
#239 wrong fingerprint displayed when "fingerprint" in gpg.conf

fixed
nobody
None
1.5.1
Minor
17.0.10-1~deb7u1
1.4.12
Linux
1.7.0
nobody
2014-07-10
2014-01-09
julm
No

STEPS TO REPRODUCE:
put "fingerprint" or "with-fingerprint" in ~/.gnupg/gpg.conf,
and check in enigmail the properties of a primary key having a subkey.
EXPECTING: fingerprint of the primary key being displayed.
PROBLEM: fingerprint of the last subkey is displayed.

Discussion

  • Ludwig Hügelschäfer

    I can reproduce this. Thanks for the report!

     
  • Ludwig Hügelschäfer

    Enigmail uses the following command to retrieve the key properties (relevant parameters only):

    gpg --with-fingerprint --fixed-list-mode --with-colons --list-sig <key-id>

    If there is a "with-fingerprint" in the gpg.conf file, then it will -among all the other key parts- print the fingerprint of first the primary and then the subkey, otherwise only the fingerprint of the primary.

    Enigmail will record the last occurrence of a fingerprint line, so it shows the fingerprint of the subkey.

    The question is, whether the gpg output as it is meets the expectations of the gpg developers. On the other hand, Enigmail could only record the first fingerprint in the output.

     
  • julm

    julm - 2014-01-09

    I think Enigmail should effectively use the first :fpr: line after the wanted :pub: line.
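
The difference between recording the last fingerprint line and taking the first `fpr` record after the wanted `pub` record, as an added example (not Enigmail's code and not the patch mentioned later in this ticket). The sample output is constructed, and the function names are hypothetical:

```javascript
// Added example, not Enigmail's code. SAMPLE is constructed (fake key IDs and
// fingerprints) in the record layout of `gpg --with-colons` when fingerprints
// are printed for both the primary key and the subkey.
const SAMPLE = [
  "pub:u:2048:1:1111111111111111:1388534400:::u:::scESC:",
  "fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:",
  "uid:u::::1388534400::::Alice Example (constructed):",
  "sub:u:2048:1:2222222222222222:1388534400::::::e:",
  "fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:",
].join("\n");

// Behaviour described in the ticket: every fpr record overwrites the previous
// one, so the subkey fingerprint is what ends up being shown.
function lastFingerprint(colonOutput) {
  let fpr = null;
  for (const line of colonOutput.split(/\r?\n/)) {
    const f = line.split(":");
    if (f[0] === "fpr") fpr = f[9];
  }
  return fpr;
}

// Suggested behaviour: attach each fpr record to the pub/sub record it follows.
function parseKeys(colonOutput) {
  const keys = [];
  let key = null, target = null;
  for (const line of colonOutput.split(/\r?\n/)) {
    const f = line.split(":");
    if (f[0] === "pub" || f[0] === "sec") {
      key = target = { keyId: f[4], fpr: null, subkeys: [] };
      keys.push(key);
    } else if ((f[0] === "sub" || f[0] === "ssb") && key) {
      target = { keyId: f[4], fpr: null };
      key.subkeys.push(target);
    } else if (f[0] === "fpr" && target && target.fpr === null) {
      target.fpr = f[9]; // field 10 of an fpr record holds the fingerprint
    }
  }
  return keys;
}

// Fingerprint of the primary key whose long key ID is keyId, or null.
function primaryFingerprint(colonOutput, keyId) {
  const key = parseKeys(colonOutput).find(k => k.keyId === keyId.toUpperCase());
  return key ? key.fpr : null;
}

console.log(lastFingerprint(SAMPLE), primaryFingerprint(SAMPLE, "1111111111111111"));
```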

     
  • Patrick Brunschwig

    • status: open --> wont-fix
     
  • Patrick Brunschwig

    You should not add "with-fingerprint" to gpg.conf.

    Enigmail expects fingerprint information for some results, but not for all. The output format in GnuPG is such that the interpretation depends on how you specify the parameters. I.e. one cannot interpret the output of GnuPG 100% correctly without knowing all command line (and gpg.conf) options.

    As there is no "--no-fingerprint" option for GnuPG, Enigmail expects that "with-fingerprint" is not a permanent option in gpg.conf.

     
  • julm

    julm - 2014-01-10

    https://tools.ietf.org/html/rfc4880#section-11
    OpenPGP packets are assembled into sequences in order to create
    messages and to transfer keys. Not all possible packet sequences are
    meaningful and correct.

    gpg --with-colons follows this order, and thus the first fpr: following the pub: should be taken here.

    It is by the way considered best practice to add 'fingerprint' to gpg.conf:
    https://we.riseup.net/debian/openpgp-best-practices#update-your-gpg-defaults

     
  • Daniel Kahn Gillmor

    even if enigmail breaks in other places when "fingerprint" is present in gpg.conf, i don't see why we should avoid fixing the problem in this location, when the fix is clearly correct.

     
  • Patrick Brunschwig

    • status: wont-fix --> fixed
    • Fixed in version: --- --> 1.6.1
     
  • Patrick Brunschwig

    Fixed on trunk by Daniel's patch.

     
  • julm

    julm - 2014-01-11

    thank you all :)

     
  • Patrick Brunschwig

    • Fixed in version: 1.6.1 --> 1.7.0
     
