> Here are my findings so far:
Thanks for working on this! A few comments:
> ### PGP KeyID and FingerPrint usage in RPM
>
> * PGP Fingerprint: 20- or 32-byte hash of the public key (depending on key
> algorithm)
To clarify: v4 fingerprints are 20 bytes and v6 fingerprints are 32 bytes. So,
it depends on the key *version*.
> * (Long) KeyId: last 8 bytes of Fingerprint
Except for v6 keys where it is the first 8 bytes...
> Signatures only return the KeyID. The Fingerprint is just not available for v3 PGP sigs.
> v4 PGP signatures contain the Fingerprint, but RPM does not have any means to get
> them right now. We could get the Fingerprint from the matching key - if
> available.
Technically, the fingerprint (or key ID) is only known after the signature is
verified. At that point we know what certificate made the signature and can
derive the fingerprint.
The issue that you are hinting at is that a signature may contain a key ID or a
fingerprint. As this is unauthenticated, this is purely hearsay, and we should
avoid using it. Of course, if we can't verify a signature, then we have to use
it...
> * Short KeyID as Version and Creation time as release
Using the key ID (or the fingerprint) as the version is problematic as a
certificate can change (e.g., get a new subkey, have its expiration changed)
without the fingerprint being changed.
> Support for subkeys seems very rudimentary.
>
> * No way to list installed subkeys.
>
> * No way to connect sub keys to gpg-pubkey packages
>
> * pgpPubkeyFingerprint() only works on raw key data and returns the
> Fingerprint of the primary key
In general, I think that subkeys should be treated as an implementation detail.
If at all possible they should *not* be shown to users. And, I don't think it
is necessary for users to be able to address certificates by subkey
fingerprints; they should use the certificate's fingerprint.
> ### ToDo
> * API: Add variant of pgpPubkeyFingerprint() that works for sub keys, too.
What's the use case?
> * Offer a way to get information on the actually installed keys e.g.
>
> * Fingerprint format for pubkeys tag to get actual
> Fingerprint of installed key(s)
> * PGP key format that gives rpm -qi like output of the actual keys
> * Add --list to rpmkeys utility
Perhaps add a `--dump-keyring` (feel free to bikeshed the name), which dumps
all of the keys. This would make it easy to inspect the certificates using
something like `sq`.
> * Support multiple entries per KeyId in keyring
What's the motivation for this?
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2403#issuecomment-2355080062
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
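An added illustration of the version dependence discussed in the replies above (this is example code, not rpm's own and not from either participant): fingerprint and long Key ID derivation for v4 and v6 OpenPGP Public-Key packet bodies as specified in RFC 4880 section 12.2 and RFC 9580 section 5.5.4. The RSA parameters and creation time are constructed toy values.

```python
# Added example, not rpm's code: OpenPGP fingerprint / Key ID derivation for
# v4 (RFC 4880 sec. 12.2) and v6 (RFC 9580 sec. 5.5.4) Public-Key packets.
import hashlib
import struct

# Constructed toy RSA parameters (far too small for a real key) and a fixed
# creation time, so the example runs offline and deterministically.
TOY_N_PRIMARY = 0xC2A5E77D9B1F30D1
TOY_N_SUBKEY = 0xB7E31F4D2C9A8E0B
TOY_E = 65537
TOY_CREATED = 1700000000


def mpi(n: int) -> bytes:
    """Encode n as an OpenPGP MPI: 2-byte bit length, then big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_key_body(version: int, created: int, n: int, e: int) -> bytes:
    """Body of a Public-Key (tag 6) or Public-Subkey (tag 14) packet for RSA (alg 1).
    A v6 body additionally carries a 4-byte length of the key material."""
    material = mpi(n) + mpi(e)
    head = bytes([version]) + struct.pack(">I", created) + bytes([1])
    if version == 4:
        return head + material
    if version == 6:
        return head + struct.pack(">I", len(material)) + material
    raise ValueError(f"unsupported key version {version}")


def fingerprint(body: bytes) -> bytes:
    """v4: SHA-1(0x99 || 2-byte len || body)   -> 20 bytes.
    v6: SHA-256(0x9B || 4-byte len || body) -> 32 bytes.
    The same rule applies to primary keys and subkeys (each over its own body)."""
    version = body[0]
    if version == 4:
        return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    if version == 6:
        return hashlib.sha256(b"\x9b" + struct.pack(">I", len(body)) + body).digest()
    raise ValueError(f"unsupported key version {version}")


def key_id(body: bytes) -> bytes:
    """Long Key ID: low-order 64 bits of the fingerprint for v4, high-order for v6."""
    fp = fingerprint(body)
    return fp[-8:] if body[0] == 4 else fp[:8]


if __name__ == "__main__":
    for ver in (4, 6):
        for label, n in (("primary", TOY_N_PRIMARY), ("subkey", TOY_N_SUBKEY)):
            body = rsa_key_body(ver, TOY_CREATED, n, TOY_E)
            print(f"v{ver} {label}: fpr={fingerprint(body).hex()} keyid={key_id(body).hex()}")
```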