keyoxide/keyoxide-web
26
329
Fork
You've already forked keyoxide-web
39

Outdated claims #161

Closed
opened 2023年03月26日 13:25:29 +02:00 by gonz0 · 7 comments

I have updated the claims in my key. I don't see that reflected on keyoxide though.

I debugged the issue up to the point I see my key has two self certifications, one dated 2020 and the newest one 2023. doipjs seems to be returning the first one instead of the latest.

src/server/keys.js puts the result of readKey in output.publicKey. Here, the new claim is still readable (i'll be doing a lot of trimming not to pollute the issue. This is all public information found in my PGP key anyways)

bu {
 created: 2020-07-16T19:11:15.000Z,
 rawNotations: [
 {
 name: 'proof@metacode.biz',
 },
 {
 name: 'proof@metacode.biz',
 },
 {
 name: 'proof@metacode.biz',
 }
 ],
bu {
 created: 2023-03-26T07:48:58.000Z,
 rawNotations: [
 {
 name: 'proof@ariadne.id',
 },
 {
 name: 'proof@metacode.biz',
 },
 {
 name: 'proof@metacode.biz',
 },
 {
 name: 'proof@metacode.biz',
 }
 ],
}

Later on, on index.js this object goes through doipjs processing and only the old claims come out:

[
 Claim {
 _uri: 'https://twitter.com/gonz0comar/status/1283839550394109955',
 _fingerprint: '607d555b2b11b1b3916acbde31e5fe63e2fc4825',
 },
 Claim {
 _uri: 'https://gist.github.com/gonzalob/be4d68b5dee5caa6bc79eaf5cf9ce8c3',
 _fingerprint: '607d555b2b11b1b3916acbde31e5fe63e2fc4825',
 },
 Claim {
 _uri: 'dns:gonz0.com.ar?type=TXT',
 _fingerprint: '607d555b2b11b1b3916acbde31e5fe63e2fc4825',
 }
]

These notation modifications were made following this doc: https://docs.keyoxide.org/guides/openpgp-profile-gnupg/

and the key shows only the expected notations:

 Notations: proof@metacode.biz=https://twitter.com/gonz0comar/status/1283839550394109955
 proof@metacode.biz=https://gist.github.com/gonzalob/be4d68b5dee5caa6bc79eaf5cf9ce8c3
 proof@metacode.biz=dns:gonz0.com.ar?type=TXT
 proof@ariadne.id=https://t.me/gonzalob?proof=f29d7f2863774c778d8695bac4d0

This is even more noticeable if the photo ID user is used as test case, as I emptied the notations there but they're still visible on keyoxide.

Thanks! And of course I'm available for any additional information I can provide.

I have updated the claims in my key. I don't see that reflected on keyoxide though. I debugged the issue up to the point I see my key has two self certifications, one dated 2020 and the newest one 2023. doipjs seems to be returning the first one instead of the latest. src/server/keys.js puts the result of readKey in output.publicKey. Here, the new claim is still readable (i'll be doing a lot of trimming not to pollute the issue. This is all public information found in my PGP key anyways) ```javascript bu { created: 2020年07月16日T19:11:15.000Z, rawNotations: [ { name: 'proof@metacode.biz', }, { name: 'proof@metacode.biz', }, { name: 'proof@metacode.biz', } ], bu { created: 2023年03月26日T07:48:58.000Z, rawNotations: [ { name: 'proof@ariadne.id', }, { name: 'proof@metacode.biz', }, { name: 'proof@metacode.biz', }, { name: 'proof@metacode.biz', } ], } ``` Later on, on index.js this object goes through doipjs processing and only the old claims come out: ```javascript [ Claim { _uri: 'https://twitter.com/gonz0comar/status/1283839550394109955', _fingerprint: '607d555b2b11b1b3916acbde31e5fe63e2fc4825', }, Claim { _uri: 'https://gist.github.com/gonzalob/be4d68b5dee5caa6bc79eaf5cf9ce8c3', _fingerprint: '607d555b2b11b1b3916acbde31e5fe63e2fc4825', }, Claim { _uri: 'dns:gonz0.com.ar?type=TXT', _fingerprint: '607d555b2b11b1b3916acbde31e5fe63e2fc4825', } ] ``` These notation modifications were made following this doc: https://docs.keyoxide.org/guides/openpgp-profile-gnupg/ and the key shows only the expected notations: ``` Notations: proof@metacode.biz=https://twitter.com/gonz0comar/status/1283839550394109955 proof@metacode.biz=https://gist.github.com/gonzalob/be4d68b5dee5caa6bc79eaf5cf9ce8c3 proof@metacode.biz=dns:gonz0.com.ar?type=TXT proof@ariadne.id=https://t.me/gonzalob?proof=f29d7f2863774c778d8695bac4d0 ``` This is even more noticeable if the photo ID user is used as test case, as I emptied the notations there but they're still visible on keyoxide. Thanks! And of course I'm available for any additional information I can provide.

