choosing sigs among several with same creation time #1197
Comments
OpenPGP.js does in fact select the newest signature if there is one, but both signatures in this key have the same creation time, so it's a bit ambiguous (OpenPGP.js currently selects the first one, but it's a bit arbitrary; we could change it by swapping a
Ah! That is ambiguous indeed. Thank you for looking into this! OpenPGP sigs have a coarse signature time (one second increments). This was a key that was created and then another sig was immediately appended to it. We'll change this procedure to not cause this problem. Long term, it may be reasonable enough to assume that, if the creation time is the same, the one that is later in the list is the "real" last. If nothing else, it would be consistent with at least one other major implementation.
Consider this key:
It has two signatures on it: an older one which never expires, and a newer one which does expire.
OpenPGP.js interprets that as never expires (following the sig with later expiration).
GnuPG (and PGPainless) interprets that as expiring (following the sig with later creation).
From PGPainless developer:
I was trying to find relevant words in the spec, and here's what I found: https://tools.ietf.org/html/rfc4880#section-5.2.3.3
Originally discussed at pgpainless/pgpainless#55
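
The ambiguity discussed in this thread, as an added example (not code from OpenPGP.js, GnuPG or PGPainless): two self-signatures created in the same second yield a different key expiry depending on the tie-break rule. The signature objects, field names and timestamps are constructed for illustration.

```javascript
// Added example. Plain objects stand in for parsed self-signature packets;
// field names and all timestamps below are constructed, not OpenPGP.js API.

// Choose the self-signature with the latest creation time. When creation
// times are equal, tieBreak picks by packet order: 'first' or 'last'.
function selectSelfSignature(sigs, tieBreak = 'last') {
  if (sigs.length === 0) throw new Error('no self-signatures');
  let best = sigs[0];
  for (const sig of sigs.slice(1)) {
    const newer = sig.created > best.created;
    const tie = sig.created === best.created;
    if (newer || (tie && tieBreak === 'last')) best = sig;
  }
  return best;
}

// Key expiration time is an offset in seconds from key creation;
// an absent or zero value means the key never expires.
function keyExpiry(keyCreated, sig) {
  return sig.keyExpirationTime ? keyCreated + sig.keyExpirationTime : Infinity;
}

// Creation times shared by more than one signature: the ambiguous case.
function ambiguousCreationTimes(sigs) {
  const counts = new Map();
  for (const s of sigs) counts.set(s.created, (counts.get(s.created) || 0) + 1);
  return [...counts].filter(([, n]) => n > 1).map(([t]) => t);
}

const KEY_CREATED = 1600000000; // constructed
const ONE_YEAR = 365 * 24 * 3600;
// Two self-signatures made within the same second, as in the thread.
const sameSecond = [
  { created: KEY_CREATED, keyExpirationTime: 0 },
  { created: KEY_CREATED, keyExpirationTime: ONE_YEAR },
];

for (const rule of ['first', 'last']) {
  const expiry = keyExpiry(KEY_CREATED, selectSelfSignature(sameSecond, rule));
  console.log(rule, expiry === Infinity ? 'never expires' : `expires at ${expiry}`);
}
console.log('ambiguous creation times:', ambiguousCreationTimes(sameSecond));
```

A key tool can use a check like `ambiguousCreationTimes` to refuse to emit two self-signatures in the same second, which removes the dependence on any implementation's tie-break.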