Hello Guilhem,

On Thu, May 31, 2018 at 12:01:49AM +0200, Guilhem Moulin wrote:
> On Wed, 30 May 2018 at 23:18:55 +0200, Uwe Kleine-König wrote:
> > uwe@taurus:~/tmp$ gpgsigs 0D2511F322BFAB1C1580266BE2DCDD9132669BD6 uwesparty.txt | grep -A2 "SHA256 Ch"
> > Running --list-sigs, this may take a while .
> > Annotating uwesparty.txt, writing into -
> > SHA256 Checksum: 7F18 DB92   B265 CF92   9938 B4F7   5D80 999C
> > 
> >                 6697 1C2F   3DC9 D086   ACB8 469F   4A7C C7EE              [ ]
> > 
> > (but this isn't really useful because the checksum is wrong).
> 
> How so?  What checksum were you expecting there?
> 
>     $ sha256sum uwesparty.txt
>     7f18db92b265cf929938b4f75d80999c66971c2f3dc9d086acb8469f4a7cc7ee  uwesparty.txt

Well, the sum is right for uwesparty.txt, but the motivation to report
this bug was that I got a file with the SHA256 partially filled in. So
gpgsigs is right for the unfilled file. I claimed this to be still wrong
because the "official" list in my case was prefilled.

> > With gpgsigs/stretch it works fine.
> 
> It was never designed this way, so I don't consider the new behavior to
> be a regression hence downgraded the severity to ‘wishlist’.  In fact
> gpgsigs from signing-party 2.5-1 prints a warning and fills in the wrong
> fingerprint:
> 
>     $ gpgsigs 0D2511F322BFAB1C1580266BE2DCDD9132669BD6 uwesparty.txt.01bdf8 | grep -A2 "SHA256 Ch"
>     Running --list-sigs, this may take a while .
>     Annotating uwesparty.txt.01bdf8, writing into -
>     Redundant argument in sprintf at gpgsigs line 402, <TXT> line 27.
>     SHA256 Checksum: 01BD F801   BDF8 B438   F326 6A35   C887 E6E1
> 
> 
>                      AC66 45F8   D486 0A85   486E 6EA4   0EBB 3A73              [ ]
> 
>     $ sha256sum uwesparty.txt.01bdf8
>     01bdf8b438f3266a35c887e6e1ac6645f8d4860a85486e6ea40ebb3a73f59fdd  uwesparty.txt.01bdf8
> 
> That is, you have the first 3 digest bytes (6 hexdigits) followed by
> digest bytes 0-28.  Thus bytes 0-2 are repeated and bytes 29-31 are
> missing.

Ah, probably I didn't check carefully enough here then. So that's not a
regression as I first thought.

Best regards
Uwe
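
Added example, not part of the original thread and not gpgsigs code: a Python check that compares an annotated "SHA256 Checksum" field with the real digest and recognises the failure described above, where a prefilled prefix is followed by the digest restarting at byte 0. The function names are hypothetical, the grouping layout is inferred from the quoted output, and the two sample values are the ones quoted in the thread.

```python
import hashlib
import re

# Values quoted in the thread (sha256sum output and the gpgsigs 2.5-1 annotation).
PAGE_DIGEST = "01bdf8b438f3266a35c887e6e1ac6645f8d4860a85486e6ea40ebb3a73f59fdd"
PAGE_PRINTED = """SHA256 Checksum: 01BD F801   BDF8 B438   F326 6A35   C887 E6E1

                     AC66 45F8   D486 0A85   486E 6EA4   0EBB 3A73   [ ]"""


def sha256_hex(data):
    """Digest of the list file's bytes, as sha256sum would print it."""
    return hashlib.sha256(data).hexdigest()


def normalize(printed):
    """Drop the field label, spacing and the "[ ]" tick box; keep lowercase hex."""
    body = printed.split(":", 1)[-1].lower()
    return re.sub(r"[^0-9a-f]", "", body)


def format_checksum(hexdigest, words_per_line=8):
    """Lay a digest out as 4-hex-digit words, in pairs separated by three spaces."""
    words = [hexdigest[i:i + 4].upper() for i in range(0, len(hexdigest), 4)]
    pairs = [" ".join(words[i:i + 2]) for i in range(0, len(words), 2)]
    step = words_per_line // 2
    return ["   ".join(pairs[i:i + step]) for i in range(0, len(pairs), step)]


def diagnose(printed, digest):
    """Classify an annotated checksum against the true digest.

    Returns ("match", 0), ("prefix-duplicated", n) when the field is the first
    n hex digits followed by the digest from the start (so the tail is cut
    off), or ("mismatch", 0) for anything else.
    """
    got, digest = normalize(printed), digest.lower()
    if got == digest:
        return ("match", 0)
    for n in range(1, len(digest)):
        if got == digest[:n] + digest[:len(digest) - n]:
            return ("prefix-duplicated", n)
    return ("mismatch", 0)


if __name__ == "__main__":
    print(diagnose(PAGE_PRINTED, PAGE_DIGEST))
```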

