Hi,

On Thu, Sep 28, 2017 at 08:50:55PM +0200, Lukas Schwaighofer wrote:
> Package: devscripts
> Version: 2.17.10
> Severity: minor
> 
> Hi,
> 
> the uscan(1) man page states:
> 
>     Please note that the short keyid 72543FAF is the last 4 Bytes, the
>     long keyid C77E2D6872543FAF is the last 8 Bytes, and the finger
>     print is the last 20 Bytes of the public key in hexadecimal form.
>     (...)
> 
> However, the fingerprint is not the last 20 Bytes of the public key,
> but instead (for V4 keys) the hexadecimal representation of the SHA-1
> hash of the public key (and some additional data [1]).
> 
> The short/long keyids are the last 4/8 Bytes of the same hash in hex.

Correct.  I was sloppy mixing "the public key" and "the hash
calculated from the public key".  Let's not even use the word hash.

KEYRING FILE EXAMPLES
 Let's assume that the upstream "uscan test key (no secret) <[email protected]>"
 signs its package with a secret OpenPGP key and publishes the corresponding
 public OpenPGP key.  This public OpenPGP key can be identified in 3 ways using
 the hexadecimal form.

 · The fingerprint is the 20-byte value calculated from the public OpenPGP key.
   E.g., 'CF21 8F0E 7EAB F584 B7E2 0402 C77E 2D68 7254 3FAF'

 · The long keyid is the last 8 bytes of the fingerprint.  E.g.,
   'C77E2D6872543FAF'

 · The short keyid is the last 4 bytes of the fingerprint.  E.g., '72543FAF'

 Considering the existence of the collision attack on the short keyid, the use
 of the long keyid is recommended for receiving keys from the public key
 servers.  You must verify the downloaded OpenPGP key using its full fingerprint
 value, which you know is the trusted one.

Osamu

_______________________________________________
devscripts-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
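The relationship spelled out in the proposed text, worked through as an added example (this is not code from uscan, devscripts, or anyone in this thread): it builds the body of a V4 public-key packet, computes the fingerprint exactly as RFC 4880 section 12.2 defines it (SHA-1 over the octet 0x99, the two-octet body length and the body), takes the long and short key IDs from the tail of that fingerprint, and performs the full-fingerprint check the last paragraph asks for. The RSA parameters are constructed test values rather than a real key, and every function name here is this example's own.

```python
# Added example for this thread (not uscan or devscripts code): OpenPGP V4
# fingerprints and key IDs per RFC 4880, plus the full-fingerprint check.
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: two-octet bit length, big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(creation_time: int, n: int, e: int) -> bytes:
    """Body of a V4 RSA public-key packet: version 4, creation time, algorithm 1, n, e."""
    return b"\x04" + struct.pack(">I", creation_time) + b"\x01" + mpi(n) + mpi(e)


def public_key_packet(body: bytes, new_format: bool = False) -> bytes:
    """Wrap a body in a tag-6 packet header.  The old-format header with a two-octet
    length is exactly the 0x99 octet that also prefixes the fingerprint hash input."""
    n = len(body)
    if not new_format:
        return b"\x99" + struct.pack(">H", n) + body
    if n < 192:
        return b"\xc6" + bytes([n]) + body
    if n < 8384:
        return b"\xc6" + bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF]) + body
    return b"\xc6\xff" + struct.pack(">I", n) + body


def packet_body(packet: bytes) -> bytes:
    """Return the body of the leading packet, which must be a public-key packet (tag 6).
    Old- and new-format headers are handled; partial and indeterminate lengths are
    rejected because key packets never use them."""
    tag_byte = packet[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if tag_byte & 0x40:  # new format
        tag, first = tag_byte & 0x3F, packet[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + packet[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", packet[2:6])[0], 6
        else:
            raise ValueError("partial body length not allowed for a key packet")
    else:  # old format
        tag, length_type = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
        if length_type == 3:
            raise ValueError("indeterminate length not allowed for a key packet")
        size = (1, 2, 4)[length_type]
        length, off = int.from_bytes(packet[1:1 + size], "big"), 1 + size
    if tag != 6:
        raise ValueError(f"expected a public-key packet (tag 6), got tag {tag}")
    body = packet[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return body


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length and the body,
    as 40 upper-case hex digits (the form gpg prints, without the spaces)."""
    if body[:1] != b"\x04":
        raise ValueError("only version 4 keys use the SHA-1 fingerprint")
    if len(body) > 0xFFFF:
        raise ValueError("body too long for a two-octet length")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalize_fingerprint(fpr: str) -> str:
    """Accept 'CF21 8F0E ...' as printed by gpg, or the bare 40-digit string."""
    return "".join(fpr.split()).upper()


def long_keyid(fpr: str) -> str:
    """Last 8 bytes (16 hex digits) of the fingerprint."""
    return normalize_fingerprint(fpr)[-16:]


def short_keyid(fpr: str) -> str:
    """Last 4 bytes (8 hex digits) of the fingerprint; far too short to be unique."""
    return normalize_fingerprint(fpr)[-8:]


def verify_downloaded_key(packet: bytes, trusted_fingerprint: str) -> bool:
    """The check the man page asks for: the key fetched from a keyserver (by long
    key ID) is accepted only if its full fingerprint equals the one you already trust."""
    computed = v4_fingerprint(packet_body(packet))
    return hmac.compare_digest(computed, normalize_fingerprint(trusted_fingerprint))


# Constructed test key: well-formed packet fields, not a usable RSA key.
TEST_BODY = rsa_public_key_body(1506624655, (1 << 511) | 0x123456789ABCDEF1, 65537)
TEST_PACKET = public_key_packet(TEST_BODY)

if __name__ == "__main__":
    fpr = v4_fingerprint(TEST_BODY)
    print("fingerprint:", fpr)
    print("long keyid: ", long_keyid(fpr), "short keyid:", short_keyid(fpr))
    print("verified:   ", verify_downloaded_key(TEST_PACKET, fpr))
```

Two things worth noticing. The 0x99 octet hashed into the fingerprint is just the old-format header of a tag-6 packet with a two-octet length, so for a key stored that way the fingerprint is the SHA-1 of the packet bytes as they sit in the keyring. And the key IDs are nothing more than the trailing 16 or 8 hex digits of that hash, which is why `verify_downloaded_key` compares the whole 160-bit value rather than the tail: a keyserver lookup by long key ID selects a candidate, but only the full fingerprint you already trust decides whether to accept it.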