Keyserver rejection filter and signing subkeys

Werner Koch wk at gnupg.org
Wed Jul 30 10:22:34 CEST 2014


On Tue, 29 Jul 2014 20:11, kristian.fiskerstrand at sumptuouscapital.com
said:

> Is this something that should be considered a regression, or do we
> simply mark it as per design and that the primary key ID should always

Yes, that is a regression.  It would also render the --auto-key-retrieve
option useless if a signing subkey has been used.

To fix that we need to pass the keyblock and not just the key to the
filter function.  However this partly defeats the purpose of the filter
if a faked subkey has been attached to a key and uploaded to the
keyserver.  As long as the keyserver does not verify the key binding you
would import a foreign key while verifying a signature done with the
faked subkey.

> be used. If so, should a reference to the primary key fpr be printed
> along with the subkey ID when doing --verify?

That is a different question but it already works:

  $ gpg --verify --with-fingerprint foo
  gpg: Signature made Wed Jul 30 10:08:40 2014 CEST using DSA key ID 77F95F95
  gpg: Good signature from "Werner Koch <wk at gnupg.org>"
  gpg:                 aka "Werner Koch <wk at g10code.com>"
  gpg:                 aka "Werner Koch <werner  at eifzilla>"
  Primary key fingerprint: 8061 5870 F5BA D690 3336  86D0 F2AD 85AC 1E42 B367
       Subkey fingerprint: E4B8 68C8 F90C 8964 B5AF  9DBC 4F05 40D5 77F9 5F95

Technically the printing of the fingerprint is not done by the signature
verification part.  If we want to make that the default I would
suggest to have something like this:

  gpg: Signature made Wed Jul 30 10:08:40 2014 CEST using DSA key ID 77F95F95
  gpg: Primary key fingerprint: 8061 5870 F5BA D690 3336  86D0 F2AD 85AC 1E42 B367
  gpg:      Subkey fingerprint: E4B8 68C8 F90C 8964 B5AF  9DBC 4F05 40D5 77F9 5F95
  gpg: Good signature from "Werner Koch <wk at gnupg.org>"
  gpg:                 aka "Werner Koch <wk at g10code.com>"
  gpg:                 aka "Werner Koch <werner  at eifzilla>"

The line will be too long, though.  Reformatting that for 2.1?


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
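
Added example (not part of the original message and not GnuPG code): a Python sketch that reads the `--verify --with-fingerprint` output quoted above, checks that the reported key ID is the tail of the signing (sub)key fingerprint, and accepts the signature only if the primary key fingerprint equals a pinned value. The function names are hypothetical, and the sample text is the output from the message with addresses as obfuscated by the archive.

```python
import re

# Output as quoted in the message above (addresses obfuscated by the archive).
SAMPLE = """\
gpg: Signature made Wed Jul 30 10:08:40 2014 CEST using DSA key ID 77F95F95
gpg: Good signature from "Werner Koch <wk at gnupg.org>"
gpg:                 aka "Werner Koch <wk at g10code.com>"
gpg:                 aka "Werner Koch <werner  at eifzilla>"
Primary key fingerprint: 8061 5870 F5BA D690 3336  86D0 F2AD 85AC 1E42 B367
     Subkey fingerprint: E4B8 68C8 F90C 8964 B5AF  9DBC 4F05 40D5 77F9 5F95
"""

_KEYID = re.compile(r"using \S+ key ID ([0-9A-Fa-f]{8,16})\s*$")
_FPR = re.compile(r"(Primary key|Subkey) fingerprint:\s*([0-9A-Fa-f ]+)$")

def _norm(hexstr):
    # Drop the grouping spaces gpg prints inside a fingerprint.
    return "".join(hexstr.split()).upper()

def parse_verify_output(text):
    """Extract the signing key ID and fingerprints from gpg --verify output."""
    info = {"keyid": None, "primary": None, "subkey": None, "good": False}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("gpg:"):
            line = line[4:].strip()  # also accepts the "gpg:"-prefixed layout proposed above
        m = _KEYID.search(line)
        if m:
            info["keyid"] = m.group(1).upper()
        m = _FPR.match(line)
        if m:
            key = "primary" if m.group(1) == "Primary key" else "subkey"
            info[key] = _norm(m.group(2))
        if line.startswith("Good signature from"):
            info["good"] = True
    return info

def signer_is_pinned(text, pinned_primary):
    """True only for a good signature whose primary key matches the pin."""
    info = parse_verify_output(text)
    if not info["good"] or not info["keyid"] or not info["primary"]:
        return False
    signer = info["subkey"] or info["primary"]  # no subkey line: primary signed
    if not signer.endswith(info["keyid"]):
        return False  # reported key ID does not belong to the listed signing key
    return info["primary"] == _norm(pinned_primary)
```

gpg localizes this human-readable text, so the parsing is tied to the English output shown in the message; for automation the machine-readable `--status-fd` output is the more robust interface.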



