Author: danielsh Date: Thu Jun 29 02:46:14 2017 New Revision: 1800221 URL: http://svn.apache.org/viewvc?rev=1800221&view=rev Log: release.py: Don't use 32-bit key id's (= truncated fingerprints) either internally or in the generated output.
* tools/dist/release.py (get_siginfo): Use the full fingerprint internally and a 64-bit short format in the output, alongside the full fingerprint.
Modified: subversion/trunk/tools/dist/release.py
Modified: subversion/trunk/tools/dist/release.py
URL: http://svn.apache.org/viewvc/subversion/trunk/tools/dist/release.py?rev=1800221&r1=1800220&r2=1800221&view=diff
==============================================================================
--- subversion/trunk/tools/dist/release.py (original)
+++ subversion/trunk/tools/dist/release.py Thu Jun 29 02:46:14 2017
@@ -840,7 +840,7 @@ def get_siginfo(args, quiet=False):
             os.unlink(fn)
 
             if verified.valid:
-                good_sigs[verified.key_id[-8:]] = True
+                good_sigs[verified.fingerprint] = True
             else:
                 sys.stderr.write("BAD SIGNATURE for %s\n" % filename)
                 if verified.key_id:
@@ -848,7 +848,10 @@ def get_siginfo(args, quiet=False):
                 sys.exit(1)
 
     for id in good_sigs.keys():
-        gpg = subprocess.Popen(['gpg', '--fingerprint', id],
+        # Most potential signers have public short keyid (32-bit) collisions in
+        # the https://evil32.com/ set, which has been uploaded to the
+        # keyservers, so generate the long keyid.
+        gpg = subprocess.Popen(['gpg', '--keyid-format', 'long', '--fingerprint', id],
                                stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
         rc = gpg.wait()
         gpg_output = gpg.stdout.read()
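Review bot: Passing `--keyid-format long` changes the key id gpg prints on the `pub` line (16 hex digits rather than 8), so whatever parses `gpg_output` after this hunk must be updated in step; that code lies outside the hunk and get_siginfo continues past it, so I cannot confirm it was. The lookup itself is now keyed by the full fingerprint, which is what actually defeats the evil32 short-id collisions, whereas the long format only affects what is displayed; the new comment would be clearer saying so: `# The lookup is by full fingerprint; 'long' only controls the 64-bit id shown in the output.` The rewritten Popen line also keeps the pre-existing `gpg.wait()` followed by `gpg.stdout.read()`, which can deadlock if gpg's output ever fills the pipe buffer; `gpg_output, _ = gpg.communicate()` and `rc = gpg.returncode` avoids that. `id` shadows the builtin, and a name such as `fingerprint` would also document what the loop variable now holds.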