@tilpner tilpner commented Jun 6, 2024

As @mammothbane already identified in #1365, the pgp module is stripping the trailing exclamation mark from fingerprints that pgp uses to identify specific subkeys.
Because the shortened fingerprint refers to the whole key instead of just the subkey, I can't decrypt any secrets I encrypt for that subkey.

According to the doc comment, this was meant for compatibility with older GPG versions. I don't know which incompatibilities @hiddeco was referring to here, or if they are still relevant.

sops/pgp/keysource.go

Lines 633 to 635 in 1c46d24

// shortenFingerprint returns the short ID of the given fingerprint.
// This is mostly used for compatibility reasons, as older versions of GnuPG
// do not always like long IDs.

Fixes #1365

@tilpner tilpner force-pushed the dont-shorten-key-ids branch 2 times, most recently from 685c48e to 3068ed0 Compare June 6, 2024 20:30
@felixfontein felixfontein requested a review from hiddeco June 6, 2024 20:46
If shortening fingerprints, the trailing '!' from subkey fingerprints is removed,
and the wrong key is selected later on, potentially resulting in just-created secrets
not being decryptable.

Fixes getsops#1365

Signed-off-by: tilpner <[email protected]>
@felixfontein
Contributor

According to the doc comment, this was meant for compatibility with older GPG versions. I don't know which incompatibilities @hiddeco was referring to here, or if they are still relevant.

I also don't know whether this is still needed, but to avoid breaking changes for users I've created a PR which keeps the trimming, but makes sure to handle ! correctly: #1720

I think eventually we should remove the trimming function (as implemented in this PR), but I'm not sure when it's time to do that. Though definitely not in a bugfix release :)
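
The two behaviours discussed above, as an added Go example that is not part of the thread and is not the sops implementation: one function models shortening that loses the trailing `!`, the other shortens the hex part but keeps the marker. The function names, the 16-digit long-ID length used for shortening, and the sample fingerprint are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed 40-hex-digit subkey fingerprint with GnuPG's trailing '!'
// marker; it does not belong to any real key.
const sampleSubkey = "0123456789ABCDEF0123456789ABCDEF01234567!"

// longIDLen is the length of a GnuPG long key ID (last 16 hex digits).
const longIDLen = 16

// lastN returns the final n bytes of s, or s unchanged if it is shorter.
func lastN(s string, n int) string {
	if len(s) > n {
		return s[len(s)-n:]
	}
	return s
}

// shortenDroppingMarker is a hypothetical model of the behaviour reported in
// the thread: the '!' is lost, so the result no longer pins the subkey.
func shortenDroppingMarker(fp string) string {
	return lastN(strings.TrimSuffix(fp, "!"), longIDLen)
}

// shortenKeepingMarker is a hypothetical variant that still shortens the hex
// part but re-appends '!' when the caller supplied it.
func shortenKeepingMarker(fp string) string {
	hex := strings.TrimSuffix(fp, "!")
	short := lastN(hex, longIDLen)
	if hex != fp { // the input carried the exact-key marker
		short += "!"
	}
	return short
}

func main() {
	fmt.Println("input:          ", sampleSubkey)
	fmt.Println("marker dropped: ", shortenDroppingMarker(sampleSubkey))
	fmt.Println("marker kept:    ", shortenKeepingMarker(sampleSubkey))
}
```

A regression test for this class of bug only needs to assert that an identifier ending in `!` still ends in `!` after any normalization step that runs before the key is handed to GnuPG.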

Luflosi commented Mar 13, 2025

Since the original problem this PR aimed to fix was solved by #1720, I think this can be closed.

@tilpner tilpner closed this Mar 14, 2025
Development

Successfully merging this pull request may close these issues.

unable to force specific gpg subkey