pgp: don't shorten key fingerprints

If shortening fingerprints, the trailing '!' from subkey fingerprints is removed, and the wrong key is selected later on, potentially resulting in just-created secrets not being decryptable. Fixes #1365 Signed-off-by: tilpner <[email protected]>
getsops · Jun 6, 2024 · 3068ed0 · 3068ed0
1 parent 1c46d24
commit 3068ed0
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 32 deletions.
diff --git a/pgp/keysource.go b/pgp/keysource.go
@@ -321,8 +321,6 @@ func (key *MasterKey) encryptWithOpenPGP(dataKey []byte) error {
 // PGP key that belongs to Fingerprint. It sets EncryptedDataKey, or returns
 // an error.
 func (key *MasterKey) encryptWithGnuPG(dataKey []byte) error {
- fingerprint := shortenFingerprint(key.Fingerprint)
-
  args := []string{
  "--no-default-recipient",
  "--yes",
@@ -331,7 +329,7 @@ func (key *MasterKey) encryptWithGnuPG(dataKey []byte) error {
  "-r",
  key.Fingerprint,
  "--trusted-key",
- fingerprint,
+ key.Fingerprint,
  "--no-encrypt-to",
  }
  stdout, stderr, err := gpgExec(key.gnuPGHomeDir, args, bytes.NewReader(dataKey))
@@ -629,13 +627,3 @@ func gnuPGHome(customPath string) string {
  }
  return dir
 }
-
-// shortenFingerprint returns the short ID of the given fingerprint.
-// This is mostly used for compatibility reasons, as older versions of GnuPG
-// do not always like long IDs.
-func shortenFingerprint(fingerprint string) string {
- if offset := len(fingerprint) - 16; offset > 0 {
- fingerprint = fingerprint[offset:]
- }
- return fingerprint
-}
diff --git a/pgp/keysource_test.go b/pgp/keysource_test.go
@@ -338,18 +338,16 @@ func TestMasterKey_Decrypt(t *testing.T) {
  })
  assert.NoError(t, gnuPGHome.ImportFile(mockPrivateKey))
 
- fingerprint := shortenFingerprint(mockFingerprint)
-
  data := []byte("this data is absolutely top secret")
  stdout, stderr, err := gpgExec(gnuPGHome.String(), []string{
  "--no-default-recipient",
  "--yes",
  "--encrypt",
  "-a",
  "-r",
- fingerprint,
+ mockFingerprint,
  "--trusted-key",
- fingerprint,
+ mockFingerprint,
  "--no-encrypt-to",
  }, bytes.NewReader(data))
  assert.Nil(t, err)
@@ -421,18 +419,16 @@ func TestMasterKey_decryptWithOpenPGP(t *testing.T) {
  })
  assert.NoError(t, gnuPGHome.ImportFile(mockPrivateKey))
 
- fingerprint := shortenFingerprint(mockFingerprint)
-
  data := []byte("this data is absolutely top secret")
  stdout, stderr, err := gpgExec(gnuPGHome.String(), []string{
  "--no-default-recipient",
  "--yes",
  "--encrypt",
  "-a",
  "-r",
- fingerprint,
+ mockFingerprint,
  "--trusted-key",
- fingerprint,
+ mockFingerprint,
  "--no-encrypt-to",
  }, bytes.NewReader(data))
  assert.Nil(t, err)
@@ -470,18 +466,16 @@ func TestMasterKey_decryptWithGnuPG(t *testing.T) {
  })
  assert.NoError(t, gnuPGHome.ImportFile(mockPrivateKey))
 
- fingerprint := shortenFingerprint(mockFingerprint)
-
  data := []byte("this data is absolutely top secret")
  stdout, stderr, err := gpgExec(gnuPGHome.String(), []string{
  "--no-default-recipient",
  "--yes",
  "--encrypt",
  "-a",
  "-r",
- fingerprint,
+ mockFingerprint,
  "--trusted-key",
- fingerprint,
+ mockFingerprint,
  "--no-encrypt-to",
  }, bytes.NewReader(data))
  assert.Nil(t, err)
@@ -696,13 +690,6 @@ func Test_gnuPGHome(t *testing.T) {
  assert.Equal(t, customP, gnuPGHome(customP))
 }
 
-func Test_shortenFingerprint(t *testing.T) {
- shortId := shortenFingerprint(mockFingerprint)
- assert.Equal(t, "9732075EA221A7EA", shortId)
-
- assert.Equal(t, shortId, shortenFingerprint(shortId))
-}
-
 // TODO(hidde): previous tests kept around for now.
 
 func TestPGP(t *testing.T) {