From 156cf23576df15cfd06d8138f7fc4443bfee5058 Mon Sep 17 00:00:00 2001
From: Robert McQueen
Date: Sun, 30 Jul 2017 17:35:46 +0100
Subject: [PATCH] gpg-verify-result: canonicalise key when looking up signatures
Use gpgme_get_key to find the primary key for the key we are looking for, and the primary key for each signature, and compare these when looking up signatures. The primary key is the first in the list of subkeys, which is the normal key ID people use when referring to a GPG key as an identity. If the key has a signing subkey, signature->fpr will not match the provided key_id, so looking up both keys and comparing the primary key fingerprints ensures they are both canonicalised.
https://github.com/ostreedev/ostree/issues/608
Closes: #1036
Approved by: cgwalters
---
 src/libostree/ostree-gpg-verify-result.c | 35 +++++++++++++++++++-----
 1 file changed, 28 insertions(+), 7 deletions(-)
diff --git a/src/libostree/ostree-gpg-verify-result.c b/src/libostree/ostree-gpg-verify-result.c
index 0277ce1e..059b3d56 100644
--- a/src/libostree/ostree-gpg-verify-result.c
+++ b/src/libostree/ostree-gpg-verify-result.c
@@ -237,7 +237,7 @@ ostree_gpg_verify_result_lookup (OstreeGpgVerifyResult *result,
 const gchar *key_id,
 guint *out_signature_index)
 {
- g_autofree char *key_id_upper = NULL;
+ gpgme_key_t lookup_key = NULL;
 gpgme_signature_t signature;
 guint signature_index;
 gboolean ret = FALSE;
@@ -245,25 +245,46 @@ ostree_gpg_verify_result_lookup (OstreeGpgVerifyResult *result,
 g_return_val_if_fail (OSTREE_IS_GPG_VERIFY_RESULT (result), FALSE);
 g_return_val_if_fail (key_id != NULL, FALSE);
- /* signature->fpr is always upper-case. */
- key_id_upper = g_ascii_strup (key_id, -1);
+ /* fetch requested key_id from keyring to canonicalise ID */
+ (void) gpgme_get_key (result->context, key_id, &lookup_key, 0);
+
+ if (lookup_key == NULL)
+ {
+ g_debug ("Could not find key ID %s to lookup signature.", key_id);
+ return FALSE;
+ }
 for (signature = result->details->signatures, signature_index = 0;
 signature != NULL;
 signature = signature->next, signature_index++)
 {
- if (signature->fpr == NULL)
- continue;
+ gpgme_key_t signature_key = NULL;
- if (g_str_has_suffix (signature->fpr, key_id_upper))
+ (void) gpgme_get_key (result->context, signature->fpr, &signature_key, 0);
+
+ if (signature_key == NULL)
+ {
+ g_debug ("Could not find key when looking up signature from %s.", signature->fpr);
+ continue;
+ }
+
+ /* the first subkey in the list is the primary key */
+ if (!g_strcmp0 (lookup_key->subkeys->fpr,
+ signature_key->subkeys->fpr))
 {
 if (out_signature_index != NULL)
 *out_signature_index = signature_index;
 ret = TRUE;
- break;
 }
+
+ gpgme_key_unref (signature_key);
+
+ if (ret)
+ break;
 }
+ gpgme_key_unref (lookup_key);
+
 return ret;
 }
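Review bot: Both new `gpgme_get_key` calls throw away their `gpgme_error_t` with `(void)`, so an ambiguous short key ID (GPG_ERR_AMBIGUOUS_NAME, i.e. two keys in the keyring sharing the ID) or a rejected fingerprint (GPG_ERR_INV_VALUE) is logged by the g_debug lines as "Could not find key", which hides why the lookup failed and makes a key-ID collision indistinguishable from a missing key. I would keep the status and log it: `gpgme_error_t err = gpgme_get_key (result->context, key_id, &lookup_key, 0);` then `if (err != 0 || lookup_key == NULL)` and `g_debug ("Could not look up key ID %s: %s", key_id, gpgme_strerror (err));`, and the same for `signature_key`. The removed `signature->fpr == NULL` guard is presumably covered by gpgme rejecting a NULL fingerprint, but the second g_debug then formats that NULL with `%s`; keeping the guard (or logging a fixed string in that case) avoids depending on the printf implementation. Note also that a signature whose key is absent from the keyring (status GPG_ERR_NO_PUBKEY) can no longer be found by this function, whereas the old suffix compare on `signature->fpr` returned its index — confirm no caller relies on looking those up to report the missing key. The function's signature and local declarations are in the preceding hunk.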