lib/Horde/Crypt/Pgp.php: Shorten long PGP key IDs to 16 digits (inste… #6

Merged
merged 1 commit into from
Nov 17, 2022


sunweaver
Contributor

…ad of deprecated 8 digits).

Newer keyserver implementations return a "400 Bad Request" error if
8-digit-key-IDs are queried (e.g. keys.openpgp.org).

@yunosh
Member

yunosh commented Nov 17, 2022

Please make returning 16 instead of 8 characters a choice by parameter to that method, defaulting to the old behaviour, and only using 16 when querying the keyserver.

@sunweaver
Contributor Author

Urgh, we could do this, but why? All modern GPGs have, for at least five years, rejected processing of 8-digit GPG short forms of the fingerprint.

Several years ago, some university researchers iirc from the Netherlands showed that it is easy/possible to create GPG keys matching the last 8 digits of well-known fingerprints (they scanned the web-of-trust, took keys with many signatures and tried to create keys with similar looking fingerprints). They did that with several GPG keys belonging to Debian developers. Since then, 8-digit short forms for fingerprints are really outdated and are not supported anymore.

Please adjust the patch if needed, I don't have time for it atm. (and don't see the point in it, honestly).
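
The short-ID versus long-ID distinction discussed in this thread, as an added example (not code from this pull request or from Horde). The helper names `longKeyId()` and `hkpLookupUrl()` and the sample fingerprints are assumptions made up for illustration; the lookup path follows the HKP convention `/pks/lookup?op=get&search=0x…`.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of Horde_Crypt_Pgp): reduce a v4 fingerprint
 * or key ID to the 16-hex-digit long key ID. For v4 keys the key ID is the
 * low-order 64 bits of the 160-bit fingerprint (RFC 4880, section 12.2).
 */
function longKeyId(string $input): string
{
    // Accept a "0x" prefix and the space-grouped form that gpg prints.
    $hex = strtoupper((string) preg_replace('/^0x|\s+/i', '', trim($input)));
    if (!ctype_xdigit($hex)) {
        throw new InvalidArgumentException('not a hexadecimal key ID or fingerprint');
    }
    switch (strlen($hex)) {
        case 40: // full v4 fingerprint
        case 16: // already a long key ID
            return substr($hex, -16);
        case 8:  // 32-bit short ID: cannot be extended, so refuse it
            throw new InvalidArgumentException('8-digit short key IDs are refused');
        default:
            throw new InvalidArgumentException('unexpected key ID length');
    }
}

/** Hypothetical helper: build an HKP lookup URL that always carries a 16-digit ID. */
function hkpLookupUrl(string $host, string $idOrFingerprint): string
{
    return 'https://' . $host . '/pks/lookup?op=get&options=mr&search=0x'
        . longKeyId($idOrFingerprint);
}

// Constructed sample fingerprints (not real keys) that share the last 8 digits.
$genuine   = '1111 2222 3333 4444 5555  6666 7777 8888 DEAD BEEF';
$lookalike = '9999 AAAA BBBB CCCC DDDD  EEEE FFFF 0000 DEAD BEEF';

foreach ([$genuine, $lookalike] as $fpr) {
    $long = longKeyId($fpr);
    // The 8-digit form is identical for both keys; the 16-digit form is not.
    printf("short=%s long=%s\n", substr($long, -8), $long);
}
echo hkpLookupUrl('keys.openpgp.org', $genuine), "\n";

try {
    longKeyId('0xDEADBEEF');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

A 16-digit key ID is still only a lookup handle; comparing the full fingerprint of the returned key is what confirms it is the intended one.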

@yunosh
Member

yunosh commented Nov 17, 2022

Good point, even though it's debatable whether this is an API break.

@sunweaver
Contributor Author

sunweaver commented Nov 17, 2022

> Good point, even though it's debatable whether this is an API break.

It definitely is an API breakage, but the whole thing broke world-wide.

And: thanks for looking into these PRs and maintaining Horde. I will try to do my best to keep Horde in Debian although its PHP 8.2 support is very bad currently (and next Debian stable aka bookworm will ship PHP 8.2).

@yunosh
Member

yunosh commented Nov 17, 2022

We are working on full PHP 8.x support too now

@sunweaver
Contributor Author

> We are working on full PHP 8.x support too now

Please take a look at the patches in the packaging repos [1] then. I did php unit test 8.x/9.x fixes already for Debian 11. With PHP 8.x I am not there, yet. I will mail you / the mailing list directly for better coordination of efforts (because this is OT here).

[1] https://salsa.debian.org/horde-team (each repo has a debian/patches/ folder with many, many patches)

@yunosh yunosh merged commit 5326f41 into horde:master Nov 17, 2022
yunosh added a commit that referenced this pull request Nov 17, 2022
yunosh added a commit that referenced this pull request Nov 17, 2022