Page MenuHome GnuPG

tsign behavior does not achieve what dkg says it should
Closed, DuplicatePublic


According to dkg, the tsign domain parameter means

"limit this trust signature to only cover certifications of User IDs with e-mail
addresses that have the given domain after the @ sign"

However, when used, this does not achieve the desired effect.



Event Timeline

clint set Version to 1.4.20.
clint added a subscriber: clint.

Hi Clint,

Out of curiosity, have you tried this on 2.1?

I realize this is probably very easy to reproduce, but could you nevertheless
list the commands that you used to show the bug?


I have not tried this on 2.1.

To reproduce

% gpg --recv-keys 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9


    % gpg --edit-key 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9
    tsign with 2 (I trust fully), depth 1, domain ""
    Check validity of 74D1153FB159BB3D1BAC641CAC504BE650012B98

If you make the trust signature without a domain specified,
74D1153FB159BB3D1BAC641CAC504BE650012B98 will appear as "full". With the domain
specified, it appears as "unknown".

Note that T2923 includes a patch that might help.

I confirmed this is same bug in T2923: trust signature domain restrictions don't work, I am closing this one as duplicate.

If you type "ACLU.ORG" (upper letters), it works.