From 4d7a16257f674b061851b5a2ee63f61b900cb6f1 Mon Sep 17 00:00:00 2001 From: Thomas Wolf Date: Mon, 4 May 2020 11:38:46 +0200 Subject: [PATCH] Include full IssuerFingerprint in GPG signature Update dependency to Bouncy Castle to 1.65. Add the IssuerFingerprint as a hashed sub-packet in the signature. If added unhashed, GPG ignores it. Bug: 553206 Change-Id: I6807e8e2385e6ec5790f388e4753a44aa9474ebb Signed-off-by: Thomas Wolf --- org.eclipse.jgit/META-INF/MANIFEST.MF | 22 +++++++++---------- .../lib/internal/BouncyCastleGpgSigner.java | 6 +++++ 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/org.eclipse.jgit/META-INF/MANIFEST.MF b/org.eclipse.jgit/META-INF/MANIFEST.MF index 5fb76f503..1cdb6417b 100644 --- a/org.eclipse.jgit/META-INF/MANIFEST.MF +++ b/org.eclipse.jgit/META-INF/MANIFEST.MF @@ -162,17 +162,17 @@ Import-Package: com.googlecode.javaewah;version="[1.1.6,2.0.0)", com.jcraft.jsch;version="[0.1.37,0.2.0)", javax.crypto, javax.net.ssl, - org.bouncycastle;version="[1.61.0,2.0.0)", - org.bouncycastle.bcpg;version="[1.61.0,2.0.0)", - org.bouncycastle.gpg;version="[1.61.0,2.0.0)", - org.bouncycastle.gpg.keybox;version="[1.61.0,2.0.0)", - org.bouncycastle.gpg.keybox.jcajce;version="[1.61.0,2.0.0)", - org.bouncycastle.jce.provider;version="[1.61.0,2.0.0)", - org.bouncycastle.openpgp;version="[1.61.0,2.0.0)", - org.bouncycastle.openpgp.jcajce;version="[1.61.0,2.0.0)", - org.bouncycastle.openpgp.operator;version="[1.61.0,2.0.0)", - org.bouncycastle.openpgp.operator.jcajce;version="[1.61.0,2.0.0)", - org.bouncycastle.util.encoders;version="[1.61.0,2.0.0)", + org.bouncycastle;version="[1.65.0,2.0.0)", + org.bouncycastle.bcpg;version="[1.65.0,2.0.0)", + org.bouncycastle.gpg;version="[1.65.0,2.0.0)", + org.bouncycastle.gpg.keybox;version="[1.65.0,2.0.0)", + org.bouncycastle.gpg.keybox.jcajce;version="[1.65.0,2.0.0)", + org.bouncycastle.jce.provider;version="[1.65.0,2.0.0)", + org.bouncycastle.openpgp;version="[1.65.0,2.0.0)", + org.bouncycastle.openpgp.jcajce;version="[1.65.0,2.0.0)", + org.bouncycastle.openpgp.operator;version="[1.65.0,2.0.0)", + org.bouncycastle.openpgp.operator.jcajce;version="[1.65.0,2.0.0)", + org.bouncycastle.util.encoders;version="[1.65.0,2.0.0)", org.slf4j;version="[1.7.0,2.0.0)", org.xml.sax, org.xml.sax.helpers diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/lib/internal/BouncyCastleGpgSigner.java b/org.eclipse.jgit/src/org/eclipse/jgit/lib/internal/BouncyCastleGpgSigner.java index 388169637..dfcfdab11 100644 --- a/org.eclipse.jgit/src/org/eclipse/jgit/lib/internal/BouncyCastleGpgSigner.java +++ b/org.eclipse.jgit/src/org/eclipse/jgit/lib/internal/BouncyCastleGpgSigner.java @@ -25,6 +25,7 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; +import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder; import org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder; import org.eclipse.jgit.annotations.NonNull; @@ -117,6 +118,11 @@ public void sign(@NonNull CommitBuilder commit, HashAlgorithmTags.SHA256).setProvider( BouncyCastleProvider.PROVIDER_NAME)); signatureGenerator.init(PGPSignature.BINARY_DOCUMENT, privateKey); + PGPSignatureSubpacketGenerator subpacketGenerator = new PGPSignatureSubpacketGenerator(); + subpacketGenerator.setIssuerFingerprint(false, + secretKey.getPublicKey()); + signatureGenerator + .setHashedSubpackets(subpacketGenerator.generate()); ByteArrayOutputStream buffer = new ByteArrayOutputStream(); try (BCPGOutputStream out = new BCPGOutputStream( new ArmoredOutputStream(buffer))) {