mozilla / mig

Distributed & real time digital forensics at the speed of the cloud

Home Page:http://mig.mozilla.org/


x/crypto/openpgp: unable to use signing subkeys

ameihm0912 opened this issue · comments

It appears an issue exists when trying to use signing subkeys; specifically, this issue manifests itself when the master signing key is not present, due to the way the openpgp library works.

The scenario here being:

  • User's GPG keyring contains a subkey secret key used for signing, and the master is not present
  • .migrc keyid indicates fingerprint of subkey

This will fail due to the way entities are read in the MIG PGP code, specifically:

mig/pgp/sign.go

Lines 44 to 54 in e058be3

```go
for _, entity := range keyring {
	if entity.PrivateKey == nil {
		panic("secring contains entity without private key data")
	}
	fingerprint := strings.ToUpper(hex.EncodeToString(entity.PrivateKey.PublicKey.Fingerprint[:]))
	if keyid == fingerprint {
		signer = entity
		found = true
		break
	}
}
```

The Entity type has a Subkeys component that is a list of subkeys associated with it. This is never read so it results in the fingerprint never being found.

If this code is modified, it is able to continue and subsequently fails in openpgp.ArmoredDetachSign(). The reason for this looks like it starts here:

https://github.com/golang/crypto/blob/7e9105388ebff089b3f99f0ef676ea55a6da3a7e/openpgp/write.go#L62-L89

There does not appear to be a way to indicate a subkey to ArmoredDetachSign(), and detachSign() simply uses the master private key associated with the passed in Entity.
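The lookup problem described above (the loop only compares the primary key's fingerprint and never walks `Entity.Subkeys`, and panics when the master secret key is absent) can be illustrated with a stand-alone Go example. This is an added example, not code from MIG or from x/crypto: the `Entity`, `Subkey`, `PrivateKey` and `Signature` types below are constructed stand-ins that mirror only the fields of the openpgp types the issue refers to, so the block runs without the library. `findSigner`, `sampleKeyring` and the fingerprints are assumptions made for the example. It searches primary keys and subkeys, tolerates an entity whose master secret key is missing, and refuses a matching subkey whose binding signature does not flag it for signing, which is the check a signer would want before using a subkey it found by fingerprint alone.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed stand-ins for the openpgp types named in the issue
// (real code would use golang.org/x/crypto/openpgp and openpgp/packet).
type PublicKey struct {
	Fingerprint [20]byte
}

type PrivateKey struct {
	PublicKey PublicKey
}

// Signature carries the key-flag bits a subkey binding signature exposes.
type Signature struct {
	FlagsValid bool
	FlagSign   bool
}

type Subkey struct {
	PrivateKey *PrivateKey
	Sig        *Signature
}

type Entity struct {
	PrivateKey *PrivateKey // nil when the master secret key is not in the keyring
	Subkeys    []Subkey
}

// fingerprintOf renders a key fingerprint the same way sign.go does.
func fingerprintOf(pk *PrivateKey) string {
	return strings.ToUpper(hex.EncodeToString(pk.PublicKey.Fingerprint[:]))
}

// findSigner looks for keyid among primary keys and subkeys. It returns the
// owning entity plus the private key that matched, so the caller knows whether
// it got a primary key or a subkey. Entities without a master secret key are
// not a fatal error here; their subkeys are still searched.
func findSigner(keyring []*Entity, keyid string) (*Entity, *PrivateKey, error) {
	want := strings.ToUpper(keyid)
	for _, entity := range keyring {
		if entity.PrivateKey != nil && fingerprintOf(entity.PrivateKey) == want {
			return entity, entity.PrivateKey, nil
		}
		for i := range entity.Subkeys {
			sk := &entity.Subkeys[i]
			if sk.PrivateKey == nil || fingerprintOf(sk.PrivateKey) != want {
				continue
			}
			// A subkey is only usable for signing if its binding signature says so.
			if sk.Sig == nil || !sk.Sig.FlagsValid || !sk.Sig.FlagSign {
				return nil, nil, fmt.Errorf("key %s is a subkey not flagged for signing", want)
			}
			return entity, sk.PrivateKey, nil
		}
	}
	return nil, nil, fmt.Errorf("no secret key with fingerprint %s in keyring", want)
}

// fpFromByte builds a constructed 20-byte fingerprint filled with b.
func fpFromByte(b byte) [20]byte {
	var fp [20]byte
	for i := range fp {
		fp[i] = b
	}
	return fp
}

// sampleKeyring is constructed test data: one entity with its master secret
// key present and no subkeys, and one entity whose master is absent but which
// carries an encryption subkey and a signing subkey.
func sampleKeyring() []*Entity {
	return []*Entity{
		{PrivateKey: &PrivateKey{PublicKey{fpFromByte(0x11)}}},
		{
			PrivateKey: nil,
			Subkeys: []Subkey{
				{PrivateKey: &PrivateKey{PublicKey{fpFromByte(0x22)}}, Sig: &Signature{FlagsValid: true, FlagSign: false}},
				{PrivateKey: &PrivateKey{PublicKey{fpFromByte(0x33)}}, Sig: &Signature{FlagsValid: true, FlagSign: true}},
			},
		},
	}
}

func main() {
	kr := sampleKeyring()
	for _, id := range []string{strings.Repeat("11", 20), strings.Repeat("33", 20), strings.Repeat("22", 20), strings.Repeat("44", 20)} {
		_, pk, err := findSigner(kr, id)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Println("accept:", fingerprintOf(pk))
	}
}
```

Note that finding the subkey is only half of the report: as the issue says, `ArmoredDetachSign()` still signs with the entity's master private key, so a caller that located a subkey this way must also have a way to hand that specific private key to the signing routine.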