Open pablocouto opened 7 years ago
I mainly agree with with bug report, and I read over the code, but it seems correct to me.
One theory: you did update your PGP key with your desktop machine on 12/16/2016. Are you positive you weren't reading that notification by mistake? My threaded email inbox view would collapse both emails in a way that might make this confusion possible.
(And BTW, you did two updates on 12/16/2016 too)
Thank you for looking into it. I checked my mailbox again, just in case; the emails correspond to the latest updates in the graph. They were received on 2017-03-07 at 01:13 and 11:39 CET, which fits with the proofs.
OK, cool, thanks for humoring me. I'll put a ticket in. I was hoping it was an obvious bug, but nothing jumped out at me. Thanks for giving this such a careful examination, we really appreciate it!
Just to keep you updated: I have done another update to my key and, this time, the notification email mentioned the correct signing device.
After updating one of my OpenPGP public keys from the command line, I got a confirmation email referring to the wrong device. From the email:
However, the device used to sign the update was a different one, as recorded in the proof payload:
where
kid
’s value corresponds to the devicelaptop-uab
.This happened again on a second update. It appears that these emails refer to the device originally used to upload a key, regardless of which one is used to sign an update.