Multiple signatures after import.

David Shaw dshaw@jabberwocky.com
Mon Apr 14 21:17:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Jan 01, 1970 at 12:00:00AM +0000, Yenot wrote:
> On Sunday 13 April 2003 11:40 pm, David Shaw wrote:
> > On Sun, Apr 13, 2003 at 12:00:32PM +0400, Yenot wrote:
> > >
> > > I did some more testing.  To me, it looks like GnuPG 1.2.1 *is*
> > > merging non byte-for-byte signatures -- but the result depends
> > > on the order of operations.
> > >
> > > For a test case, I've attached "bob1.asc" and "bob2.asc".  Both
> > > files contain the same key for UID "bob@test.com".  In both files
> > > there is a single self-signature on the UID, but the self-signature
> > > in "bob1.asc" has a creation date 13 seconds before the signature
> > > in "bob2.asc".
> > >
> > > gpg --import bob1.asc bob2.asc  [Keeps both signatures.]
> > > gpg --import bob2.asc bob1.asc  [Removes older signature in bob1.asc]
> >
> > This is not signature merging.  Given two valid self-signatures, GnuPG
> > will not import an older self-signature if a newer one is present.
> > (Even if it is present, the older of the two is ignored.)
> 
> When importing a key multiple times, the process of combining the
> signatures on both keys to form a united key is called a "merge".
> This term is well established in PGP literature.  The fact that
> you're trying to bend terminology to justify GnuPG's behavior,
> is an indication that GnuPG's behavior could be improved.

Well, I guess you can call the reject-old-sigs behavior whatever you
like.  Incidentally, I don't need to "justify" any behavior in GnuPG.
You asked what GnuPG was doing.  I answered.  Don't like it?  Send in
a patch.  (Hint - file g10/import.c, lines 1689-1690).

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2rc1 (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+mwlc4mZch0nhy8kRAgfjAKCTL7P0COsQHjsp8gqZrYcRym6zNACgsfU+
QYoi+obVcGv9BaMPaiaLZYE=
=seop
-----END PGP SIGNATURE-----
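
The order dependence discussed in this thread, as an added example that is not part of the original message and is not GnuPG's code: a simplified Python model of the rule "an older self-signature is not imported if a newer one is present". The `SelfSig` type, the function names and the timestamps are assumptions constructed for illustration.

```python
# Simplified model of the import rule described in this thread.
# Not GnuPG code: names and data structures are assumptions for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class SelfSig:
    uid: str
    created: int  # signature creation time, seconds since epoch

# Constructed sample data mirroring the test case: same UID, 13 seconds apart.
BOB1 = [SelfSig("bob@test.com", 1050000000)]
BOB2 = [SelfSig("bob@test.com", 1050000013)]

def import_key(keyring, incoming):
    """Add incoming self-signatures, rejecting any that are older than a
    self-signature already present on the same UID."""
    result = list(keyring)
    for sig in incoming:
        if sig in result:
            continue  # exact duplicate, nothing to add
        newer_present = any(
            s.uid == sig.uid and s.created > sig.created for s in result
        )
        if not newer_present:
            result.append(sig)
    return result

def import_files(*files):
    """Import several key files in the given order into an empty keyring."""
    keyring = []
    for f in files:
        keyring = import_key(keyring, f)
    return keyring

def effective_selfsig(keyring, uid):
    """The self-signature actually used for a UID: the newest one stored."""
    return max((s for s in keyring if s.uid == uid), key=lambda s: s.created)

if __name__ == "__main__":
    for label, order in (("bob1, bob2", (BOB1, BOB2)), ("bob2, bob1", (BOB2, BOB1))):
        ring = import_files(*order)
        eff = effective_selfsig(ring, "bob@test.com")
        print(f"{label}: {len(ring)} stored, effective created={eff.created}")
```

In this model the stored keyring differs with import order, but the self-signature that takes effect is the newer one either way.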