[Rpm-maint] [rpm-software-management/rpm] Fingerprint subpacket parsing support (#1728)

Justus Winter notifications at github.com
Fri Feb 4 11:44:41 UTC 2022


> Fingerprint packet parsing support

ITYM issuer fingerprint subpacket parsing support.

> GPG uses packet type 33 for fingerprint packets, which contain the full
> fingerprint of a key.  Obtain the key ID from those whenever possible.

That makes it sound like it is a proprietary extension by a single vendor when in fact this enjoys broad support from implementations and I can say with confidence that the issuer fingerprint subpacket will be in the next revision of RFC4880 in this form.

> If a key ID packet and a fingerprint packet are both found, they are
> checked to be consistent with each other.  If they are not, the
> signature is rejected.

That is not correct.  Issuer and issuer fingerprint packets are hints that clients use to look up keys.  The client should use all those hints, and if they yield a signing key, try to verify the signature.

The standard explicitly says that issuer information can apparently be conflicting: https://openpgp-wg.gitlab.io/rfc4880bis/#section-5.2.4.1-2

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1728#issuecomment-1029913400
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/pull/1728/c1029913400 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20220204/e89bdaf1/attachment.html>


More information about the Rpm-maint mailing list