Keyserver rejection filter and signing subkeys
Werner Koch
wk at gnupg.org
Wed Jul 30 10:22:34 CEST 2014
On Tue, 29 Jul 2014 20:11, kristian.fiskerstrand at sumptuouscapital.com
said:
> Is this something that should be considered a regression, or do we
> simply mark it as per design and that the primary key ID should always
Yes, that is a regression. It would also render the --auto-key-retrieve
option useless if a signing subkey has been used.
To fix that we need to pass the keyblock and not just the key to the
filter function. However this partly defeats the purpose of the filter
if a faked subkey has been attached to a key and uploaded to the
keyserver. As long as the keyserver does not verify the key binding you
would import a foreign key while verifying a signature done with the
faked subkey.
> be used. If so, should a reference to the primary key fpr be printed
> along with the subkey ID when doing --verify?
That is a different question but it already works:

  $ gpg --verify --with-fingerprint foo
  gpg: Signature made Wed Jul 30 10:08:40 2014 CEST using DSA key ID 77F95F95
  gpg: Good signature from "Werner Koch <wk at gnupg.org>"
  gpg:                 aka "Werner Koch <wk at g10code.com>"
  gpg:                 aka "Werner Koch <werner at eifzilla>"
  Primary key fingerprint: 8061 5870 F5BA D690 3336  86D0 F2AD 85AC 1E42 B367
       Subkey fingerprint: E4B8 68C8 F90C 8964 B5AF  9DBC 4F05 40D5 77F9 5F95

Technically the printing of the fingerprint is not done by the signature
verification part. If we want to make that the default, I would
suggest to have something like this:

  gpg: Signature made Wed Jul 30 10:08:40 2014 CEST using DSA key ID 77F95F95
  gpg: Primary key fingerprint: 8061 5870 F5BA D690 3336  86D0 F2AD 85AC 1E42 B367
  gpg:      Subkey fingerprint: E4B8 68C8 F90C 8964 B5AF  9DBC 4F05 40D5 77F9 5F95
  gpg: Good signature from "Werner Koch <wk at gnupg.org>"
  gpg:                 aka "Werner Koch <wk at g10code.com>"
  gpg:                 aka "Werner Koch <werner at eifzilla>"

The line will be too long, though. Reformatting that for 2.1?

Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.