Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pgp: don't shorten key fingerprints #1522

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

tilpner
Copy link

@tilpner tilpner commented Jun 6, 2024

As @mammothbane already identified in #1365, the pgp module is stripping the trailing exclamation mark from fingerprints that pgp uses to identify specific subkeys.
Because the shortened fingerprint refers to the whole key instead of just the subkey, I can't decrypt any secrets I encrypt for that subkey.

According to the doc comment, this was meant for compatibility with older GPG versions. I don't know which incompatibilities @hiddeco was referring to here, or if they are still relevant.

sops/pgp/keysource.go

Lines 633 to 635 in 1c46d24

// shortenFingerprint returns the short ID of the given fingerprint.
// This is mostly used for compatibility reasons, as older versions of GnuPG
// do not always like long IDs.

Fixes #1365

@tilpner tilpner force-pushed the dont-shorten-key-ids branch 2 times, most recently from 685c48e to 3068ed0 Compare June 6, 2024 20:30
@felixfontein felixfontein requested a review from hiddeco June 6, 2024 20:46
If shortening fingerprints, the trailing '!' from subkey fingerprints is removed,
and the wrong key is selected later on, potentially resulting in just-created secrets
not being decryptable.

Fixes getsops#1365

Signed-off-by: tilpner <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

unable to force specific gpg subkey
1 participant