openpgp: 'verify-openpgp-signature' looks up by fingerprint when possible.
* guix/openpgp.scm (verify-openpgp-signature): Use 'lookup-key-by-fingerprint' when SIG contains a fingerprint. Honor FINGERPRINT in the 'find' predicate. Upon missing-key, return FINGERPRINT if available.
* tests/openpgp.scm ("verify-openpgp-signature, missing key"): Adjust expected value accordingly.
parent
efe1f0122c
commit
b45fa0a123
|
@ -564,16 +564,23 @@ the issuer's OpenPGP public key extracted from KEYRING."
|
|||
|
||||
;; TODO: Support SIGNATURE-TEXT.
|
||||
(if (= (openpgp-signature-type sig) SIGNATURE-BINARY)
|
||||
(let* ((issuer (openpgp-signature-issuer-key-id sig))
|
||||
(key-data (lookup-key-by-id keyring issuer)))
|
||||
(let* ((id (openpgp-signature-issuer-key-id sig))
|
||||
(fingerprint (openpgp-signature-issuer-fingerprint sig))
|
||||
(key-data (if fingerprint
|
||||
(lookup-key-by-fingerprint keyring fingerprint)
|
||||
(lookup-key-by-id keyring id))))
|
||||
;; Find the primary key or subkey that made the signature.
|
||||
(let ((key (find (lambda (k)
|
||||
(and (openpgp-public-key? k)
|
||||
(= (openpgp-public-key-id k) issuer)))
|
||||
(if fingerprint
|
||||
(bytevector=?
|
||||
(openpgp-public-key-fingerprint k)
|
||||
fingerprint)
|
||||
(= (openpgp-public-key-id k) id))))
|
||||
key-data)))
|
||||
(if key
|
||||
(check key sig)
|
||||
(values 'missing-key issuer))))
|
||||
(values 'missing-key (or fingerprint id)))))
|
||||
(values 'unsupported-signature sig)))
|
||||
|
||||
(define (key-id-matches-fingerprint? key-id fingerprint)
|
||||
|
|
|
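Review bot: On the missing-key path, `(values 'missing-key (or fingerprint id))` now returns a second value of two different kinds: a fingerprint bytevector when the signature carries an issuer fingerprint (it is compared with `bytevector=?`), and otherwise the numeric key ID (compared with `=`). Callers that print or compare that value as a key ID have to handle both shapes. The docstring lies above the hunk and should say so, for example `On 'missing-key, the second value is the issuer fingerprint (a bytevector) if SIG has one, else the issuer key ID (an integer).` A short comment at `key-data` would also help, noting that there is deliberately no fallback to `lookup-key-by-id` once a fingerprint is present. Presumably this is because short key IDs can collide, and the comment would stop a later change from reintroducing the weaker lookup.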
@ -192,7 +192,7 @@ Pz7oopeN72xgggYUNT37ezqN3MeCqw0=
|
|||
%hello-signature/ed25519/sha1)))
|
||||
|
||||
(test-equal "verify-openpgp-signature, missing key"
|
||||
`(missing-key ,%rsa-key-id)
|
||||
`(missing-key ,%rsa-key-fingerprint)
|
||||
(let* ((keyring (get-openpgp-keyring (%make-void-port "r")))
|
||||
(signature (get-openpgp-packet
|
||||
(open-bytevector-input-port
|
||||
|
|
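Review bot: The adjusted expectation `(missing-key ,%rsa-key-fingerprint)` covers only the branch where the signature carries an issuer fingerprint, so the `id` fallback of `(or fingerprint id)` is no longer pinned by this test. If the test data has, or can get, a signature without an issuer-fingerprint subpacket, a sibling `test-equal` expecting `(missing-key ,%rsa-key-id)` would keep both return shapes covered. The test body continues past the end of the hunk, so whether another test already does this is not visible here.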