dealing with misplaced signatures

David Shaw dshaw at jabberwocky.com
Tue Jul 31 23:29:10 CEST 2012


On Jul 31, 2012, at 11:13 AM, Daniel Kahn Gillmor wrote:

> On 07/31/2012 01:39 AM, Georgi Guninski wrote:
>> Was the sig of the subkey made with vanilla gpg or was it manipulated?
> 
> examining the sig, it happens to be byte-for-byte identical with a sig
> on one of the User IDs.
> 
> As a result of gpg's (faulty) moving of the sig to the last user ID, we
> see the same sig show up after several of the User IDs as well.

What's happening here is that the key is mangled on SKS (whether SKS mangled it or it was imported already mangled doesn't matter).  GPG fetches it, and there is some code to move misplaced packets to the right place.  Unfortunately, as you noticed, that code does not work if there is more than one user ID.

This code actually dates to 1998.  The comment: "* Note:  This function does not work if there is more than one user ID."

David
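
An added example, not part of the original message and not GnuPG's code: a check over a binary (dearmored) OpenPGP key that reports any signature packet whose body appears byte-for-byte after more than one key component, the symptom described in this thread. The function names and the sample packets are assumptions made for illustration; the sample has valid packet framing but placeholder bodies.

```python
import hashlib
from collections import defaultdict

SIG, PUBKEY, UID, SUBKEY, UATTR = 2, 6, 13, 14, 17   # RFC 4880 packet tags
NAMES = {PUBKEY: "primary key", UID: "user ID", SUBKEY: "subkey", UATTR: "user attribute"}

def packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                       # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:                  # one-octet length
                n = first
            elif first < 224:                # two-octet length
                n, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:               # four-octet length
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                # old-format header; size 0 = indeterminate
            tag, size = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 0x03]
            n = int.from_bytes(data[i:i + size], "big") if size else len(data) - i
            i += size
        yield tag, data[i:i + n]
        i += n

def repeated_signatures(data):
    """Map sha256(signature body) -> components it follows, when more than one."""
    seen, owner = defaultdict(list), None
    for idx, (tag, body) in enumerate(packets(data)):
        if tag in NAMES:                     # a new key component starts here
            owner = f"{NAMES[tag]} (packet {idx})"
        elif tag == SIG:
            seen[hashlib.sha256(body).hexdigest()].append(owner)
    return {h: o for h, o in seen.items() if len(o) > 1}

def pkt(tag, body):                          # builds a constructed new-format packet
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed sample: one signature body repeated after two user IDs and a subkey.
SAMPLE = (pkt(PUBKEY, b"K") + pkt(UID, b"one") + pkt(SIG, b"sig-1") + pkt(UID, b"two")
          + pkt(SIG, b"sig-1") + pkt(SIG, b"sig-2") + pkt(SUBKEY, b"S") + pkt(SIG, b"sig-1"))

if __name__ == "__main__":
    print(repeated_signatures(SAMPLE))
```

The check only compares packet bodies; it does not verify any signature or decide which component a repeated signature actually belongs to.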



