On Thu, Dec 23, 2021 at 11:34 PM Allan McRae <[email protected]> wrote:
>
> I'm not a fan of the idea that if a user has a handful of non-distro
> repositories configured, that every package signature would need checked
> against multiple keys until one passed. Is there no way of identifying
> the correct signing key from the signature file?
>
Yeah, I believe there is. Here's the contents of a generated public key:

asignify-pubkey:1:mtG16Izr+xQ=:FlDRmIlYxCG0QAm7Jjmf/im62EBfg2nCpwzGPpkq+30=

And here's the contents of the sig file made using the corresponding
private key:

asignify-sig:1:mtG16Izr+xQ=:txEF3fQ/gaBAVCi8WpDICWn9i7gqgfJXp/viJDQeeETfbZTheIXHitmXv9Z+RQO9dYQDkJ6AMZt/xTU1/lWlDQ==
BLAKE2 (test.c) = f8222a69bb9672b76ad7cc8776902a4b5bdde47b64040cd6febe798df3c7545a1f86e1ae94898f63fe94e3cabb91cda359be6b12edddcccd95ef5fd965349600

So it looks like the third field on the first line is a fingerprint for the key.

JH
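The key lookup discussed in this exchange, as an added example that is not part of the original message and is not asignify or pacman code. It assumes, following the observation above, that the third colon-separated field identifies the key; the function names and the second public key are constructed for illustration.

```python
import base64

# Both values are copied from the message above.
PUBKEY = "asignify-pubkey:1:mtG16Izr+xQ=:FlDRmIlYxCG0QAm7Jjmf/im62EBfg2nCpwzGPpkq+30="
SIG_FILE = (
    "asignify-sig:1:mtG16Izr+xQ=:txEF3fQ/gaBAVCi8WpDICWn9i7gqgfJXp/viJDQeeETfbZTheIXHitmXv9Z+RQO9dYQDkJ6AMZt/xTU1/lWlDQ==\n"
    "BLAKE2 (test.c) = f8222a69bb9672b76ad7cc8776902a4b5bdde47b64040cd6febe798df3c7545a1f86e1ae94898f63fe94e3cabb91cda359be6b12edddcccd95ef5fd965349600\n"
)

def b64(raw):
    return base64.b64encode(raw).decode()

# Constructed key (not from the message) standing in for a second repository.
OTHER_PUBKEY = f"asignify-pubkey:1:{b64(bytes(8))}:{b64(bytes(32))}"

def parse_header(line, magic):
    """Split 'magic:version:id:data'. Base64 never contains ':', so a plain
    split is unambiguous. Malformed input raises ValueError."""
    fields = line.strip().split(":")
    if len(fields) != 4 or fields[0] != magic:
        raise ValueError(f"not a {magic} line")
    key_id = base64.b64decode(fields[2], validate=True)
    data = base64.b64decode(fields[3], validate=True)
    return int(fields[1]), key_id, data

def build_keyring(pubkey_lines):
    """Index trusted public keys by (version, key id). A list per id keeps
    every key if two configured keys happen to share an id."""
    ring = {}
    for line in pubkey_lines:
        version, key_id, key = parse_header(line, "asignify-pubkey")
        ring.setdefault((version, key_id), []).append(key)
    return ring

def candidate_keys(sig_text, ring):
    """Return (keys, signature) for the keys whose id matches the sig header.
    The id is an untrusted lookup hint: the signature must still verify under
    a returned key, and an empty list means reject, not 'try every key'."""
    lines = sig_text.splitlines()
    if not lines:
        raise ValueError("empty signature file")
    version, key_id, sig = parse_header(lines[0], "asignify-sig")
    return ring.get((version, key_id), []), sig

if __name__ == "__main__":
    keys, sig = candidate_keys(SIG_FILE, build_keyring([OTHER_PUBKEY, PUBKEY]))
    print(len(keys), "candidate key(s),", len(sig), "byte signature")
```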
