From 4f9883421653a8a3c5ebe3c8f7507af183af0b94 Mon Sep 17 00:00:00 2001 From: Justin Burnham Date: Wed, 18 Sep 2013 23:27:32 -0700 Subject: Better signature validation for subkeys. --- git-remote-gcrypt | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/git-remote-gcrypt b/git-remote-gcrypt index bb19652..94e7d58 100755 --- a/git-remote-gcrypt +++ b/git-remote-gcrypt @@ -388,7 +388,7 @@ make_new_repo() # $1 return var for goodsig match, $2 return var for signers text read_config() { - local recp_= r_keyinfo= cap_= conf_part= good_sig= signers_= + local recp_= r_keyinfo= r_keyfpr= gpg_list= cap_= conf_part= good_sig= signers_= Conf_signkey=$(git config --path user.signingkey || :) conf_part=$(git config --get "remote.$NAME.gcrypt-participants" '.+' || git config --get gcrypt.participants '.+' || :) @@ -406,16 +406,21 @@ read_config() for recp_ in $conf_part do - filter_to @r_keyinfo "pub*" \ - "$(gpg --with-colons --fast-list -k "$recp_")" + gpg_list=$(gpg --with-colons --fast-list --fingerprint -k "$recp_") + filter_to @r_keyinfo "pub*" "$gpg_list" + filter_to @r_keyfpr "fpr*" "$gpg_list" isnull "$r_keyinfo" || isnonnull "${r_keyinfo##*"$Newline"*}" || echo_info "WARNING: '$recp_' matches multiple keys, using one" + isnull "$r_keyfpr" || isnonnull "${r_keyfpr##*"$Newline"*}" || + echo_info "WARNING: '$recp_' matches multiple fingerprints, using one" r_keyinfo=${r_keyinfo%%"$Newline"*} + r_keyfpr=${r_keyfpr%%"$Newline"*} keyid_=$(xfeed "$r_keyinfo" cut -f 5 -d :) + fprid_=$(xfeed "$r_keyfpr" cut -f 10 -d :) - isnonnull "$keyid_" && + isnonnull "$fprid_" && signers_="$signers_ $keyid_" && - append_to @good_sig "^\[GNUPG:\] GOODSIG $keyid_" || { + append_to @good_sig "^\[GNUPG:\] VALIDSIG .*$fprid_$" || { echo_info "WARNING: Skipping missing key $recp_" continue } -- cgit v1.1
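Review bot: In the first hunk, the `local` line of read_config gains `r_keyfpr=` and `gpg_list=` but not `fprid_`, which the second hunk assigns inside the loop. Unless it is declared in lines outside the hunks, it leaks out of the function as a global. Adding it here keeps the new state scoped: `local recp_= r_keyinfo= r_keyfpr= gpg_list= fprid_= cap_= conf_part= good_sig= signers_=`. `keyid_` is in the same position and could be handled the same way if it is not declared elsewhere.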
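Review bot: In the second hunk, the pattern `VALIDSIG .*$fprid_$` matches any VALIDSIG status line that merely ends in `$fprid_`, so it is only as strict as `$fprid_` is complete; requiring a field boundary makes it a whole-field comparison: `append_to @good_sig "^\[GNUPG:\] VALIDSIG .* $fprid_$" || {`. The check appears to rely on the last VALIDSIG field being the primary key's fingerprint, which is what lets a subkey signature match; a comment above it such as `# last VALIDSIG field is the primary key fingerprint, so subkey signatures match` would record that. On GnuPG versions whose colon listing prints an `fpr` record after every `sub` record, the added "matches multiple fingerprints" warning would fire for any participant key that has subkeys, even though the first `fpr` line is still the intended one. The loop and read_config continue outside the hunk.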