Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to extract from signature when long keys are used in ~/.gnupg/gpg.conf #1952

Closed
dysinger opened this issue Mar 25, 2016 · 3 comments · Fixed by #1971
Closed

Unable to extract from signature when long keys are used in ~/.gnupg/gpg.conf #1952

dysinger opened this issue Mar 25, 2016 · 3 comments · Fixed by #1971
Assignees
@dysinger
Labels
type: bug
Milestone
P1: Must

Comments

@dysinger
Copy link
Contributor

If you are using the keyid-form 0xlong the text output format changes for gpg signing.

user@computer:~/src/github.com/commercialhaskell/stack% grep -i keyid-format ~/.gnupg/gpg.conf
# keyid-format 0xlong
user@computer:~/src/github.com/commercialhaskell/stack% gpg2 --output - --detach-sig --armor /home/user/src/github.com/commercialhaskell/stack/.stack-work/dist/x86_64-linux/Cabal-1.22.5.0/stack-1.0.4.2.tar.gz | gpg --verify - /home/user/src/github.com/commercialhaskell/stack/.stack-work/dist/x86_64-linux/Cabal-1.22.5.0/stack-1.0.4.2.tar.gz
gpg: Signature made Fri 25 Mar 2016 01:33:35 PM PDT using RSA key ID C156F68B
gpg: Good signature from "Tim Dysinger <tim@dysinger.net>" [ultimate]
gpg:                 aka "[jpeg image of size 4356]" [ultimate]
gpg:                 aka "Tim Dysinger <dysinger@gmail.com>" [ultimate]
gpg:                 aka "Tim Dysinger <tim@positiveinertia.com>" [ultimate]
gpg:                 aka "Tim Dysinger <tim@knewton.com>" [ultimate]
gpg:                 aka "Tim Dysinger <tim@fpcomplete.com>" [ultimate]
Primary key fingerprint: DDB9 DB7D 11B7 5D1E 8DA9  959E 11A9 6A3C 6622 290C
     Subkey fingerprint: 30C2 1B41 62E8 AB7A 4F0C  F6DF 155E 7413 C156 F68B
user@computer:~/src/github.com/commercialhaskell/stack% grep -i keyid-format ~/.gnupg/gpg.conf
keyid-format 0xlong
user@computer:~/src/github.com/commercialhaskell/stack% gpg2 --output - --detach-sig --armor /home/user/src/github.com/commercialhaskell/stack/.stack-work/dist/x86_64-linux/Cabal-1.22.5.0/stack-1.0.4.2.tar.gz | gpg --verify - /home/user/src/github.com/commercialhaskell/stack/.stack-work/dist/x86_64-linux/Cabal-1.22.5.0/stack-1.0.4.2.tar.gz
gpg: Signature made Fri 25 Mar 2016 01:33:49 PM PDT
gpg:                using RSA key 0x155E7413C156F68B
gpg: Good signature from "Tim Dysinger <tim@dysinger.net>" [ultimate]
gpg:                 aka "[jpeg image of size 4356]" [ultimate]
gpg:                 aka "Tim Dysinger <dysinger@gmail.com>" [ultimate]
gpg:                 aka "Tim Dysinger <tim@positiveinertia.com>" [ultimate]
gpg:                 aka "Tim Dysinger <tim@knewton.com>" [ultimate]
gpg:                 aka "Tim Dysinger <tim@fpcomplete.com>" [ultimate]
Primary key fingerprint: DDB9 DB7D 11B7 5D1E 8DA9  959E 11A9 6A3C 6622 290C
     Subkey fingerprint: 30C2 1B41 62E8 AB7A 4F0C  F6DF 155E 7413 C156 F68B
user@computer:~/src/github.com/commercialhaskell/stack%
dysinger added a commit that referenced this issue Mar 25, 2016
@dysinger
Always use full fingerprints from GPG
e51b290 
OpenPGP Key ID is the least reliable way to identify a key. From the
spec:

"Note that it is possible for there to be collisions of Key IDs -- two
different keys with the same Key ID. Note that there is a much smaller,
but still non-zero, probability that two different keys have the same
fingerprint."

resolves #1952
@dysinger
Copy link
Contributor Author

The GPG key-id long form doesn't work with stack. We should switch to using full fingerprints all the time.

dysinger added a commit that referenced this issue Mar 26, 2016
@dysinger
Always use full fingerprints from GPG
da98418 
OpenPGP Key ID is the least reliable way to identify a key. From the
spec:

"Note that it is possible for there to be collisions of Key IDs -- two
different keys with the same Key ID. Note that there is a much smaller,
but still non-zero, probability that two different keys have the same
fingerprint."

resolves #1952
@dysinger
Copy link
Contributor Author

Corrected for < 7.10 and misc cleanup

@dysinger dysinger self-assigned this Mar 26, 2016
@dysinger dysinger added this to the P1: Must milestone Mar 28, 2016
@dysinger
Copy link
Contributor Author

Added P1 because it's broken right now

dysinger added a commit that referenced this issue Mar 31, 2016
@dysinger
Always use full fingerprints from GPG
a7fdc1b 
OpenPGP Key ID is the least reliable way to identify a key. From the
spec:

"Note that it is possible for there to be collisions of Key IDs -- two
different keys with the same Key ID. Note that there is a much smaller,
but still non-zero, probability that two different keys have the same
fingerprint."

resolves #1952
This was referenced Mar 31, 2016
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dysinger dysinger

Labels
type: bug
Projects
None yet
Milestone
P1: Must
Development

Successfully merging a pull request may close this issue.

Always use full fingerprints from GPG commercialhaskell/stack
2 participants
@dysinger @borsboom