keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

OpenPGP key update notification email refers to the wrong signing device #2896

Open pablocouto opened 7 years ago

pablocouto commented 7 years ago

After updating one of my OpenPGP public keys from the command line, I got a confirmation email referring to the wrong device. From the email:

PGP key updated!

You just updated 28A8 F8D3 3491 1B02 55D8 F334 81FD DC30 10CF D9F6.

You performed this action by signing a statement with desktop, […]

However, the device used to sign the update was a different one, as recorded in the proof payload:

      "kid": "012089ad5aa5889935f51ebd90b160f96c72a98b4c4db13b1c378b1f170cf158a4810a",

where kid’s value corresponds to the device laptop-uab.

This happened again on a second update. It appears that these emails refer to the device originally used to upload a key, regardless of which one is used to sign an update.
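The check the reporter did by hand above (read the `kid` from the signed proof payload, map it to a device, and compare it with the device the notification email names) can be scripted. The following is an added example, not code from keybase-issues or the Keybase client. It assumes Keybase's public key-id layout (a 0x01 version byte, a type byte where 0x20 is an EdDSA signing key, 32 raw key bytes, and a 0x0a trailer, rendered as lowercase hex); the device table and the payload fragment are constructed for the example, with the `kid` taken from the issue text.

```python
import json
import re

# Keybase KID layout (assumed): 1-byte version (0x01), 1-byte algorithm type
# (0x20 = EdDSA signing key, 0x21 = DH/encryption key), 32 raw key bytes,
# and a trailing 0x0a byte; rendered as a lowercase hex string.
KID_VERSION = 0x01
KID_TYPE_EDDSA = 0x20
KID_TRAILER = 0x0a
KID_RAW_LEN = 1 + 1 + 32 + 1

# Constructed device directory. The first KID is the one quoted in the issue,
# mapped to the device name the reporter identified; the second is a
# hypothetical key for a device called "desktop".
DEVICE_BY_KID = {
    "012089ad5aa5889935f51ebd90b160f96c72a98b4c4db13b1c378b1f170cf158a4810a": "laptop-uab",
    "0120" + "11" * 32 + "0a": "desktop",
}

# Constructed sigchain-link payload fragment: only the fields this check needs.
SAMPLE_PAYLOAD = json.dumps({
    "body": {"type": "pgp_update", "version": 1},
    "kid": "012089ad5aa5889935f51ebd90b160f96c72a98b4c4db13b1c378b1f170cf158a4810a",
    "seqno": 42,
})

# Constructed notification text, following the wording quoted in the issue.
SAMPLE_EMAIL = (
    "PGP key updated!\n"
    "You just updated 28A8 F8D3 3491 1B02 55D8 F334 81FD DC30 10CF D9F6.\n"
    "You performed this action by signing a statement with desktop, ...\n"
)


def parse_kid(kid_hex):
    """Decode a Keybase KID; return (type_byte, key_bytes) or raise ValueError."""
    try:
        raw = bytes.fromhex(kid_hex)
    except ValueError:
        raise ValueError("KID is not valid hex")
    if len(raw) != KID_RAW_LEN:
        raise ValueError(f"KID has {len(raw)} bytes, expected {KID_RAW_LEN}")
    if raw[0] != KID_VERSION:
        raise ValueError(f"unexpected KID version byte 0x{raw[0]:02x}")
    if raw[-1] != KID_TRAILER:
        raise ValueError(f"unexpected KID trailer byte 0x{raw[-1]:02x}")
    return raw[1], raw[2:-1]


def signing_device(payload_json, device_by_kid):
    """Return the device name that owns the signing key named in the payload's kid."""
    payload = json.loads(payload_json)
    kid = payload["kid"]
    key_type, _ = parse_kid(kid)
    if key_type != KID_TYPE_EDDSA:
        raise ValueError(f"kid type 0x{key_type:02x} is not an EdDSA signing key")
    device = device_by_kid.get(kid)
    if device is None:
        raise ValueError("kid does not belong to any known device")
    return device


def device_named_in_email(email_text):
    """Extract the device the notification email claims signed the statement."""
    match = re.search(r"signing a statement with ([\w-]+)", email_text)
    if match is None:
        raise ValueError("email does not name a signing device")
    return match.group(1)


def check_notification(payload_json, email_text, device_by_kid):
    """Compare the device that actually signed with the device the email names."""
    actual = signing_device(payload_json, device_by_kid)
    claimed = device_named_in_email(email_text)
    return {"actual": actual, "claimed": claimed, "match": actual == claimed}


if __name__ == "__main__":
    result = check_notification(SAMPLE_PAYLOAD, SAMPLE_EMAIL, DEVICE_BY_KID)
    print(result)
```

Run against the constructed inputs, the check reports the mismatch the reporter describes: the payload's `kid` resolves to `laptop-uab` while the email names `desktop`. The KID structure checks are there so that a malformed or non-signing key id fails loudly rather than silently mapping to no device.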

maxtaco commented 7 years ago

I mainly agree with the bug report, and I read over the code, but it seems correct to me.

One theory: you did update your PGP key with your desktop machine on 12/16/2016. Are you positive you weren't reading that notification by mistake? My threaded email inbox view would collapse both emails in a way that might make this confusion possible.

(And BTW, you did two updates on 12/16/2016 too)

pablocouto commented 7 years ago

Thank you for looking into it. I checked my mailbox again, just in case; the emails correspond to the latest updates in the graph. They were received on 2017-03-07 at 01:13 and 11:39 CET, which fits with the proofs.

maxtaco commented 7 years ago

OK, cool, thanks for humoring me. I'll put a ticket in. I was hoping it was an obvious bug, but nothing jumped out at me. Thanks for giving this such a careful examination, we really appreciate it!

pablocouto commented 7 years ago

Just to keep you updated: I have done another update to my key and, this time, the notification email mentioned the correct signing device.