Web lists-archives.com

Re: [PATCH 2/2] t/t7510-signed-commit.sh: add signing subkey to Eris Discordia key

On Mon, 2018-11-05 at 10:08 +0900, Junio C Hamano wrote:
> Michał Górny <mgorny@xxxxxxxxxx> writes:
> > > It's my understanding that GnuPG will use the most recent subkey
> > > suitable for a particular purpose, and I think the test relies on that
> > > behavior.  However, I'm not sure that's documented.  Do we want to rely
> > > on that behavior or be more explicit?  (This is a question, not an
> > > opinion.)
> > 
> > To be honest, I don't recall which suitable subkey is used.  However, it
> > definitely will prefer a subkey with signing capabilities over
> > the primary key if one is present, and this is well-known and expected
> > behavior.
> > 
> > In fact, if you have a key with two signing subkeys A and B and it
> > considers A better, then even if you explicitly pass keyid of B, it will
> > use A.  To force another subkey you have to append '!' to keyid.
> > 
> > Therefore, I think this is a behavior we can rely on.
> I didn't check how the signing key configuration is done in the test
> sript (which is outside the patch context), but do you mean that we
> create these signed objects by specifying which key to use with a
> keyid with "!"  appended?  If so I agree that would make sense,
> because we would then know which subkey should be used for signing
> and checking with %GF/%GP would be a good way to do so.

No, we don't have duplicate subkeys to be required to use that.  Some of
the tests use explicit '-S<keyid>' to force using the other key; other
seem to use a default key (I can't find a place where the default would
be set, so I suppose it's GnuPG default).

Best regards,
Michał Górny

Attachment: signature.asc
Description: This is a digitally signed message part