pgp: don't shorten key fingerprints

If shortening fingerprints, the trailing '!' from subkey fingerprints is removed,
and the wrong key is selected later on, potentially resulting in just-created secrets
not being decryptable.

Fixes #1365

Signed-off-by: tilpner <git@tilpner.com>

Author: tilpner

pgp/keysource.go

@@ -321,8 +321,6 @@ func (key *MasterKey) encryptWithOpenPGP(dataKey []byte) error {
 // PGP key that belongs to Fingerprint. It sets EncryptedDataKey, or returns
 // an error.
 func (key *MasterKey) encryptWithGnuPG(dataKey []byte) error {
-	fingerprint := shortenFingerprint(key.Fingerprint)
-
 	args := []string{
 		"--no-default-recipient",
 		"--yes",
@@ -331,7 +329,7 @@ func (key *MasterKey) encryptWithGnuPG(dataKey []byte) error {
 		"-r",
 		key.Fingerprint,
 		"--trusted-key",
-		fingerprint,
+		key.Fingerprint,
 		"--no-encrypt-to",
 	}
 	stdout, stderr, err := gpgExec(key.gnuPGHomeDir, args, bytes.NewReader(dataKey))
@@ -629,13 +627,3 @@ func gnuPGHome(customPath string) string {
 	}
 	return dir
 }
-
-// shortenFingerprint returns the short ID of the given fingerprint.
-// This is mostly used for compatibility reasons, as older versions of GnuPG
-// do not always like long IDs.
-func shortenFingerprint(fingerprint string) string {
-	if offset := len(fingerprint) - 16; offset > 0 {
-		fingerprint = fingerprint[offset:]
-	}
-	return fingerprint
-}

pgp/keysource_test.go

@@ -338,18 +338,16 @@ func TestMasterKey_Decrypt(t *testing.T) {
 	})
 	assert.NoError(t, gnuPGHome.ImportFile(mockPrivateKey))
 
-	fingerprint := shortenFingerprint(mockFingerprint)
-
 	data := []byte("this data is absolutely top secret")
 	stdout, stderr, err := gpgExec(gnuPGHome.String(), []string{
 		"--no-default-recipient",
 		"--yes",
 		"--encrypt",
 		"-a",
 		"-r",
-		fingerprint,
+		mockFingerprint,
 		"--trusted-key",
-		fingerprint,
+		mockFingerprint,
 		"--no-encrypt-to",
 	}, bytes.NewReader(data))
 	assert.Nil(t, err)
@@ -421,18 +419,16 @@ func TestMasterKey_decryptWithOpenPGP(t *testing.T) {
 		})
 		assert.NoError(t, gnuPGHome.ImportFile(mockPrivateKey))
 
-		fingerprint := shortenFingerprint(mockFingerprint)
-
 		data := []byte("this data is absolutely top secret")
 		stdout, stderr, err := gpgExec(gnuPGHome.String(), []string{
 			"--no-default-recipient",
 			"--yes",
 			"--encrypt",
 			"-a",
 			"-r",
-			fingerprint,
+			mockFingerprint,
 			"--trusted-key",
-			fingerprint,
+			mockFingerprint,
 			"--no-encrypt-to",
 		}, bytes.NewReader(data))
 		assert.Nil(t, err)
@@ -470,18 +466,16 @@ func TestMasterKey_decryptWithGnuPG(t *testing.T) {
 		})
 		assert.NoError(t, gnuPGHome.ImportFile(mockPrivateKey))
 
-		fingerprint := shortenFingerprint(mockFingerprint)
-
 		data := []byte("this data is absolutely top secret")
 		stdout, stderr, err := gpgExec(gnuPGHome.String(), []string{
 			"--no-default-recipient",
 			"--yes",
 			"--encrypt",
 			"-a",
 			"-r",
-			fingerprint,
+			mockFingerprint,
 			"--trusted-key",
-			fingerprint,
+			mockFingerprint,
 			"--no-encrypt-to",
 		}, bytes.NewReader(data))
 		assert.Nil(t, err)
@@ -696,13 +690,6 @@ func Test_gnuPGHome(t *testing.T) {
 	assert.Equal(t, customP, gnuPGHome(customP))
 }
 
-func Test_shortenFingerprint(t *testing.T) {
-	shortId := shortenFingerprint(mockFingerprint)
-	assert.Equal(t, "9732075EA221A7EA", shortId)
-
-	assert.Equal(t, shortId, shortenFingerprint(shortId))
-}
-
 // TODO(hidde): previous tests kept around for now.
 
 func TestPGP(t *testing.T) {