Patchwork gpg: print unknown key IDs in their entirety

login
register
mail settings
Submitter Josef 'Jeff' Sipek
Date Feb. 11, 2018, 11:59 p.m.
Message ID <0c3e67adde02590c1d88.1518393540@meili>
Download mbox | patch
Permalink /patch/27599/
State Accepted
Headers show

Comments

Josef 'Jeff' Sipek - Feb. 11, 2018, 11:59 p.m.
# HG changeset patch
# User Josef 'Jeff' Sipek <jeffpc@josefsipek.net>
# Date 1518391957 18000
#      Sun Feb 11 18:32:37 2018 -0500
# Node ID 0c3e67adde02590c1d8882ba7050d19ff41ba7ff
# Parent  f91b7f26c68ac87961aa6ef883ba96e5a2822ad3
gpg: print unknown key IDs in their entirety

Shortening the key is nice in theory but it results in ambiguity which can
be exploited.  Therefore, when encountering an unknown key ID we should
print the whole ID returned by gpg.  This may or may not be the whole key,
however it will match the user preference set in gpg configuration.

Furthermore, the key ID shortening had a couple of issues:

(1) it truncated the key ID (dropping the last digit and outputting only 15
    hex digits) making it very hard to find the correct key on a key server

(2) since only 15 digits were fed into shortkey(), it always emitted the
    ui.debug() warning
Yuya Nishihara - Feb. 12, 2018, 12:21 a.m.
On Sun, 11 Feb 2018 18:59:00 -0500, Josef 'Jeff' Sipek wrote:
> # HG changeset patch
> # User Josef 'Jeff' Sipek <jeffpc@josefsipek.net>
> # Date 1518391957 18000
> #      Sun Feb 11 18:32:37 2018 -0500
> # Node ID 0c3e67adde02590c1d8882ba7050d19ff41ba7ff
> # Parent  f91b7f26c68ac87961aa6ef883ba96e5a2822ad3
> gpg: print unknown key IDs in their entirety
> 
> Shortening the key is nice in theory but it results in ambiguity which can
> be exploited.  Therefore, when encountering an unknown key ID we should
> print the whole ID returned by gpg.  This may or may not be the whole key,
> however it will match the user preference set in gpg configuration.
> 
> Furthermore, the key ID shortening had a couple of issues:
> 
> (1) it truncated the key ID (dropping the last digit and outputting only 15
>     hex digits) making it very hard to find the correct key on a key server
> 
> (2) since only 15 digits were fed into shortkey(), it always emitted the
>     ui.debug() warning

There seemed no practical reason we had to shorten an unknown key.
Queued, thanks.

Patch

diff --git a/hgext/gpg.py b/hgext/gpg.py
--- a/hgext/gpg.py
+++ b/hgext/gpg.py
@@ -153,8 +153,7 @@  def getkeys(ui, repo, mygpg, sigdata, co
     # warn for expired key and/or sigs
     for key in keys:
         if key[0] == "ERRSIG":
-            ui.write(_("%s Unknown key ID \"%s\"\n")
-                     % (prefix, shortkey(ui, key[1][:15])))
+            ui.write(_("%s Unknown key ID \"%s\"\n") % (prefix, key[1]))
             continue
         if key[0] == "BADSIG":
             ui.write(_("%s Bad signature from \"%s\"\n") % (prefix, key[2]))
@@ -320,13 +319,6 @@  def _dosign(ui, repo, *revs, **opts):
     except ValueError as inst:
         raise error.Abort(str(inst))
 
-def shortkey(ui, key):
-    if len(key) != 16:
-        ui.debug("key ID \"%s\" format error\n" % key)
-        return key
-
-    return key[-8:]
-
 def node2txt(repo, node, ver):
     """map a manifest into some text"""
     if ver == "0":