On Thu, Dec 23, 2021 at 11:34 PM Allan McRae <allan@archlinux.org> wrote:
> I'm not a fan of the idea that if a user has a handful of non-distro repositories configured, every package signature would need to be checked against multiple keys until one passed. Is there no way of identifying the correct signing key from the signature file?
Yeah, I believe there is. Here's the contents of a generated public key:

asignify-pubkey:1:mtG16Izr+xQ=:FlDRmIlYxCG0QAm7Jjmf/im62EBfg2nCpwzGPpkq+30=

And here's the contents of the sig file made using the corresponding private key:

asignify-sig:1:mtG16Izr+xQ=:txEF3fQ/gaBAVCi8WpDICWn9i7gqgfJXp/viJDQeeETfbZTheIXHitmXv9Z+RQO9dYQDkJ6AMZt/xTU1/lWlDQ==
BLAKE2 (test.c) = f8222a69bb9672b76ad7cc8776902a4b5bdde47b64040cd6febe798df3c7545a1f86e1ae94898f63fe94e3cabb91cda359be6b12edddcccd95ef5fd965349600

So it looks like the third field on the first line is a fingerprint for the key.

JH
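The key-selection step this exchange is about, as an added example (not code from the thread, pacman or asignify): parse the header line of the quoted key and signature files, index configured keys by the third field, and pick the one key a signature names instead of trying every key. The all-zero second key and the 8/32/64-byte field sizes are assumptions made for the example.

```python
import base64

# Contents quoted in the message above: the generated public key file and
# the signature file produced with the matching private key.
PUBKEY_FILE = "asignify-pubkey:1:mtG16Izr+xQ=:FlDRmIlYxCG0QAm7Jjmf/im62EBfg2nCpwzGPpkq+30=\n"
SIG_FILE = (
    "asignify-sig:1:mtG16Izr+xQ=:txEF3fQ/gaBAVCi8WpDICWn9i7gqgfJXp/viJDQeeETfbZTheIXHitmXv9Z+RQO9dYQDkJ6AMZt/xTU1/lWlDQ==\n"
    "BLAKE2 (test.c) = f8222a69bb9672b76ad7cc8776902a4b5bdde47b64040cd6febe798df3c7545a"
    "1f86e1ae94898f63fe94e3cabb91cda359be6b12edddcccd95ef5fd965349600\n"
)
# Constructed, unrelated key (all-zero bytes) standing in for another repo's key.
OTHER_PUBKEY_FILE = "asignify-pubkey:1:%s:%s\n" % (
    base64.b64encode(b"\x00" * 8).decode(), base64.b64encode(b"\x00" * 32).decode())
# Assumed decoded sizes: 8-byte key id, 32-byte Ed25519 public key, 64-byte signature.
PAYLOAD_LEN = {"pubkey": 32, "sig": 64}

def parse_header(text, kind):
    """Parse the first line 'asignify-<kind>:<version>:<key id>:<payload>'.
    Returns (key_id, payload) as bytes; raises ValueError on anything unexpected."""
    parts = text.split("\n", 1)[0].split(":")
    if len(parts) != 4 or parts[0] != "asignify-" + kind:
        raise ValueError("not an asignify %s file" % kind)
    if parts[1] != "1":
        raise ValueError("unsupported format version %r" % parts[1])
    key_id = base64.b64decode(parts[2], validate=True)
    payload = base64.b64decode(parts[3], validate=True)
    if len(key_id) != 8 or len(payload) != PAYLOAD_LEN[kind]:
        raise ValueError("bad field length in %s file" % kind)
    return key_id, payload

def is_well_formed(text, kind):
    try:
        parse_header(text, kind)
        return True
    except ValueError:
        return False

def build_keyring(pubkey_files):
    """Index configured public keys by key id; reject two different keys sharing one id."""
    ring = {}
    for text in pubkey_files:
        key_id, pubkey = parse_header(text, "pubkey")
        if key_id in ring and ring[key_id] != pubkey:
            raise ValueError("two different keys share key id %s" % key_id.hex())
        ring[key_id] = pubkey
    return ring

def select_key(sig_text, ring):
    """Return (pubkey, signature) for the one key the signature names; pubkey is None
    when no configured key matches, so verification is refused without trying them all."""
    key_id, signature = parse_header(sig_text, "sig")
    return ring.get(key_id), signature

if __name__ == "__main__":
    pubkey, sig = select_key(SIG_FILE, build_keyring([OTHER_PUBKEY_FILE, PUBKEY_FILE]))
    print("matched key:", pubkey.hex() if pubkey else None)
```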