
Bug#316581: project: db.debian.org not accepting key in keyring



Package: project

 (Proposed solution at the end)

 I've been trying to update/change/add some information via the Mail
 Gateway to the developer's database.  Each time I get an error message
 from the gateway telling me that the key wasn't found.  The error
 message does not specify _which_ key wasn't found.  That alone is a
 bug, since it's a bad error message and is leaving the user with less
 information than before.

 Reading thru
 http://cvs.debian.org/userdir-ldap/userdir_gpg.py?rev=1.12&cvsroot=debian-admin&content-type=text/vnd.viewcvs-markup
 I guess that the function (method?) GPGCheckSig(Message) is doing
 something wrong.  From what I can understand:

       Res = GPGWriteFilter(GPGPath,GPGSigOptions,Message);

 that's calling gpg with --no-options --batch --no-default-keyring
 --secret-keyring /dev/null --always-trust --status-fd 3 {some keyring}
 --output - as the only options and feeding it the message extracted
 from my mail.  Doing that locally I see:

[GNUPG:] PLAINTEXT 74 0
gpg: Signature made Thu Jun 30 06:53:16 2005 CST using RSA key ID 8404D500
[GNUPG:] SIG_ID ignST9aX/c8PLWfzpa4lCVsKJh0 2005-06-30 1120135996
[GNUPG:] GOODSIG 7198A8208404D500 Marcelo E. Magallon <mmagallo@debian.org>
gpg: Good signature from "Marcelo E. Magallon <mmagallo@debian.org>"
[GNUPG:] VALIDSIG 9D44CA6C99DFB718AAEAF1687198A8208404D500 2005-06-30 1120135996 0 4 0 1 2 01 4389F70092A2044E83520EFE7A81833366468D05

 The fingerprint is the data that comes along with VALIDSIG.  From the
 code:

         # ValidSig has the key finger print
         if Split[1] == "VALIDSIG":
            KeyFinger = Split[2];

 So it's using 9D44CA6C99DFB718AAEAF1687198A8208404D500 as the
 fingerprint.  That's the fingerprint of the 8404D500 subkey.

 The moral is I can't use subkeys to talk to the mail gateway.  Doing
 this:

 $ gpg --clearsign -u '66468D05!' < zone | mail change@db.debian.org

 Solves my problem.

 As a _minimum_ to consider this bug addressed, this information should
 be added to the documentation ("The mailgateway does not support
 messages signed with subkeys, you have to use the primary key, like
 this ..."), but that doesn't fix it.

 A message signed with the primary key produces:

[GNUPG:] VALIDSIG 4389F70092A2044E83520EFE7A81833366468D05 2005-07-02 1120269865 0 4 0 17 2 01 4389F70092A2044E83520EFE7A81833366468D05

 My guess is that you want the _last_ item on that line (the primary
 key's fingerprint) and not the one right after VALIDSIG, since the LDAP
 gateway only contains the primary fingerprints.

 So... I've read my share of Python for this year, I guess that should
 up my karma back to zero or perhaps even a bit above it...

 Thanks,

 Marcelo
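
The fix proposed in the report, as an added example (not part of the original message and not userdir-ldap's own code): it takes the primary key fingerprint from the last VALIDSIG field, falls back to the signing key's fingerprint when that field is absent (it is optional in GnuPG's documented status format), and names the key in the error. `parse_validsig`, `lookup_signer` and the `KNOWN_PRIMARY` set standing in for the LDAP directory are hypothetical names; the status lines are the ones quoted in the report.

```python
# Status output copied from the report: one message signed with the
# 8404D500 subkey, one signed with the primary key 66468D05.
SUBKEY_SIGNED = """\
[GNUPG:] PLAINTEXT 74 0
[GNUPG:] SIG_ID ignST9aX/c8PLWfzpa4lCVsKJh0 2005-06-30 1120135996
[GNUPG:] GOODSIG 7198A8208404D500 Marcelo E. Magallon <mmagallo@debian.org>
[GNUPG:] VALIDSIG 9D44CA6C99DFB718AAEAF1687198A8208404D500 2005-06-30 1120135996 0 4 0 1 2 01 4389F70092A2044E83520EFE7A81833366468D05
"""
PRIMARY_SIGNED = "[GNUPG:] VALIDSIG 4389F70092A2044E83520EFE7A81833366468D05 2005-07-02 1120269865 0 4 0 17 2 01 4389F70092A2044E83520EFE7A81833366468D05\n"

# Assumption: stand-in for the directory, which holds primary fingerprints only.
KNOWN_PRIMARY = {"4389F70092A2044E83520EFE7A81833366468D05"}


def parse_validsig(status_text):
    """Return (signing_fpr, primary_fpr) from --status-fd output, or None."""
    found = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        if found is not None:
            # Choice made for this example: refuse multiply-signed input
            # rather than guess which signer the request belongs to.
            raise ValueError("more than one VALIDSIG line")
        signing = fields[2].upper()
        # fields[11] is the primary key fingerprint; when gpg does not
        # emit it, the signing fingerprint is the only one available.
        primary = fields[11].upper() if len(fields) > 11 else signing
        found = (signing, primary)
    return found


def lookup_signer(status_text, known=KNOWN_PRIMARY):
    """Return the primary fingerprint if it is known, else raise."""
    parsed = parse_validsig(status_text)
    if parsed is None:
        raise LookupError("no valid signature in gpg status output")
    signing, primary = parsed
    if primary not in known:
        # Name both fingerprints so the sender can tell which key failed.
        raise LookupError("key not found: signed with %s, primary key %s"
                          % (signing, primary))
    return primary
```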


