diff --git a/guix/openpgp.scm b/guix/openpgp.scm index 8479f8a168..a871eb1a16 100644 --- a/guix/openpgp.scm +++ b/guix/openpgp.scm @@ -564,16 +564,23 @@ the issuer's OpenPGP public key extracted from KEYRING." ;; TODO: Support SIGNATURE-TEXT. (if (= (openpgp-signature-type sig) SIGNATURE-BINARY) - (let* ((issuer (openpgp-signature-issuer-key-id sig)) - (key-data (lookup-key-by-id keyring issuer))) + (let* ((id (openpgp-signature-issuer-key-id sig)) + (fingerprint (openpgp-signature-issuer-fingerprint sig)) + (key-data (if fingerprint + (lookup-key-by-fingerprint keyring fingerprint) + (lookup-key-by-id keyring id)))) ;; Find the primary key or subkey that made the signature. (let ((key (find (lambda (k) (and (openpgp-public-key? k) - (= (openpgp-public-key-id k) issuer))) + (if fingerprint + (bytevector=? + (openpgp-public-key-fingerprint k) + fingerprint) + (= (openpgp-public-key-id k) id)))) key-data))) (if key (check key sig) - (values 'missing-key issuer)))) + (values 'missing-key (or fingerprint id))))) (values 'unsupported-signature sig))) (define (key-id-matches-fingerprint? key-id fingerprint) diff --git a/tests/openpgp.scm b/tests/openpgp.scm index eac2e88f74..cc5e6cbcf7 100644 --- a/tests/openpgp.scm +++ b/tests/openpgp.scm @@ -192,7 +192,7 @@ Pz7oopeN72xgggYUNT37ezqN3MeCqw0= %hello-signature/ed25519/sha1))) (test-equal "verify-openpgp-signature, missing key" - `(missing-key ,%rsa-key-id) + `(missing-key ,%rsa-key-fingerprint) (let* ((keyring (get-openpgp-keyring (%make-void-port "r"))) (signature (get-openpgp-packet (open-bytevector-input-port