Bug#877104: uscan: Wrong information regarding OpenPGP fingerprints in man page

Osamu Aoki osamu at debian.org
Fri Sep 29 13:40:37 UTC 2017


Hi,

On Thu, Sep 28, 2017 at 08:50:55PM +0200, Lukas Schwaighofer wrote:
> Package: devscripts
> Version: 2.17.10
> Severity: minor
> 
> Hi,
> 
> the uscan(1) man page states:
> 
>     Please note that the short keyid 72543FAF is the last 4 Bytes, the
>     long keyid C77E2D6872543FAF is the last 8 Bytes, and the finger
>     print is the last 20 Bytes of the public key in hexadecimal form.
>     (...)
> 
> However, the fingerprint is not the last 20 Bytes of the public key,
> but instead (for V4 keys) the hexadecimal representation of the SHA-1
> hash of the public key (and some additional data [1]).
> 
> The short/long keyids are the last 4/8 Bytes of the same hash in hex.

Correct.  I was sloppy mixing the "the public key" and "the hash
calculated from the public key".  Let's not even use the word hash.

KEYRING FILE EXAMPLES
 Let's assume that the upstream "uscan test key (no secret) <none at debian.org>"
 signs its package with a secret OpenPGP key and publishes the corresponding
 public OpenPGP key.  This public OpenPGP key can be identified in 3 ways using
 the hexadecimal form.

 · The fingerprint as the 20 byte data calculated from the public OpenPGP key.
   E.g., 'CF21 8F0E 7EAB F584 B7E2 0402 C77E 2D68 7254 3FAF'

 · The long keyid as the last 8 byte data of the fingerprint.  E.g.,
   'C77E2D6872543FAF'

 · The short keyid as the last 4 byte data of the fingerprint.  E.g., '72543FAF'

 Considering the existence of the collision attack on the short keyid, the use
 of the long keyid is recommended for receiving keys from the public key
 servers.  You must verify the downloaded OpenPGP key using its full fingerprint
 value which you know is the trusted one.

Osamu
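The relationship the thread settles on (fingerprint = SHA-1 over the public-key packet, long and short keyids = low-order 8 and 4 bytes of that hash, verification against the full trusted fingerprint) can be checked directly. The following is an added example written for this page; it is not uscan's own code and not part of the man page. It follows RFC 4880 section 12.2 for the V4 fingerprint, uses a constructed (not real) RSA key packet, and the function names and sample values are this example's own.

```python
"""Compute an OpenPGP V4 key fingerprint and derive the key IDs from it.

Added example, not from the devscripts/uscan man page: a V4 fingerprint
is the SHA-1 over 0x99, a two-octet length, and the public-key packet body
(RFC 4880, section 12.2). The keyids are the low-order 8 or 4 bytes of that
fingerprint, not bytes taken from the key material itself.
"""
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 3.2)."""
    bit_length = value.bit_length()
    body = value.to_bytes((bit_length + 7) // 8, "big")
    return struct.pack(">H", bit_length) + body


def rsa_v4_public_key_body(creation_time: int, n: int, e: int) -> bytes:
    """Build the body of a V4 RSA public-key packet (RFC 4880 5.5.2)."""
    return bytes([4]) + struct.pack(">I", creation_time) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(packet_body: bytes) -> str:
    """SHA-1 over 0x99 || 2-octet body length || body, as 40 uppercase hex digits."""
    prefix = b"\x99" + struct.pack(">H", len(packet_body))
    return hashlib.sha1(prefix + packet_body).hexdigest().upper()


def normalize_fingerprint(text: str) -> str:
    """Strip the display spacing from a fingerprint and upper-case it."""
    return "".join(text.split()).upper()


def long_keyid(fingerprint: str) -> str:
    """Last 8 bytes (16 hex digits) of the fingerprint."""
    return normalize_fingerprint(fingerprint)[-16:]


def short_keyid(fingerprint: str) -> str:
    """Last 4 bytes (8 hex digits) of the fingerprint."""
    return normalize_fingerprint(fingerprint)[-8:]


def fingerprint_matches(downloaded: str, trusted: str) -> bool:
    """Compare a downloaded key's fingerprint with the full trusted fingerprint.

    A keyid alone (8 or 16 hex digits) never matches: only the full 40-digit
    value is accepted, which is what the man page text asks the user to check.
    """
    a = normalize_fingerprint(downloaded)
    b = normalize_fingerprint(trusted)
    return len(a) == 40 and hmac.compare_digest(a, b)


# Constructed sample key material (hypothetical, not a real key): a tiny RSA
# modulus is enough to demonstrate the packet layout and the hash.
SAMPLE_N = 0xC0FFEE1234567890ABCDEF1122334455667788990A0B0C0D0E0F1011121314151617
SAMPLE_E = 65537
SAMPLE_CREATED = 1506603637  # constructed creation timestamp

SAMPLE_BODY = rsa_v4_public_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
SAMPLE_FPR = v4_fingerprint(SAMPLE_BODY)

if __name__ == "__main__":
    print("fingerprint       :", SAMPLE_FPR)
    print("long keyid        :", long_keyid(SAMPLE_FPR))
    print("short keyid       :", short_keyid(SAMPLE_FPR))
    # The fingerprint is a hash, not a slice of the key: the last 20 bytes of
    # the packet body differ from it, and changing only the creation time
    # (n and e unchanged) yields a different fingerprint.
    print("last 20 key bytes :", SAMPLE_BODY[-20:].hex().upper())
    other = v4_fingerprint(rsa_v4_public_key_body(SAMPLE_CREATED + 1, SAMPLE_N, SAMPLE_E))
    print("changed time only :", other)
```

Running the script shows why the original man page wording was misleading: the last 20 bytes of the key packet and the fingerprint are unrelated values, and two keys with identical RSA parameters but different creation times have different fingerprints. The `fingerprint_matches` check refuses anything shorter than the full fingerprint, so a short or long keyid obtained from a keyserver can never stand in for the trusted value.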
