Michał Górny <mgorny@xxxxxxxxxx> writes: >> It's my understanding that GnuPG will use the most recent subkey >> suitable for a particular purpose, and I think the test relies on that >> behavior. However, I'm not sure that's documented. Do we want to rely >> on that behavior or be more explicit? (This is a question, not an >> opinion.) > > To be honest, I don't recall which suitable subkey is used. However, it > definitely will prefer a subkey with signing capabilities over > the primary key if one is present, and this is well-known and expected > behavior. > > In fact, if you have a key with two signing subkeys A and B and it > considers A better, then even if you explicitly pass keyid of B, it will > use A. To force another subkey you have to append '!' to keyid. > > Therefore, I think this is a behavior we can rely on. I didn't check how the signing key configuration is done in the test sript (which is outside the patch context), but do you mean that we create these signed objects by specifying which key to use with a keyid with "!" appended? If so I agree that would make sense, because we would then know which subkey should be used for signing and checking with %GF/%GP would be a good way to do so. Thanks.
