keyids in signatures getting corrupted, GPG and/or Debian problem?
Jason Harris
jharris at widomaker.com
Thu Apr 1 21:32:14 CEST 2004
On Wed, Mar 31, 2004 at 12:44:51AM -0500, David Shaw wrote:
> On Tue, Mar 30, 2004 at 08:24:00PM -0500, Jason Harris wrote:
> > the bogus subkey binding signature was hard to miss: 0x12F506C8.
I meant to add: ^ not
> Jason, how on earth did you find this? Really awesome discovery, and
> an interesting problem. I have a suspicion on how it happens, though
The patterns in the "bogus" signature looked weird (kjsl output):
sub 2048g/AC0E538A 1998-04-28
Key fingerprint = F5AF 74B5 3257 FB0B 85DA AAD6 B3D3 34D5 AC0E 538A
sig 0x18 12F506C8 2003-12-17 [keybind, hash: type 2, 2d 09]
sig 0x18 12F506C8 2003-12-17 [keybind, hash: type 2, 2d 09]
sig 0x18 12F506C8 1998-04-28 [keybind, hash: type 2, 3d 0a]
sig 0x18 12F50910 2003-12-17 [invalid signer? corrupted signature?, hash: type 2, 2d 09]
and _this_ looked even weirder (GPG 1.2.4 output):
sub 2048g/AC0E538A 1998-04-28
Key fingerprint = F5AF 74B5 3257 FB0B 85DA AAD6 B3D3 34D5 AC0E 538A
sig! 12F506C8 2003-12-17 Peter Sjoberg <peters techwiz.ca>
sig! 12F50910 2003-12-17 [User id not found]
> All of that said, I'm not too worried about this. It's annoying, but
> ultimately harmless. The corrupt sig will not validate (though the
> sig itself is actually good, the bad issuer means the key that issued
> it will never be found), so it will be ignored.
Except where the issuer is irrelevant.
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
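
Added example, not part of the original message and not code from GnuPG or the kjsl keyserver: a subkey binding signature (type 0x18) is issued by the primary key, so a listing can be audited for 0x18 signatures whose issuer key ID differs from it. The primary key ID 12F506C8 is inferred from the listing above, the function names are hypothetical, and reading a shared key ID prefix as a hint of corruption rather than a foreign signer is an assumption of this sketch.

```python
import re

# Sample input: the kjsl listing lines quoted in the message above.
LISTING = """\
sub 2048g/AC0E538A 1998-04-28
Key fingerprint = F5AF 74B5 3257 FB0B 85DA AAD6 B3D3 34D5 AC0E 538A
sig 0x18 12F506C8 2003-12-17 [keybind, hash: type 2, 2d 09]
sig 0x18 12F506C8 2003-12-17 [keybind, hash: type 2, 2d 09]
sig 0x18 12F506C8 1998-04-28 [keybind, hash: type 2, 3d 0a]
sig 0x18 12F50910 2003-12-17 [invalid signer? corrupted signature?, hash: type 2, 2d 09]
"""

SUB_RE = re.compile(r"^sub\s+\S+/([0-9A-Fa-f]{8})\b")
SIG_RE = re.compile(r"^sig\s+0x([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{8})\s+(\d{4}-\d{2}-\d{2})")

def shared_prefix_bytes(a, b):
    """Count the leading bytes two hex key IDs have in common."""
    n = 0
    for i in range(0, min(len(a), len(b)), 2):
        if a[i:i + 2].upper() != b[i:i + 2].upper():
            break
        n += 1
    return n

def audit_keybinds(listing, primary_keyid):
    """Return every 0x18 signature whose issuer is not the primary key."""
    primary = primary_keyid.upper()
    findings, subkey = [], None
    for lineno, line in enumerate(listing.splitlines(), 1):
        line = line.strip()
        m = SUB_RE.match(line)
        if m:
            subkey = m.group(1).upper()  # signatures that follow bind this subkey
            continue
        m = SIG_RE.match(line)
        if not m or int(m.group(1), 16) != 0x18:
            continue  # not a subkey binding signature
        issuer = m.group(2).upper()
        if issuer != primary:
            findings.append({
                "line": lineno, "subkey": subkey, "issuer": issuer,
                "date": m.group(3),
                # Assumption: a long shared prefix hints at a damaged copy of the
                # primary key ID rather than an unrelated signer.
                "shared_prefix_bytes": shared_prefix_bytes(issuer, primary),
            })
    return findings

if __name__ == "__main__":
    for finding in audit_keybinds(LISTING, "12F506C8"):
        print(finding)
```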
More information about the Gnupg-devel mailing list