Browse Source

Include full IssuerFingerprint in GPG signature

Update dependency to Bouncy Castle to 1.65.

Add the IssuerFingerprint as a hashed sub-packet in the signature. If
added unhashed, GPG ignores it.

Bug: 553206
Change-Id: I6807e8e2385e6ec5790f388e4753a44aa9474ebb
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
master
Thomas Wolf 5 years ago committed by Matthias Sohn
parent
commit
4d7a16257f
  1. 22
      org.eclipse.jgit/META-INF/MANIFEST.MF
  2. 6
      org.eclipse.jgit/src/org/eclipse/jgit/lib/internal/BouncyCastleGpgSigner.java

22
org.eclipse.jgit/META-INF/MANIFEST.MF

@ -162,17 +162,17 @@ Import-Package: com.googlecode.javaewah;version="[1.1.6,2.0.0)",
com.jcraft.jsch;version="[0.1.37,0.2.0)", com.jcraft.jsch;version="[0.1.37,0.2.0)",
javax.crypto, javax.crypto,
javax.net.ssl, javax.net.ssl,
org.bouncycastle;version="[1.61.0,2.0.0)", org.bouncycastle;version="[1.65.0,2.0.0)",
org.bouncycastle.bcpg;version="[1.61.0,2.0.0)", org.bouncycastle.bcpg;version="[1.65.0,2.0.0)",
org.bouncycastle.gpg;version="[1.61.0,2.0.0)", org.bouncycastle.gpg;version="[1.65.0,2.0.0)",
org.bouncycastle.gpg.keybox;version="[1.61.0,2.0.0)", org.bouncycastle.gpg.keybox;version="[1.65.0,2.0.0)",
org.bouncycastle.gpg.keybox.jcajce;version="[1.61.0,2.0.0)", org.bouncycastle.gpg.keybox.jcajce;version="[1.65.0,2.0.0)",
org.bouncycastle.jce.provider;version="[1.61.0,2.0.0)", org.bouncycastle.jce.provider;version="[1.65.0,2.0.0)",
org.bouncycastle.openpgp;version="[1.61.0,2.0.0)", org.bouncycastle.openpgp;version="[1.65.0,2.0.0)",
org.bouncycastle.openpgp.jcajce;version="[1.61.0,2.0.0)", org.bouncycastle.openpgp.jcajce;version="[1.65.0,2.0.0)",
org.bouncycastle.openpgp.operator;version="[1.61.0,2.0.0)", org.bouncycastle.openpgp.operator;version="[1.65.0,2.0.0)",
org.bouncycastle.openpgp.operator.jcajce;version="[1.61.0,2.0.0)", org.bouncycastle.openpgp.operator.jcajce;version="[1.65.0,2.0.0)",
org.bouncycastle.util.encoders;version="[1.61.0,2.0.0)", org.bouncycastle.util.encoders;version="[1.65.0,2.0.0)",
org.slf4j;version="[1.7.0,2.0.0)", org.slf4j;version="[1.7.0,2.0.0)",
org.xml.sax, org.xml.sax,
org.xml.sax.helpers org.xml.sax.helpers

6
org.eclipse.jgit/src/org/eclipse/jgit/lib/internal/BouncyCastleGpgSigner.java

@ -25,6 +25,7 @@ import org.bouncycastle.openpgp.PGPPrivateKey;
import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.bouncycastle.openpgp.PGPSignatureGenerator;
import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder; import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder;
import org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder; import org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder;
import org.eclipse.jgit.annotations.NonNull; import org.eclipse.jgit.annotations.NonNull;
@ -117,6 +118,11 @@ public class BouncyCastleGpgSigner extends GpgSigner {
HashAlgorithmTags.SHA256).setProvider( HashAlgorithmTags.SHA256).setProvider(
BouncyCastleProvider.PROVIDER_NAME)); BouncyCastleProvider.PROVIDER_NAME));
signatureGenerator.init(PGPSignature.BINARY_DOCUMENT, privateKey); signatureGenerator.init(PGPSignature.BINARY_DOCUMENT, privateKey);
PGPSignatureSubpacketGenerator subpacketGenerator = new PGPSignatureSubpacketGenerator();
subpacketGenerator.setIssuerFingerprint(false,
secretKey.getPublicKey());
signatureGenerator
.setHashedSubpackets(subpacketGenerator.generate());
ByteArrayOutputStream buffer = new ByteArrayOutputStream(); ByteArrayOutputStream buffer = new ByteArrayOutputStream();
try (BCPGOutputStream out = new BCPGOutputStream( try (BCPGOutputStream out = new BCPGOutputStream(
new ArmoredOutputStream(buffer))) { new ArmoredOutputStream(buffer))) {

Loading…
Cancel
Save