Launchpad itself

Launchpad does not accept older GPG fingerprint formats

Bug #4746 reported by Barry Warsaw
30
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Launchpad itself
Invalid
Medium
Unassigned

Bug Description

My GPG key is a 1024bit RSA key generated on 1997-12-08. gpg --fingerprint displays as this:

pub 1024R/ED9D77D5 1997-12-08
      Key fingerprint = D3 34 F2 5F D7 14 E0 90 62 03 EF 2D 7E 4A A5 98

however launchpad does not accept this fingerprint.

Revision history for this message
Daniel Silverstone (dsilvers) wrote :

Launchpad has no support for V3 RSA keys.

You must use a V4 OpenPGP key with Launchpad.

Revision history for this message
Steve Alexander (stevea) wrote :

This is a test comment, to see if I receive an automated email response from Barry.

Revision history for this message
Steve Alexander (stevea) wrote :

This is a second test comment, to see if I receive yet another automated email response from Barry.

Revision history for this message
Daniel Silverstone (dsilvers) wrote :

After some investigation and reflection, I believe it should be possible to support V3 keys by doing as follows:

If the fingerprint supplied is too short, assume it's a keyid and look that up instead. If we get > 1 key back, ask the user to choose one.

If the key is V3, record the fact in the GPGKey table by means of more DBSchema magic.

The ubuntu keyserver should "just work" with V3 keys, zeca should be easy to modify if it breaks.

The difficulty comes simply in ensuring that if a key is V3, the keyid in our GPGKey table must be unique. In that if we decide to import a GPGKey entry into the pyme context, we must be able to cope with clashes or else we must prevent them in Launchpad entirely.

There is at least one documented instance of someone's V4 32bit keyid clashing where one of the parties was at UBZ.

Revision history for this message
Dafydd Harries (daf) wrote :

How common are v3 or older fingerprints? Out of other applications that deal with GPG, how many of them support older fingerprints?

Dafydd Harries (daf)
Changed in launchpad:
status: New → NeedInfo
Revision history for this message
Wouter van Heyst (larstiq) wrote :

Fwiw, caff refuses to deal with v3 keys. I don't feel confident enough about crypto to attempt reproducing claims about why v3 keys are not safe, but Peter Palfrader can help with that.

Revision history for this message
Barry Warsaw (barry) wrote :

FWIW, I use my v3 primarily for email signing, but I now have a v4 key that I'm migrating to, even though it is (as yet) not nearly as well cross-signed as my v3 key. No sense in fixing this if I'm the only one affected by the problem.

Revision history for this message
Jens Grassel (jan0sch) wrote :

I also have the problem that I can't import my GPG Key.

I uploaded it to the keyserver successfully (http://keyserver.ubuntu.com:11371/pks/lookup?search=0x028660C5). But when entering my fingerprint launchpad says that the key can not be found.

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for Launchpad because there has been no activity for 60 days.]

Revision history for this message
Martin Pool (mbp) wrote :

see bug 961351 for giving a better message.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Related questions

Remote bug watches

Bug watches keep track of this bug in other bug trackers.