On Wed, Jan 27, 2016 at 09:09:31PM +0100, Michael J Gruber wrote: > "subkey" and "uid" are different things. You bind a subkey to your > primary key with that self-signature. subkeys don't carry any other > signatures. > > A primary key "carries" the uids, and whenever someone "signs your key" > they in fact sign a specific uid - usually all, resulting in multiple > signatures, one for each uid of the (primary) key. > > A key is usually considered trusted if it carries "a" signature from a > trusted key. > > So, assuming my key carries a signature from a trusted key to at least > one uid, it would be trusted no matter what (fake) uids I add to it later.
Right. I think I didn't do a good job of explaining myself earlier, so let me try to rephrase. When we look at the v2.7 tag, GPG sees that we are signed by Junio's subkey, 96AFE6CB. It then knows that belongs to the main public key 713660A7, because the main key signed the subkey. And then it sees that there are several uids for that main key, each with their own signatures by other people. So of the three uids that I have for that key: pub 4096R/713660A7 2011-10-01 uid Junio C Hamano <gits...@pobox.com> uid Junio C Hamano <j...@google.com> uid Junio C Hamano <ju...@pobox.com> it reports back to git only one (the pobox.com), which we relay to the user via --raw. If we wanted to check that the key matches the "tagger" header, that works. But why did gpg return that first uid, and not any of the others? We would ideally see all of them, and consider it OK if it matches any uid (assuming that uid is sufficiently signed for gpg to consider it valid). Weirder, if you _don't_ use "--raw", the human-readable output gives us all of the uids as "aka" lines: $ git verify-tag v2.7.0 $ git verify-tag v2.7.0 gpg: Signature made Mon 04 Jan 2016 05:08:12 PM EST using RSA key ID 96AFE6CB gpg: Good signature from "Junio C Hamano <gits...@pobox.com>" gpg: aka "Junio C Hamano <j...@google.com>" gpg: aka "Junio C Hamano <ju...@pobox.com>" $ git verify-tag --raw v2.7.0 [GNUPG:] SIG_ID xFANmHj+QJ1gwIcoRuT5BF/y8H4 2016-01-04 1451945292 [GNUPG:] GOODSIG B0B5E88696AFE6CB Junio C Hamano <gits...@pobox.com> [GNUPG:] VALIDSIG E1F036B1FEE7221FC778ECEFB0B5E88696AFE6CB 2016-01-04 1451945292 0 4 0 1 2 00 96E07AF25771955980DAD10020D04E5A713660A7 [GNUPG:] TRUST_FULLY It seems like we should be able to get the raw-output to tell us all of those uids. I guess it is not the end of the world to go back to gpg and say "give me all of the valid uids that match this signing key", but it seems silly to have to do so. -Peff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
