Bug#316581: project: db.debian.org not accepting key in keyring
Package: project
(Proposed solution at the end)
I've been trying to update/change/add some information via the Mail
Gateway to the developer's database. Each time I get an error message
from the gateway telling me that the key wasn't found. The error
message does not specify _which_ key wasn't found. That alone is a
bug, since it's a bad error message and is leaving the user with less
information than before.
Reading through
http://cvs.debian.org/userdir-ldap/userdir_gpg.py?rev=1.12&cvsroot=debian-admin&content-type=text/vnd.viewcvs-markup
I guess that the function (method?) GPGCheckSig(Message) is doing
something wrong. From what I can understand:
    Res = GPGWriteFilter(GPGPath,GPGSigOptions,Message);
that's calling gpg with --no-options --batch --no-default-keyring
--secret-keyring /dev/null --always-trust --status-fd 3 {some keyring}
--output - as the only options and feeding it the message extracted
from my mail. Doing that locally I see:
    [GNUPG:] PLAINTEXT 74 0
    gpg: Signature made Thu Jun 30 06:53:16 2005 CST using RSA key ID 8404D500
    [GNUPG:] SIG_ID ignST9aX/c8PLWfzpa4lCVsKJh0 2005-06-30 1120135996
    [GNUPG:] GOODSIG 7198A8208404D500 Marcelo E. Magallon <mmagallo@debian.org>
    gpg: Good signature from "Marcelo E. Magallon <mmagallo@debian.org>"
    [GNUPG:] VALIDSIG 9D44CA6C99DFB718AAEAF1687198A8208404D500 2005-06-30 1120135996 0 4 0 1 2 01 4389F70092A2044E83520EFE7A81833366468D05
The fingerprint is the data that comes along with VALIDSIG. From the
code:
    # ValidSig has the key finger print
    if Split[1] == "VALIDSIG":
        KeyFinger = Split[2];
So it's using 9D44CA6C99DFB718AAEAF1687198A8208404D500 as the
fingerprint. That's the fingerprint of the 8404D500 subkey.
The moral is I can't use subkeys to talk to the mail gateway. Doing
this:
    $ gpg --clearsign -u '66468D05!' < zone | mail change@db.debian.org
solves my problem.
As a _minimum_ to consider this bug addressed, this information should
be added to the documentation ("The mailgateway does not support
messages signed with subkeys, you have to use the primary key, like
this ..."), but that doesn't fix it.
A message signed with the primary key produces:
    [GNUPG:] VALIDSIG 4389F70092A2044E83520EFE7A81833366468D05 2005-07-02 1120269865 0 4 0 17 2 01 4389F70092A2044E83520EFE7A81833366468D05
My guess is that you want the _last_ item on that line (the primary
key's fingerprint) and not the one right after VALIDSIG, since the LDAP
gateway only contains the primary fingerprints.
So... I've read my share of Python for this year, I guess that should
up my karma back to zero or perhaps even a bit above it...
Thanks,
Marcelo
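
Added example (not part of the original report, and not the userdir-ldap
code): a sketch of the lookup the report proposes, taking the primary-key
fingerprint from the last VALIDSIG field and naming the key when the lookup
fails. The function names and the KNOWN_PRIMARY set are assumptions; the
status lines are copied from the report.

```python
import re

# Status lines copied from the report above (subkey-signed, then primary-signed).
SUBKEY_STATUS = (
    "[GNUPG:] GOODSIG 7198A8208404D500 Marcelo E. Magallon <mmagallo@debian.org>\n"
    "[GNUPG:] VALIDSIG 9D44CA6C99DFB718AAEAF1687198A8208404D500 2005-06-30 "
    "1120135996 0 4 0 1 2 01 4389F70092A2044E83520EFE7A81833366468D05\n"
)
PRIMARY_STATUS = (
    "[GNUPG:] VALIDSIG 4389F70092A2044E83520EFE7A81833366468D05 2005-07-02 "
    "1120269865 0 4 0 17 2 01 4389F70092A2044E83520EFE7A81833366468D05\n"
)
# Constructed stand-in for the fingerprints held in LDAP (primary keys only).
KNOWN_PRIMARY = {"4389F70092A2044E83520EFE7A81833366468D05"}

FPR_RE = re.compile(r"^[0-9A-F]{32,64}$")


def parse_validsig(status_text):
    """Return (signing_fpr, primary_fpr) from gpg --status-fd output."""
    lines = [ln.split() for ln in status_text.splitlines()
             if ln.startswith("[GNUPG:] VALIDSIG ")]
    # Refuse zero or several signatures instead of silently picking one.
    if len(lines) != 1 or len(lines[0]) < 3:
        raise ValueError("expected exactly one complete VALIDSIG line")
    args = lines[0][2:]  # fields after the VALIDSIG keyword
    signing = args[0]
    # The 10th field is the primary key's fingerprint. gpg versions that do
    # not emit it leave only the signing key's fingerprint to match on.
    primary = args[9] if len(args) >= 10 else signing
    for fpr in (signing, primary):
        if not FPR_RE.match(fpr):
            raise ValueError("malformed fingerprint in VALIDSIG: %r" % fpr)
    return signing, primary


def lookup_signer(status_text, known_primary):
    """Match on the primary fingerprint; name the key when the lookup fails."""
    signing, primary = parse_validsig(status_text)
    if primary not in known_primary:
        raise KeyError("key not found: primary %s (signed with %s)"
                       % (primary, signing))
    return primary


if __name__ == "__main__":
    for status in (SUBKEY_STATUS, PRIMARY_STATUS):
        print(parse_validsig(status), "->", lookup_signer(status, KNOWN_PRIMARY))
```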