Multiple signatures after import.
David Shaw
dshaw@jabberwocky.com
Mon Apr 14 21:17:02 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, Jan 01, 1970 at 12:00:00AM +0000, Yenot wrote:
> On Sunday 13 April 2003 11:40 pm, David Shaw wrote:
> > On Sun, Apr 13, 2003 at 12:00:32PM +0400, Yenot wrote:
> > >
> > > I did some more testing. To me, it looks like GnuPG 1.2.1 *is*
> > > merging non byte-for-byte signatures -- but the result depends
> > > on the order of operations.
> > >
> > > For a test case, I've attached "bob1.asc" and "bob2.asc". Both
> > > files contain the same key for UID "bob@test.com". In both files
> > > there is a single self-signature on the UID, but the self-signature
> > > in "bob1.asc" has a creation date 13 seconds before the signature
> > > in "bob2.asc".
> > >
> > > gpg --import bob1.asc bob2.asc [Keeps both signatures.]
> > > gpg --import bob2.asc bob1.asc [Removes older signature in bob1.asc]
> >
> > This is not signature merging. Given two valid self-signatures, GnuPG
> > will not import an older self-signature if a newer one is present.
> > (Even if it is present, the older of the two is ignored.)
>
> When importing a key multiple times, the process of combining the
> signatures on both keys to form a united key is called a "merge".
> This term is well established in PGP literature. The fact that
> you're trying to bend terminology to justify GnuPG's behavior
> is an indication that GnuPG's behavior could be improved.
Well, I guess you can call the reject-old-sigs behavior whatever you
like. Incidentally, I don't need to "justify" any behavior in GnuPG.
You asked what GnuPG was doing. I answered. Don't like it? Send in
a patch. (Hint - file g10/import.c, lines 1689-1690).
David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2rc1 (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc
iD8DBQE+mwlc4mZch0nhy8kRAgfjAKCTL7P0COsQHjsp8gqZrYcRym6zNACgsfU+
QYoi+obVcGv9BaMPaiaLZYE=
=seop
-----END PGP SIGNATURE-----
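
The order dependence discussed in this thread, as a small model added here (it is not GnuPG code and not from either poster). It assumes only the rule stated in the message, that an incoming self-signature is skipped when a newer one on the same UID is already present; the class names, function names and timestamps are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class SelfSig:
    uid: str
    created: int  # signature creation time, seconds since the epoch

@dataclass
class Keyring:
    sigs: dict = field(default_factory=dict)  # uid -> list of SelfSig

    def import_sig(self, sig):
        """Apply the rule described in the thread to one incoming self-signature."""
        have = self.sigs.setdefault(sig.uid, [])
        if sig in have:
            return "duplicate"
        # A newer self-signature is already stored: the older one is not imported.
        if any(s.created > sig.created for s in have):
            return "rejected-older"
        # Otherwise it is appended, even if older self-signatures are stored.
        have.append(sig)
        return "imported"

    def effective(self, uid):
        """The self-signature actually used: the newest one on the UID."""
        return max(self.sigs[uid], key=lambda s: s.created)

def import_files(*files):
    """Import key files in the given order; return the keyring and a per-signature log."""
    ring = Keyring()
    log = [ring.import_sig(sig) for f in files for sig in f]
    return ring, log

# Constructed stand-ins for bob1.asc and bob2.asc: same UID, creation times 13 s apart.
UID = "bob@test.com"
T0 = 1050000000  # constructed timestamp
BOB1 = [SelfSig(UID, T0)]
BOB2 = [SelfSig(UID, T0 + 13)]

if __name__ == "__main__":
    for order in ((BOB1, BOB2), (BOB2, BOB1)):
        ring, log = import_files(*order)
        print(log, "stored:", len(ring.sigs[UID]),
              "effective:", ring.effective(UID).created)
```

In this model the stored signature set differs between the two import orders, while the effective (newest) self-signature is the same in both.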