openpgp: 'verify-openpgp-signature' looks up by fingerprint when possible.

* guix/openpgp.scm (verify-openpgp-signature): Use
'lookup-key-by-fingerprint' when SIG contains a fingerprint.
Honor FINGERPRINT in the 'find' predicate.  Upon missing-key, return
FINGERPRINT if available.
* tests/openpgp.scm ("verify-openpgp-signature, missing key"): Adjust
expected value accordingly.
Ludovic Courtès 2020-04-26 23:27:36 +02:00
parent efe1f0122c
commit b45fa0a123
2 changed files with 12 additions and 5 deletions

@ -564,16 +564,23 @@ the issuer's OpenPGP public key extracted from KEYRING."
;; TODO: Support SIGNATURE-TEXT. ;; TODO: Support SIGNATURE-TEXT.
(if (= (openpgp-signature-type sig) SIGNATURE-BINARY) (if (= (openpgp-signature-type sig) SIGNATURE-BINARY)
(let* ((issuer (openpgp-signature-issuer-key-id sig)) (let* ((id (openpgp-signature-issuer-key-id sig))
(key-data (lookup-key-by-id keyring issuer))) (fingerprint (openpgp-signature-issuer-fingerprint sig))
(key-data (if fingerprint
(lookup-key-by-fingerprint keyring fingerprint)
(lookup-key-by-id keyring id))))
;; Find the primary key or subkey that made the signature. ;; Find the primary key or subkey that made the signature.
(let ((key (find (lambda (k) (let ((key (find (lambda (k)
(and (openpgp-public-key? k) (and (openpgp-public-key? k)
(= (openpgp-public-key-id k) issuer))) (if fingerprint
(bytevector=?
(openpgp-public-key-fingerprint k)
fingerprint)
(= (openpgp-public-key-id k) id))))
key-data))) key-data)))
(if key (if key
(check key sig) (check key sig)
(values 'missing-key issuer)))) (values 'missing-key (or fingerprint id)))))
(values 'unsupported-signature sig))) (values 'unsupported-signature sig)))
(define (key-id-matches-fingerprint? key-id fingerprint) (define (key-id-matches-fingerprint? key-id fingerprint)
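Review bot: The second value returned with 'missing-key now changes type depending on the signature: a bytevector when SIG carries an issuer fingerprint, a 64-bit key ID otherwise, and nothing in the hunk documents that, so callers that format or compare that value as a key ID (not visible here) may break on the bytevector case. The function's docstring starts above the hunk; it should state the new contract, and a short comment next to the `(values 'missing-key (or fingerprint id))` line would help, e.g. `;; Prefer the fingerprint so callers can fetch the exact key; fall back to the key ID for signatures without an issuer-fingerprint subpacket.` The issuer fingerprint and key ID are only lookup hints from the signature packet, which is fine here because 'check' still validates the chosen key against SIG; when both hints are present and disagree, the code silently ignores the key ID, and a comment noting that 'key-id-matches-fingerprint?' (defined right below) could be used to flag such inconsistent signature packets would make the trust boundary explicit. verify-openpgp-signature's definition and docstring begin outside the hunk.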

@ -192,7 +192,7 @@ Pz7oopeN72xgggYUNT37ezqN3MeCqw0=
%hello-signature/ed25519/sha1))) %hello-signature/ed25519/sha1)))
(test-equal "verify-openpgp-signature, missing key" (test-equal "verify-openpgp-signature, missing key"
`(missing-key ,%rsa-key-id) `(missing-key ,%rsa-key-fingerprint)
(let* ((keyring (get-openpgp-keyring (%make-void-port "r"))) (let* ((keyring (get-openpgp-keyring (%make-void-port "r")))
(signature (get-openpgp-packet (signature (get-openpgp-packet
(open-bytevector-input-port (open-bytevector-input-port