author | Ludovic Courtès <ludo@gnu.org> | 2020-04-26 23:27:36 +0200 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2020-05-04 09:56:12 +0200 |
commit | b45fa0a123bec8d023e5520dfb381bfc73313929 (patch) | |
tree | 65b5f582f26f1d6de55269348588abcb3a7e1c51 | |
parent | efe1f0122c61b8932671d07419f0200c170a994e (diff) | |
openpgp: 'verify-openpgp-signature' looks up by fingerprint when possible.
* guix/openpgp.scm (verify-openpgp-signature): Use
'lookup-key-by-fingerprint' when SIG contains a fingerprint.
Honor FINGERPRINT in the 'find' predicate. Upon missing-key, return
FINGERPRINT if available.
* tests/openpgp.scm ("verify-openpgp-signature, missing key"): Adjust
expected value accordingly.
-rw-r--r-- | guix/openpgp.scm | 15 | ||||
-rw-r--r-- | tests/openpgp.scm | 2 |
2 files changed, 12 insertions, 5 deletions
diff --git a/guix/openpgp.scm b/guix/openpgp.scm index 8479f8a168..a871eb1a16 100644 --- a/guix/openpgp.scm +++ b/guix/openpgp.scm @@ -564,16 +564,23 @@ the issuer's OpenPGP public key extracted from KEYRING." ;; TODO: Support SIGNATURE-TEXT. (if (= (openpgp-signature-type sig) SIGNATURE-BINARY) - (let* ((issuer (openpgp-signature-issuer-key-id sig)) - (key-data (lookup-key-by-id keyring issuer))) + (let* ((id (openpgp-signature-issuer-key-id sig)) + (fingerprint (openpgp-signature-issuer-fingerprint sig)) + (key-data (if fingerprint + (lookup-key-by-fingerprint keyring fingerprint) + (lookup-key-by-id keyring id)))) ;; Find the primary key or subkey that made the signature. (let ((key (find (lambda (k) (and (openpgp-public-key? k) - (= (openpgp-public-key-id k) issuer))) + (if fingerprint + (bytevector=? + (openpgp-public-key-fingerprint k) + fingerprint) + (= (openpgp-public-key-id k) id)))) key-data))) (if key (check key sig) - (values 'missing-key issuer)))) + (values 'missing-key (or fingerprint id))))) (values 'unsupported-signature sig))) (define (key-id-matches-fingerprint? key-id fingerprint) diff --git a/tests/openpgp.scm b/tests/openpgp.scm index eac2e88f74..cc5e6cbcf7 100644 --- a/tests/openpgp.scm +++ b/tests/openpgp.scm @@ -192,7 +192,7 @@ Pz7oopeN72xgggYUNT37ezqN3MeCqw0= %hello-signature/ed25519/sha1))) (test-equal "verify-openpgp-signature, missing key" - `(missing-key ,%rsa-key-id) + `(missing-key ,%rsa-key-fingerprint) (let* ((keyring (get-openpgp-keyring (%make-void-port "r"))) (signature (get-openpgp-packet (open-bytevector-input-port |
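Review bot: The `'missing-key` branch at the end of this hunk now returns `(or fingerprint id)`, so its second value is a bytevector when SIG carries an issuer fingerprint and an integer key ID otherwise, and the visible tail of the docstring does not tell callers to expect both. Callers that print or compare that value as a number are outside this hunk and should be checked. I would add a docstring sentence saying that the info returned with `'missing-key` is the issuer fingerprint (a bytevector) when SIG has one, and the 64-bit key ID otherwise. The code also does not fall back to `lookup-key-by-id` when the fingerprint lookup finds nothing, which looks intentional; a comment above the `let*` would record that, for example `;; Prefer the fingerprint: 64-bit key IDs can collide, so use the ID only when SIG has no fingerprint.` The function body starts before the hunk.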
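Review bot: With the expected value changed to `%rsa-key-fingerprint`, this test now pins only the fingerprint path, so the `(lookup-key-by-id keyring id)` fallback and its integer `'missing-key` result have no visible coverage in this hunk. If the test file has a signature fixture without an issuer-fingerprint subpacket (not visible here), a companion case expecting `(missing-key ,%rsa-key-id)` would keep both return shapes under test. The test body continues past the end of the hunk.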