Mark Phippard wrote on Sun, Apr 10, 2022 at 16:02:07 -0400:
> On Sun, Apr 10, 2022 at 3:27 PM Daniel Shahaf <d...@daniel.shahaf.name> wrote:
> >
> > Mark Phippard wrote on Sun, Apr 10, 2022 at 15:16:58 -0400:
> > > So I was wondering how, using the gpg command, I can get the other
> > > elements we include .. such as: Stefan Sperling
> > > [2048R/4F7DBAA99A59B973]
> >
> > They're generated by release.py:get_siginfo() which is called by
> > write_announcement(), so, «release.py write-announcement» is the right
> > answer.  (I just grepped for "with fingerprint:".)
> >
> > > A problem I am having is with my key. I have to run the
> > > write-announcement in my Docker image but that has an old version of
> > > GPG that does not know what to do with my key.
> >
> > Install gpg from backports, or run write-announcement elsewhere?
> > I don't see why you couldn't run it anywhere you have a wc of
> > /dist/release.
> 
> Even on a system with a GnuPG that understands my key the Python
> script does not:
> 
> Traceback (most recent call last):
>   File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
> line 1917, in <module>
>     main()
>   File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
> line 1913, in main
>     args.func(args)
>   File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
> line 1272, in write_announcement
>     siginfo = get_siginfo(args, True)
>   File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
> line 1421, in get_siginfo
>     formatter = PUBLIC_KEY_ALGORITHMS[keytype]
> KeyError: 22
> 
> 
> So I was going to remove my key from the signature file, run the
> script to get the email announcement, and then put my key back. But
> then I was looking for how I could manually construct what my entry
> should look like in the email.
> 

Perhaps something like this:

Index: release.py
===================================================================
--- release.py  (revision 1899017)
+++ release.py  (working copy)
@@ -1417,7 +1402,7 @@ def get_siginfo(args, quiet=False):
             if parts[0] == 'pub':
                 keylen = int(parts[2])
                 keytype = int(parts[3])
-                formatter = PUBLIC_KEY_ALGORITHMS[keytype]
+                formatter = PUBLIC_KEY_ALGORITHMS.get(keytype, lambda keylen: 
"?<keytype={}, keylen={}>".format(keytype, keylen))
                 long_key_id = parts[4]
                 length_and_type = formatter(keylen) + '/' + long_key_id
                 del keylen, keytype, formatter, long_key_id
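Review bot: the `.get()` default on the `formatter` line substitutes a placeholder silently, so a string of the form `?<keytype=..., keylen=...>` followed by `'/' + long_key_id` ends up in `length_and_type` and could go out in the announcement without the release manager noticing. Consider printing a warning to stderr when `keytype` is missing from `PUBLIC_KEY_ALGORITHMS`. Moving the default into a small named function would also keep the line within length and stop the lambda's `keylen` parameter from shadowing the local of the same name.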

Or this:

Index: release.py
===================================================================
--- release.py  (revision 1899017)
+++ release.py  (working copy)
@@ -1326,6 +1311,7 @@ PUBLIC_KEY_ALGORITHMS = {
     # The values are callables that produce gpg1-like key length and type
     # indications, e.g., "4096R" for a 4096-bit RSA key.
     1: (lambda keylen: str(keylen) + 'R'), # RSA
+    22: (lambda keylen: "ed25519"), # according to gpg2; this value is not in 
the IANA registry above
 }
 
 def _make_human_readable_fingerprint(fingerprint):
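Review bot: the new `22:` entry ignores `keylen` and returns the fixed string "ed25519" for every key that reports algorithm 22, which departs from the "key length and type" shape (e.g. "4096R") that the comment above the table promises. If that is intended, say so in the entry's comment, and state there that the curve name is assumed from the algorithm number alone. Since the value is noted as absent from the registry the table cites, the comment would also be more useful if it named the gpg2 version or source the number was taken from.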

> I could just leave my signature out of the release too so as not to
> have downstream users need to deal with this problem.

Please don't.  Anyone with an OpenPGP implementation who doesn't know
what public key algorithm 22 is should be able to ignore your signature
and only verify the others.

I suppose you could move your own signature to be last in the files, but
even for this you might want to wait until someone actually complains
about the files failing to verify.
