Hi!

On Wed, 2023-12-20 at 23:59:31 +0100, Guillem Jover wrote:
> On Wed, 2023-12-20 at 15:30:24 +0000, Steve McIntyre wrote:
> > diff --git a/src/openpgp-gpg.c b/src/openpgp-gpg.c
> > index 4c29b7f..97ec3a4 100644
> > --- a/src/openpgp-gpg.c
> > +++ b/src/openpgp-gpg.c
> > @@ -241,6 +242,7 @@ gpg_getKeyID(const char *keyring, const char *match_id)
> >             continue;
> >              if (strcmp(uid, match_id) != 0) {
> >                  free(uid);
> > +           state = KEYID_SUB;
> >             continue;
> >         }
> >              free(uid);
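Review bot: the added `state = KEYID_SUB;` in the non-matching branch changes state as soon as the first uid of a certificate fails the `strcmp`, so any later uid of the same certificate that would have matched `match_id` is never compared; the transition should be deferred until the current certificate's uid records are exhausted (i.e. when the next key record is reached) rather than on the first mismatch. Minor: the added line is indented differently from the surrounding `free(uid);` and `continue;` lines, so it should be aligned with the block it sits in.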
> 
> I think the problem with this is that if the first uid does not match,
> then it will then switch to looking for a new fingerprint line, which
> might then omit some valid uids.
> 
> I've prepared a change based on this at:
> 
>   https://git.hadrons.org/cgit/debian/dpkg/debsig-verify.git/log/?h=pu/openpgp-subkey
> 
> With the assumption that one would define the policy and keyrings
> paths based on the subkey fingerprint and not the primary public
> certificate fingerprint, because otherwise some of the other matches
> cannot easily match, such as uid-based ones. But wanted to check with
> you whether that's the case before merging. Otherwise I can try to see
> how to support all the various cases.

I assume you have had no time to look into this, but I'd like to make
sure the above branch fixes your issue before merging, and potentially
preparing a backport for stable. :)

Thanks,
Guillem
