Multiple signatures after import.

Yenot yenot@sec.to
Mon Apr 14 11:07:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 13 April 2003 11:40 pm, David Shaw wrote:
> On Sun, Apr 13, 2003 at 12:00:32PM +0400, Yenot wrote:
> >
> > I did some more testing.  To me, it looks like GnuPG 1.2.1 *is*
> > merging non byte-for-byte signatures -- but the result depends
> > on the order of operations.
> >
> > For a test case, I've attached "bob1.asc" and "bob2.asc".  Both
> > files contain the same key for UID "bob@test.com".  In both files
> > there is a single self-signature on the UID, but the self-signature
> > in "bob1.asc" has a creation date 13 seconds before the signature
> > in "bob2.asc".
> >
> > gpg --import bob1.asc bob2.asc  [Keeps both signatures.]
> > gpg --import bob2.asc bob1.asc  [Removes older signature in bob1.asc]
>
> This is not signature merging.  Given two valid self-signatures, GnuPG
> will not import an older self-signature if a newer one is present.
> (Even if it is present, the older of the two is ignored.)

When importing a key multiple times, the process of combining the
signatures on both keys to form a united key is called a "merge".
This term is well established in PGP literature.  The fact that
you're trying to bend terminology to justify GnuPG's behavior
is an indication that GnuPG's behavior could be improved.

It took me a long time to figure out exactly what GnuPG was doing.
The complexity lies in the fact that the resulting keyring depends
on the order in which signatures are imported.  This complexity
could be simplified in one of 3 ways:

1)  GnuPG could keep all signatures (what PGP 8.02 does)
2)  GnuPG could *only* keep the latest signature (drop obsolete data)
3)  GnuPG could print a message that it's ignoring an older signature
    (better than nothing)

It's also confusing that multiple signatures created on the same day
by the same key appear to be duplicates in GnuPG.  Since GnuPG
doesn't show the hour/minutes/seconds, the end user has to whip out
pgpdump to figure out that the signatures are in fact different.
Other than solution (2) above, I don't have any good suggestions for
solving this problem.  I realize that displaying the full time info
would occupy a significant amount of screen real estate. :(

 - Yenot
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+mneWP247TY29IxARAtgsAJ97gzJYhKQJHQM+B0wMdsw0jOLSnACeOZzG
+cZHArBUOf5Zyzh1FioHmNE=
=RzLW
-----END PGP SIGNATURE-----
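The order dependence Yenot describes, together with the three proposed fixes, is easier to see in a small model. The following Python is an added example and is not code from the thread or from GnuPG; it is an assumption-level model of the import rule David Shaw states ("will not import an older self-signature if a newer one is present"), not a reimplementation of GnuPG's keyring code. The user ID, the 13-second gap and the signature bodies are constructed to mirror the bob1.asc / bob2.asc test case; the helper names (merge_gnupg_121, merge_keep_all, merge_keep_latest, import_sequence) are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class SelfSig:
    """A self-signature on a user ID, reduced to what matters for the merge:
    its creation timestamp (seconds since the epoch) and an opaque body."""
    created: int
    body: str


@dataclass(frozen=True)
class KeyBlock:
    """One exported key file: a user ID plus the self-signatures it carries."""
    uid: str
    sigs: tuple


def fmt_date(ts):
    """Date-only rendering, as a listing without hour/minute/second shows it."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def fmt_full(ts):
    """Full timestamp, the level of detail a packet dumper would reveal."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def merge_gnupg_121(existing, incoming, notices):
    """Model (assumption) of the rule stated in the thread: an incoming
    self-signature is skipped when the keyring already holds a newer one;
    signatures already on the keyring are never removed.  The notice appended
    here is fix (3) from the mail: say that a signature was ignored."""
    kept = list(existing)
    newest = max((s.created for s in kept), default=None)
    for sig in incoming:
        if sig in kept:
            continue  # byte-for-byte duplicate, nothing to merge
        if newest is not None and sig.created < newest:
            notices.append(f"ignored self-sig from {fmt_full(sig.created)}: "
                           f"newer self-sig {fmt_full(newest)} already present")
            continue
        kept.append(sig)
    return kept


def merge_keep_all(existing, incoming, notices):
    """Fix (1): keep every distinct self-signature, regardless of order."""
    kept = list(existing)
    for sig in incoming:
        if sig not in kept:
            kept.append(sig)
    return kept


def merge_keep_latest(existing, incoming, notices):
    """Fix (2): keep only the newest self-signature seen so far."""
    return [max(list(existing) + list(incoming), key=lambda s: s.created)]


def import_sequence(policy, files):
    """Import key files in the given order; returns (keyring, notices)."""
    keyring, notices = {}, []
    for block in files:
        keyring[block.uid] = policy(keyring.get(block.uid, []), block.sigs, notices)
    return keyring, notices


def sig_times(keyring, uid):
    """Sorted creation times of the self-signatures left on a user ID."""
    return sorted(s.created for s in keyring[uid])


# Constructed test case: two files, same key and UID, one self-signature each,
# the second created 13 seconds after the first (same calendar day).
T0 = int(datetime(2003, 4, 13, 12, 0, 32, tzinfo=timezone.utc).timestamp())
BOB1 = KeyBlock("bob@test.com", (SelfSig(T0, "constructed-sig-A"),))
BOB2 = KeyBlock("bob@test.com", (SelfSig(T0 + 13, "constructed-sig-B"),))


if __name__ == "__main__":
    for name, policy in (("gnupg-1.2.1 model", merge_gnupg_121),
                         ("keep all", merge_keep_all),
                         ("keep latest", merge_keep_latest)):
        for order in ((BOB1, BOB2), (BOB2, BOB1)):
            keyring, notices = import_sequence(policy, order)
            times = sig_times(keyring, "bob@test.com")
            print(f"{name:18} bob1/bob2 order {[f.sigs[0].body[-1] for f in order]}: "
                  f"{[fmt_full(t) for t in times]}  {notices}")
    # The same-day ambiguity: both signatures render identically without the time.
    print("date-only view:", fmt_date(T0), "vs", fmt_date(T0 + 13))
```

Under the modelled rule only the bob1-then-bob2 order keeps both signatures, because the newer one is accepted on top of the older one already present, while bob2-then-bob1 drops bob1's signature on import. Both keep-all and keep-latest give the same result in either order, which is the property that makes a keyring easy to reason about; the notice list shows what option (3) would have told the user in the lossy case.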