openpgp: 'verify-openpgp-signature' looks up by fingerprint when possible.

* guix/openpgp.scm (verify-openpgp-signature): Use 'lookup-key-by-fingerprint' when SIG contains a fingerprint. Honor FINGERPRINT in the 'find' predicate. Upon missing-key, return FINGERPRINT if available. * tests/openpgp.scm ("verify-openpgp-signature, missing key"): Adjust expected value accordingly.
author: Ludovic Courtès <ludo@gnu.org> 2020-04-26 23:27:36 +0200
committer: Ludovic Courtès <ludo@gnu.org> 2020-05-04 09:56:12 +0200
commit: b45fa0a123bec8d023e5520dfb381bfc73313929 (patch)
tree: 65b5f582f26f1d6de55269348588abcb3a7e1c51
parent: efe1f0122c61b8932671d07419f0200c170a994e (diff)
download: guix-b45fa0a123bec8d023e5520dfb381bfc73313929.tar.gz
2 files changed, 12 insertions, 5 deletions
diff --git a/guix/openpgp.scm b/guix/openpgp.scm
index 8479f8a168..a871eb1a16 100644
--- a/guix/openpgp.scm
+++ b/guix/openpgp.scm
@@ -564,16 +564,23 @@ the issuer's OpenPGP public key extracted from KEYRING."
 
   ;; TODO: Support SIGNATURE-TEXT.
   (if (= (openpgp-signature-type sig) SIGNATURE-BINARY)
-      (let* ((issuer   (openpgp-signature-issuer-key-id sig))
-             (key-data (lookup-key-by-id keyring issuer)))
+      (let* ((id          (openpgp-signature-issuer-key-id sig))
+             (fingerprint (openpgp-signature-issuer-fingerprint sig))
+             (key-data    (if fingerprint
+                              (lookup-key-by-fingerprint keyring fingerprint)
+                              (lookup-key-by-id keyring id))))
         ;; Find the primary key or subkey that made the signature.
         (let ((key (find (lambda (k)
                            (and (openpgp-public-key? k)
-                                (= (openpgp-public-key-id k) issuer)))
+                                (if fingerprint
+                                    (bytevector=?
+                                     (openpgp-public-key-fingerprint k)
+                                     fingerprint)
+                                    (= (openpgp-public-key-id k) id))))
                          key-data)))
           (if key
               (check key sig)
-              (values 'missing-key issuer))))
+              (values 'missing-key (or fingerprint id)))))
       (values 'unsupported-signature sig)))
 
 (define (key-id-matches-fingerprint? key-id fingerprint)
diff --git a/tests/openpgp.scm b/tests/openpgp.scm
index eac2e88f74..cc5e6cbcf7 100644
--- a/tests/openpgp.scm
+++ b/tests/openpgp.scm
@@ -192,7 +192,7 @@ Pz7oopeN72xgggYUNT37ezqN3MeCqw0=
              %hello-signature/ed25519/sha1)))
 
 (test-equal "verify-openpgp-signature, missing key"
-  `(missing-key ,%rsa-key-id)
+  `(missing-key ,%rsa-key-fingerprint)
   (let* ((keyring   (get-openpgp-keyring (%make-void-port "r")))
          (signature (get-openpgp-packet
                      (open-bytevector-input-port
author	Ludovic Courtès <ludo@gnu.org>	2020-04-26 23:27:36 +0200
committer	Ludovic Courtès <ludo@gnu.org>	2020-05-04 09:56:12 +0200
commit	b45fa0a123bec8d023e5520dfb381bfc73313929 (patch)
tree	65b5f582f26f1d6de55269348588abcb3a7e1c51
parent	efe1f0122c61b8932671d07419f0200c170a994e (diff)
download	guix-b45fa0a123bec8d023e5520dfb381bfc73313929.tar.gz