To support the bug title, I did a comparison of the different OpenPGP implementations for all the upstream signed tags for src:linux.

Git normally wants to run gpg and expects any alternative to implement
the same options and output format, so I implemented wrapper scripts to
make it work with the different verifier commands all using
debian/upstream/signing-key.asc as the keyring.

In this case the keyring contains:

pub   rsa4096/38DBBDC86092693E 2011-09-23 [SC]
      647F28654894E3BD457199BE38DBBDC86092693E
uid                 [ unknown] Greg Kroah-Hartman (Linux kernel stable release signing key) <[email protected]>
sub   rsa4096/F38153E276D54749 2011-09-23 [E]

pub   rsa2048/79BE3E4300411886 2011-09-20 [SC]
      ABAF11C65A2970B130ABE3C479BE3E4300411886
uid                 [ unknown] Linus Torvalds <[email protected]>
sub   rsa2048/88BCE80F012F54CA 2011-09-20 [E]

pub   rsa4096/E7BFC8EC95861109 2009-07-12 [SC]
      AC2B29BD34A6AFDDB3F68F35E7BFC8EC95861109
uid                 [ unknown] Ben Hutchings (DOB: 1977-01-11)
uid                 [ unknown] Ben Hutchings <[email protected]>
uid                 [ unknown] Ben Hutchings <[email protected]>
sub   rsa4096/CF0469521357C3D7 2009-07-12 [E]

pub   rsa4096/DEA66FF797772CDC 2012-02-09 [SC]
      E27E5D8A3403A2EF66873BBCDEA66FF797772CDC
uid                 [ unknown] Sasha Levin <[email protected]>
uid                 [ unknown] Sasha Levin <[email protected]>
uid                 [ unknown] Sasha Levin <[email protected]>
uid                 [ unknown] Sasha Levin <[email protected]>
sub   rsa4096/D0065D755EB09DBB 2012-02-09 [E]

The numbers of tags accepted per ID and verifier are:

ID                                          gpgv    rsopv    sqopv
-------------------------------------------------------------------
Greg Kroah-Hartman <[email protected]>        3683     3553        0
Greg Kroah-Hartman <[email protected]>          36       36        0
Linus Torvalds <[email protected]>             644      452        0
Ben Hutchings <[email protected]>              137      137       68
Sasha Levin <[email protected]>                 41       41       41
Sasha Levin <[email protected]>                  4        4        4
Sasha Levin <[email protected]>                 27        0        0
Sasha Levin <[email protected]>                 39        0        0

There is already some disagreement between gpgv and rsopv, but the large
majority of tags are accepted by both. But sqopv rejects *all*
signatures made by Greg or Linus, and by some of Sasha's IDs. (It also
rejects some of mine, but it appears that those are all v3 signatures
which I don't care about.)

Ben.

--
Ben Hutchings
Any smoothly functioning technology is indistinguishable
from a rigged demo.
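
Added example, not part of the message above and not the author's wrapper scripts: a minimal stand-in for git's gpg.program that hands verification to a SOP-style verifier. Git runs the configured program as "gpg --verify <signature> -" with the signed payload on stdin and reads GnuPG status lines from --status-fd=1. The names SOPV, CERTS and git-sopv are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the wrapper scripts from the message above.
# SOPV, CERTS and the name git-sopv are this example's own assumptions.
SOPV="${SOPV:-sqopv}"
CERTS="${CERTS:-debian/upstream/signing-key.asc}"

# Translate SOP VERIFICATIONS lines ("<time> <signing-fpr> <primary-fpr> ...")
# into GnuPG status lines. SOP reports no user ID, so the primary
# fingerprint stands in for it, and VALIDSIG is emitted in a shortened form.
sop_to_status() {
    while read -r when fpr primary _rest; do
        [ -n "$fpr" ] || continue
        # Long key ID = last 16 hex digits of a v4 fingerprint
        keyid=$(printf '%s' "$fpr" | tail -c 16)
        printf '[GNUPG:] GOODSIG %s %s\n' "$keyid" "${primary:-$fpr}"
        printf '[GNUPG:] VALIDSIG %s %s\n' "$fpr" "${when%%T*}"
    done
}

# Pick the detached-signature file out of the gpg-style argument list.
sig_from_args() {
    while [ $# -gt 0 ]; do
        if [ "$1" = "--verify" ] && [ $# -ge 2 ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Fail closed: if the verifier rejects the signature, no GOODSIG line is
# printed and the exit status is non-zero, so git reports a bad signature.
gpg_compat_verify() {
    sig=$(sig_from_args "$@") || { echo "only --verify is supported" >&2; return 2; }
    # The signed payload arrives on stdin and is passed straight through.
    out=$("$SOPV" verify "$sig" "$CERTS") || return 1
    printf '%s\n' "$out" | sop_to_status
}

# Act as a wrapper only when installed under this (hypothetical) name.
case "${0##*/}" in
    git-sopv) gpg_compat_verify "$@" ;;
esac
```

With the script installed as git-sopv, "git -c gpg.program=git-sopv verify-tag <tag>" exercises it; setting SOPV=rsopv switches the verifier.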

