On Mon, 2018-11-05 at 10:08 +0900, Junio C Hamano wrote: > Michał Górny <mgorny@xxxxxxxxxx> writes: > > > > It's my understanding that GnuPG will use the most recent subkey > > > suitable for a particular purpose, and I think the test relies on that > > > behavior. However, I'm not sure that's documented. Do we want to rely > > > on that behavior or be more explicit? (This is a question, not an > > > opinion.) > > > > To be honest, I don't recall which suitable subkey is used. However, it > > definitely will prefer a subkey with signing capabilities over > > the primary key if one is present, and this is well-known and expected > > behavior. > > > > In fact, if you have a key with two signing subkeys A and B and it > > considers A better, then even if you explicitly pass keyid of B, it will > > use A. To force another subkey you have to append '!' to keyid. > > > > Therefore, I think this is a behavior we can rely on. > > I didn't check how the signing key configuration is done in the test > sript (which is outside the patch context), but do you mean that we > create these signed objects by specifying which key to use with a > keyid with "!" appended? If so I agree that would make sense, > because we would then know which subkey should be used for signing > and checking with %GF/%GP would be a good way to do so. > No, we don't have duplicate subkeys to be required to use that. Some of the tests use explicit '-S<keyid>' to force using the other key; other seem to use a default key (I can't find a place where the default would be set, so I suppose it's GnuPG default). -- Best regards, Michał Górny
Attachment:
signature.asc
Description: This is a digitally signed message part
