
gpgv should emit a status line with full issuer fingerprint, if it is present in the key.
Open, Wishlist, Public

Description

Consider this attempt to verify a signature which is clearly going to fail:

0 dkg@alice:/tmp/cdtemp.BZEeKj$ gpgv --keyring /dev/null --status-fd 4 test.txt.sig test.txt 4>status
gpgv: Signature made Tue 15 Aug 2017 12:21:22 PM EDT
gpgv:                using RSA key 38276051EA477FA3E49539321498ADC6C1923237
gpgv: Can't check signature: No public key
2 dkg@alice:/tmp/cdtemp.BZEeKj$ cat status 
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 1498ADC6C1923237 1 10 00 1502814082 9
[GNUPG:] NO_PUBKEY 1498ADC6C1923237
0 dkg@alice:/tmp/cdtemp.BZEeKj$

stderr reports the full fingerprint of the claimed issuer, but the status line does not. I assume it's possible to emit this on stderr because there is an issuer-fingerprint subpacket in the signature.

It would be great for gpgv to report that issuer-fingerprint subpacket in the status line, in the same way that it reports the long key ID.

Details

Version
2.1.23

Event Timeline

As part of switching debsig-verify from using --list-packets to gpg with --list-keys --with-colons and gpgv, it would be helpful to eventually be able to get the fingerprint instead of the keyid. This is needed because debsig-verify uses the keyid to select which one of its policy files it has to load, to apply for the subsequent actual verification of the .deb package.

From reading the DETAILS file, it seems both the ERRSIG and NO_PUBKEY (among others) are specified as using the keyid instead of the long keyid or the fingerprint, so I'm not sure how feasible it would be to emit the fingerprint here. Maybe a new status would need to be emitted.

justus triaged this task as Wishlist priority. Aug 21 2017, 11:33 AM
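Added example, not code from this ticket, from GnuPG or from debsig-verify: a small parser for the `--status-fd` lines shown in the description, plus the policy-key match a consumer such as debsig-verify has to do, illustrating why the 64-bit key ID that ERRSIG and NO_PUBKEY carry in 2.1.23 is a weaker selector than the full fingerprint gpgv already prints on stderr. The meaning of the ERRSIG `rc` values is taken from GnuPG's doc/DETAILS; the key ID and fingerprint are the ones from the transcript, and the status lines are embedded as constructed input.

```python
import re
from dataclasses import dataclass

# Status-fd lines copied from the gpgv 2.1.23 transcript in this ticket (constructed input).
STATUS_FD_OUTPUT = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 1498ADC6C1923237 1 10 00 1502814082 9
[GNUPG:] NO_PUBKEY 1498ADC6C1923237
"""

# Meaning of the ERRSIG <rc> field as documented in GnuPG's doc/DETAILS.
ERRSIG_RC = {4: "unsupported algorithm", 9: "missing public key"}
# A key identifier is a short key ID, a long key ID or a v4 fingerprint (hex).
HEX_KEY = re.compile(r"[0-9A-F]{8}|[0-9A-F]{16}|[0-9A-F]{40}")

@dataclass
class ErrSig:
    keyid: str       # long key ID; gpgv 2.1.23 never puts the fingerprint here
    pkalgo: int      # OpenPGP public-key algorithm id (1 = RSA)
    hashalgo: int    # OpenPGP hash algorithm id (10 = SHA-512)
    sig_class: str   # two-digit hex signature class
    timestamp: int   # signature creation time, seconds since the epoch
    rc: int          # see ERRSIG_RC

def status_lines(text):
    """Yield (keyword, args) for every '[GNUPG:]' line and ignore anything else on the fd."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            yield parts[1], parts[2:]

def parse_errsig(text):
    """Return the first ERRSIG on the fd as an ErrSig, or None if there is none."""
    for keyword, args in status_lines(text):
        if keyword == "ERRSIG" and len(args) >= 6:
            keyid, pkalgo, hashalgo, sig_class, ts, rc = args[:6]
            return ErrSig(keyid, int(pkalgo), int(hashalgo), sig_class, int(ts), int(rc))
    return None

def issuer_match(claimed, policy_key):
    """Compare the issuer gpgv reported with the identifier a policy file is keyed on.
    Returns 'fingerprint' for an exact 40-digit match, 'keyid' when only the trailing
    64 bits could be compared (all ERRSIG/NO_PUBKEY offer here), else None."""
    claimed, policy_key = claimed.upper(), policy_key.upper()
    if not (HEX_KEY.fullmatch(claimed) and HEX_KEY.fullmatch(policy_key)):
        raise ValueError("key identifier must be 8, 16 or 40 hex digits")
    if len(claimed) == 40 and len(policy_key) == 40:
        return "fingerprint" if claimed == policy_key else None
    n = min(len(claimed), len(policy_key))  # a long key ID is the fingerprint's last 16 digits
    return "keyid" if claimed[-n:] == policy_key[-n:] else None
```

Two distinct 40-digit fingerprints that share their last 16 hex digits are told apart only by the `fingerprint` match; with the key ID alone, `issuer_match` can do no better than `keyid`.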