220.127.116.11. Issuer Fingerprint (1 octet key version number, N octets of fingerprint) The OpenPGP Key fingerprint of the key issuing the signature. This subpacket SHOULD be included in all signatures. If the version of the issuing key is 4 and an Issuer subpacket is also included in the signature, the key ID of the Issuer subpacket MUST match the low 64 bits of the fingerprint.
That suggests that the Issuer subpacket is optional, and indeed it MUST NOT be included in v5 signatures. However, GnuPG fails to verify signatures that have a issuer fingerprint but no issuer subpacket:
% gpg --verify hello.asc gpg: assuming signed data in 'hello' gpg: Signature made Thu 28 Jun 2018 04:43:00 PM CEST gpg: using RSA key CF23490B0F78B850BBBC7369D120B626ECABF51D gpg: Can't check signature: No public key % gpg --list-packets hello.asc # off=0 ctb=c2 tag=2 hlen=2 plen=169 new-ctb :signature packet: algo 1, keyid 0000000000000000 version 4, created 1530196980, md5len 0, sigclass 0x00 digest algo 10, begin of digest d8 9b critical hashed subpkt 2 len 4 (sig created 2018-06-28) critical hashed subpkt 33 len 21 (issuer fpr v4 CF23490B0F78B850BBBC7369D120B626ECABF51D) data: [1022 bits] % gpg --version gpg (GnuPG) 2.2.8 libgcrypt 1.8.3 ...
The signature is made using the "Test three (no pp) <firstname.lastname@example.org>" key from the GnuPG test suite. I'll attach the files and the key to the issue.