Always use GPG fingerprint instead of key ID #77

sebastianheuer · 2016-08-17T11:56:43Z

The key ID is not a reliable criteria for validating GPG keys: http://www.golem.de/news/keyserver-chaos-mit-doppelten-pgp-key-ids-1608-122733.html

theseer · 2016-08-17T16:46:26Z

To clarify this a bit:

As it looks like GnuPG only returns the long key id in --verify operations:

[GNUPG:] BADSIG 9D8A98B29B2D5D79 phar.io <team@phar.io>

[GNUPG:] ERRSIG 4AA394086372C20A 1 10 00 1405769272 9

So we only have the (long) key id to search with at the key servers.
We already show the fingerprint when asking to import the key into the keyring.

But since the key id might not actually be as unique as we thought, there might be multiple keys matching. Phive needs to get enhanced to handle this situation and iterate over candiates.

sebastianheuer added the enhancement label Aug 17, 2016

sebastianheuer added this to the 0.7.0 milestone Aug 17, 2016

sebastianheuer removed this from the 0.7.0 milestone Apr 20, 2017

theseer added this to To Do in Next Release Aug 26, 2017

theseer mentioned this issue Feb 25, 2018

Invalid Getting PHIVE on phar.io #131

Closed

sebastianheuer removed this from To Do in Next Release Jul 6, 2018

theseer closed this as completed Jul 11, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Always use GPG fingerprint instead of key ID #77

Always use GPG fingerprint instead of key ID #77

sebastianheuer commented Aug 17, 2016

theseer commented Aug 17, 2016

Always use GPG fingerprint instead of key ID #77

Always use GPG fingerprint instead of key ID #77

Comments

sebastianheuer commented Aug 17, 2016

theseer commented Aug 17, 2016