Hello, On Fri 21 Feb 2025 at 04:33pm -07, Sam Hartman wrote:
>>>>>> "Sean" == Sean Whitton <spwhit...@spwhitton.name> writes: > > Sean> It's from the VALIDSIG line as documented here: > Sean> <https://github.com/gpg/gnupg/blob/master/doc/DETAILS>. > > Sean> The text there doesn't guarantee that the fingerprint will be > Sean> the signing subkey, if there is one, but somewhat implies that > Sean> it will be. > > FWIW, I think we should explore how the data is used. > My gut feeling is that we kind of do need to tie ourselves down here for > it to be useful, and that we probably do need it to be the subkey > fingerprint to avoid users having to do a lot of extra work. > I'd be open to exploring how we think this field will be used by > people trying to audit/verify the archive, but at this time I cannot be > part of a consensus that is not specific. > > My assumption is that the value of this field is to help auditing to tie > back to a particular key or subkey. In some cases the subkey will > matter for example if we are concerned that is what is compromised. > > In cases where we still trust the tag2upload service, it would be > valuable not to have to go back to the tag itself, and so I think it is > valuable to be able to trust at an interface level that it is the subkey > we are talking about. I think you're probably right that the subkey fingerprint is more useful to have in the field, and I think that's what we're already doing. It's just that DETAILS isn't worded completely unambiguously. Did you take a look at that file? -- Sean Whitton
signature.asc
Description: PGP signature
