Hi Guillem,

Sorry, I've been swamped with other stuff, then ill, for the last week
or so. Looking now...

On Thu, Mar 07, 2024 at 04:22:08AM +0100, Guillem Jover wrote:
>Hi!
>
>On Wed, 2023-12-20 at 23:59:31 +0100, Guillem Jover wrote:
>> On Wed, 2023-12-20 at 15:30:24 +0000, Steve McIntyre wrote:
>> > diff --git a/src/openpgp-gpg.c b/src/openpgp-gpg.c
>> > index 4c29b7f..97ec3a4 100644
>> > --- a/src/openpgp-gpg.c
>> > +++ b/src/openpgp-gpg.c
>> > @@ -241,6 +242,7 @@ gpg_getKeyID(const char *keyring, const char *match_id)
>> >            continue;
>> >              if (strcmp(uid, match_id) != 0) {
>> >                  free(uid);
>> > +          state = KEYID_SUB;
>> >            continue;
>> >        }
>> >              free(uid);
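Review bot: setting `state = KEYID_SUB` inside the non-matching branch of `strcmp(uid, match_id)` ends the uid scan for the current key on the first uid that does not match, so any later uid line belonging to the same key is never compared against `match_id` and a key whose matching uid is not the first one is missed. The transition to `KEYID_SUB` should only happen after every uid line for the key has been checked (for instance when the next fingerprint line is reached), not from inside this `if` block. Minor: the added line is indented differently from the `free(uid);` above it and from the surrounding `if` block, so it does not line up with the code around it.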
>> 
>> I think the problem with this is that if the first uid does not match,
>> then it will then switch to looking for a new fingerprint line, which
>> might then omit some valid uids.
>> 
>> I've prepared a change based on this at:
>> 
>>   https://git.hadrons.org/cgit/debian/dpkg/debsig-verify.git/log/?h=pu/openpgp-subkey
>> 
>> With the assumption that one would define the policy and keyrings
>> paths based on the subkey fingerprint and not the primary public
>> certificate fingerprint, because otherwise some of the other matches
>> cannot easily match, such as uid-based ones. But wanted to check with
>> you whether that's the case before merging. Otherwise I can try to see
>> how to support all the various cases.
>
>I assume you have had no time to look into this, but I'd like to make
>sure the above branch fixes your issue before merging, and potentially
>preparing a backport for stable. :)
>
>Thanks,
>Guillem
>
-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
"Further comment on how I feel about IBM will appear once I've worked out
 whether they're being malicious or incompetent. Capital letters are forecast."
 Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html