Skip to content

Use PySequoia to parse signatures & not break on PQC signatures#2255

Open
dralley wants to merge 1 commit intopulp:mainfrom
dralley:pqc-handling
Open

Use PySequoia to parse signatures & not break on PQC signatures#2255
dralley wants to merge 1 commit intopulp:mainfrom
dralley:pqc-handling

Conversation

@dralley
Copy link
Contributor

@dralley dralley commented Mar 9, 2026
edited
Loading

closes #2237

📜 Checklist

  • Commits are cleanly separated with meaningful messages (simple features and bug fixes should be squashed to one commit)
  • A changelog entry or entries has been added for any significant changes
  • Follows the Pulp policy on AI Usage
  • (For new features) - User documentation and test coverage has been added

See: Pull Request Walkthrough

@github-actions github-actions bot added the wip label Mar 9, 2026
@dralley dralley force-pushed the pqc-handling branch 2 times, most recently from b4708de to c4c7a2e Compare March 9, 2026 22:36
@github-actions github-actions bot removed the wip label Mar 9, 2026
@dralley dralley force-pushed the pqc-handling branch 4 times, most recently from 9d76f06 to 0a2c79a Compare March 9, 2026 22:43
@dralley dralley force-pushed the pqc-handling branch 2 times, most recently from a8f9748 to ef9d9b0 Compare March 9, 2026 23:54
@dralley dralley changed the title WIP Fix handling PQC Signatures (pysequoia) Use PySequoia to parse signatures & not break on PQC signatures Mar 10, 2026
dralley
dralley commented Mar 11, 2026
View reviewed changes
@dralley dralley marked this pull request as ready for review March 23, 2026 13:22
@dralley
Copy link
Contributor Author

dralley commented Mar 23, 2026
edited
Loading

Still needed: test that it actually resolves the issue

We may need to update ManifestSignature to store fingerprints in a subsequent PR since V6 signatures do not have keyids.

This PR just truncates to a key ID from a full fingerprint

Yes. In OpenPGP v6 (RFC 9580), the Key ID is defined as the first 8 bytes (high-order 64 bits) of the 32-byte fingerprint (which is a SHA-256 hash).

This is a reversal from v4, where the Key ID was the last 8 bytes (low-order 64 bits) of the 20-byte SHA-1 fingerprint.

That said, the v6 spec strongly discourages relying on Key IDs for identification — the full 32-byte fingerprint is preferred. The truncated Key ID exists mainly for backward compatibility in packet formats that have a fixed 8-byte key ID field (e.g., PKESK packets, Issuer Key ID subpackets), but v6 introduces alternatives that carry the full fingerprint instead (e.g., the Issuer Fingerprint subpacket replaces the Issuer Key ID subpacket).

@dralley dralley force-pushed the pqc-handling branch 4 times, most recently from a781aaf to 9c6f0ce Compare March 23, 2026 14:38
@dralley
Fix handling PQC Signatures (pysequoia)
b4971b1 
closes pulp#2237

Assisted-By: claude-opus-4.6
@dralley dralley mentioned this pull request Mar 23, 2026
Draft
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support Post-Quantum Cryptography

1 participant

@dralley