
Can't specify master key fingerprint in keys map file if sub key is used for signing. #30

Closed
m50d opened this issue Dec 28, 2017 · 10 comments
Labels
enhancement New feature or request.
Comments

@m50d

m50d commented Dec 28, 2017

E.g. the key used to sign junit: https://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0xEFE8086F9E93774E

With junit=0xEFE8086F9E93774E in keys map file:

[INFO] junit:junit:pom:4.12 PGP Signature OK
KeyId: 0xEFE8086F9E93774E UserIds: []

With junit=0x58E79B6ABC762159DC0B1591164BD2247B936711 in keys map file:

[ERROR] Not allowed artifact junit:junit:pom:4.12 and keyID:
junit:junit:4.12=0xEFE8086F9E93774E
https://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0xEFE8086F9E93774E

It seems like although for most keys the id is the last few characters of the fingerprint, this isn't always true?

@slawekjaranowski slawekjaranowski added the enhancement label Dec 29, 2017
@slawekjaranowski
Member

The key ID is always a part of the fingerprint.

One PGP key can contain a master key and some subkeys.
In this case the artifact is signed by one of the subkeys, but you try to provide the fingerprint of the master key.

Almost all artifacts are signed by the master key, so the problem has not occurred.

We should correct this.

Below is the output from gpg:

$ gpg --verify-files junit-4.12.pom.asc 
gpg: assuming signed data in 'junit-4.12.pom'
gpg: Signature made Thu Dec  4 17:17:33 2014 CET
gpg:                using RSA key EFE8086F9E93774E
gpg: Good signature from "Marc Philipp (JUnit Development, 2014) <mail@marcphilipp.de>"
Primary key fingerprint: 58E7 9B6A BC76 2159 DC0B  1591 164B D224 7B93 6711
     Subkey fingerprint: D4C8 9EA4 AAF4 55FD 88B2  2087 EFE8 086F 9E93 774E

@exabrial

What needs to be done to support subkeys? I'm guessing on the retrieval side, you just need to iterate through the subkeys and push any keys with the signing flag set into the cache. If you can describe how you'd like it done, I could take a crack at it.

@exabrial

exabrial commented Jul 2, 2018

@slawekjaranowski Still willing to work on supporting subkeys if you'd like :)

@m50d
Author

m50d commented Jul 28, 2018

I had a quick look through the code but couldn't see what exactly needs to happen. The use case looks like: given an artifact, a signature, and a key fingerprint, confirm that this is a valid signature of that artifact by a key with that fingerprint. So one needs to fetch the key based on the signature, and then somehow get from that to the fingerprint of the primary key rather than the subkey. But I don't understand the API the existing code is using well enough to say what (if anything) is missing.
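The following is an added illustration, not code from pgpverify-maven-plugin, of the resolution step described in the two comments above: a signature names only the 64-bit key ID of the key that made it (gpg's "using RSA key EFE8086F9E93774E" line), that key ID is the low 64 bits of the v4 fingerprint of the *signing* key, and when the signer is a subkey the fingerprint a user wants to pin is the primary key's, which can only be found by walking the key block the subkey belongs to. The code computes RFC 4880 v4 fingerprints from raw packets, maps an issuer key ID to the primary fingerprint, and then applies a keys-map style check that accepts either the signing key or its primary key. The key material is constructed inline and is not a real key; the function names and the keys-map matching rule are assumptions for this example, not the plugin's API.

```python
# Added example (not the plugin's code): walk an OpenPGP public key block,
# compute v4 fingerprints (RFC 4880 section 12.2) for the primary key and each
# subkey, and map a signature's issuer key ID back to the primary fingerprint.
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (bit count + big-endian bytes)."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack(">H", value.bit_length()) + body


def v4_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA public-key (tag 6) or public-subkey (tag 14) packet."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header with a two-byte length (tag 6 -> 0x99, tag 14 -> 0xB9)."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the two-byte body length and the key body; same rule for subkeys."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 bytes, i.e. the last 16 hex digits, of the fingerprint."""
    return fingerprint[-16:]


def parse_key_block(data: bytes) -> dict:
    """Return {'primary': fp, 'subkeys': [fp, ...]} for the key packets in a block.
    Only old-format headers with 1/2/4-byte lengths are handled, which is enough here.
    Binding signatures are skipped: a real verifier must check them (gpg does), or
    anyone could append a foreign subkey packet to a trusted key block."""
    primary, subkeys, pos = None, [], 0
    while pos < len(data):
        hdr = data[pos]
        if (hdr & 0xC0) != 0x80:
            raise ValueError("only old-format packet headers are handled here")
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length not supported")
        nlen = (1, 2, 4)[ltype]
        length = int.from_bytes(data[pos + 1:pos + 1 + nlen], "big")
        body = data[pos + 1 + nlen:pos + 1 + nlen + length]
        pos += 1 + nlen + length
        if tag == 6:
            primary = v4_fingerprint(body)
        elif tag == 14:
            subkeys.append(v4_fingerprint(body))
        # tag 13 (user ID) and tag 2 (signature) packets are ignored in this example
    if primary is None:
        raise ValueError("no primary key packet in block")
    return {"primary": primary, "subkeys": subkeys}


def issuer_to_primary(issuer_key_id: str, keyblock: dict):
    """Map the key ID named in a signature to the primary fingerprint of the block it belongs to."""
    wanted = issuer_key_id.upper()
    for fp in [keyblock["primary"], *keyblock["subkeys"]]:
        if key_id(fp) == wanted:
            return keyblock["primary"]
    return None  # issuer not in this key block


def keys_map_allows(configured: str, issuer_key_id: str, keyblock: dict) -> bool:
    """Assumed matching rule: a keys-map entry ('0x' + key ID or full fingerprint) is
    accepted if it names the signing key or that key's primary key."""
    wanted = configured.strip().upper().replace(" ", "")
    if wanted.startswith("0X"):
        wanted = wanted[2:]
    primary = issuer_to_primary(issuer_key_id, keyblock)
    if primary is None:
        return False
    signing = next(fp for fp in [primary, *keyblock["subkeys"]] if key_id(fp) == issuer_key_id.upper())
    return wanted in {primary, key_id(primary), signing, key_id(signing)}


# Constructed sample key material (not a real key; moduli chosen only so the packets
# parse). The subkey has a different modulus, so its fingerprint and key ID differ.
SAMPLE_BLOCK = (
    packet(6, v4_key_body(0x5A000000, (1 << 1023) | 0x30003, 65537))
    + packet(13, b"Example Signer (constructed) <signer@example.invalid>")
    + packet(14, v4_key_body(0x5A000010, (1 << 1023) | 0x70007, 65537))
)
KEYBLOCK = parse_key_block(SAMPLE_BLOCK)

if __name__ == "__main__":
    sub = KEYBLOCK["subkeys"][0]
    print("primary fingerprint:", KEYBLOCK["primary"])
    print("subkey fingerprint: ", sub, "-> signature names key ID", key_id(sub))
    print("resolved primary:   ", issuer_to_primary(key_id(sub), KEYBLOCK))
    print("pin by primary fpr: ", keys_map_allows("0x" + KEYBLOCK["primary"], key_id(sub), KEYBLOCK))
```

Applied to the gpg output earlier in this thread, `key_id("58E79B6ABC762159DC0B1591164BD2247B936711")` gives `164BD2247B936711` and `key_id("D4C89EA4AAF455FD88B22087EFE8086F9E93774E")` gives `EFE8086F9E93774E`, which is why pinning the primary fingerprint fails when only the signing key's ID is compared.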

@slawekjaranowski
Member

Next example:

ognl:ognl:jar:3.1.12 PGP Signature OK
      KeyId: 0x8926173648953916A0A4F290F721C545D0CAA2E3 UserIds: []

@slawekjaranowski slawekjaranowski changed the title Can't specify key fingerprint in keys map file if key ID isn't the end of it Can't specify master key fingerprint in keys map file if sub key is used for signing. Dec 22, 2019
@exabrial

Maven Central now allows signing with ECDSA and also with Subkeys. I feel like we're going to see this become more and more of a problem.

At one point I had started a similar plugin to this one that called out to native gpg and that solved the problem.

@slawekjaranowski
Member

@exabrial - Do you have an example of an artifact signed with ECDSA?

@exabrial

Yeah. You can use one of my other projects as an example: https://repo1.maven.org/maven2/com/github/exabrial/form-binding/1.2.0/

slawekjaranowski added a commit that referenced this issue Dec 28, 2019
@slawekjaranowski
Member

I confirm by test that ECDSA keys are working.

@exabrial

Nice. That artifact isn't signed with a subkey, but it's great to see ECDSA working!

@slawekjaranowski slawekjaranowski added this to the v1.6.0 milestone Jan 14, 2020
slawekjaranowski added a commit that referenced this issue Jan 18, 2020
pzygielo pushed a commit to pzygielo/pgpverify-maven-plugin that referenced this issue May 31, 2024
Dependencies are now processed asynchronously by an Executor

This closes s4u#30