Did you follow the Telegram-specific guide to create the Telegram proof?

Did you follow the [Telegram-specific guide](https://docs.keyoxide.org/service-providers/telegram/) to create the Telegram proof?
Author
Copy link

The issue is with notations on the key, and the fact that keyoxide is not getting the updated ones. I didn't get to check the telegram proof yet. Even so, I did follow that doc to create that specific one, yes.

The issue is with notations on the key, and the fact that keyoxide is not getting the updated ones. I didn't get to check the telegram proof yet. Even so, I did follow that doc to create that specific one, yes.
Author
Copy link

I didn't get to debug so far, but I see that doipjs gets the first selfCertification:

const notations = user.selfCertifications[0].rawNotations

I guess it should find the newest one instead.

I didn't get to debug so far, but I see that doipjs gets the first selfCertification: https://codeberg.org/keyoxide/doipjs/src/commit/e3392431d1cc20e78ccd003e2bf79aa3dcf78260/src/keys.js#L188 I guess it should find the newest one instead.
Author
Copy link

I got it working with this patch, but have no permissions to push on doipjs to provide a pull request:

diff --git a/src/keys.js b/src/keys.js
index bb62e4a..12ee7d0 100644
--- a/src/keys.js
+++ b/src/keys.js
@@ -283,7 +283,7 @@ const process = async (publicKey) => {
 }
 
 if ('selfCertifications' in user && user.selfCertifications.length > 0) {
- const selfCertification = user.selfCertifications[0]
+ const selfCertification = user.selfCertifications.sort((e1, e2) => e2.created - e1.created)[0]
 
 const notations = selfCertification.rawNotations
 usersOutput[i].claims = notations 
I got it working with this patch, but have no permissions to push on doipjs to provide a pull request: ```diff diff --git a/src/keys.js b/src/keys.js index bb62e4a..12ee7d0 100644 --- a/src/keys.js +++ b/src/keys.js @@ -283,7 +283,7 @@ const process = async (publicKey) => { } if ('selfCertifications' in user && user.selfCertifications.length > 0) { - const selfCertification = user.selfCertifications[0] + const selfCertification = user.selfCertifications.sort((e1, e2) => e2.created - e1.created)[0] const notations = selfCertification.rawNotations usersOutput[i].claims = notations ```
Author
Copy link

I have a user-side fix/workaround for this. if the key is exported with the minimal option, this works as-is, I guess because old notations are not exported.

From https://www.gnupg.org/documentation/manuals/gnupg/GPG-Input-and-Output.html

export-minimal
Export the smallest key possible. This removes all signatures except the most recent self-signature on each user ID. This option is the same as running the --edit-key command "minimize" before export except that the local copy of the key is not modified. Defaults to no.

I have a user-side fix/workaround for this. if the key is exported with the minimal option, this works as-is, I guess because old notations are not exported. From https://www.gnupg.org/documentation/manuals/gnupg/GPG-Input-and-Output.html > export-minimal > Export the smallest key possible. This removes all signatures except the most recent self-signature on each user ID. This option is the same as running the --edit-key command "minimize" before export except that the local copy of the key is not modified. Defaults to no.
Owner
Copy link

Thanks for looking into this. I remember doing some quick testing a few years ago and the selfCertifications were always already in chronological order. Still, your solution is what should have been applied: just sort to make sure the order is correct.

Doing some testing and then I will commit the change.

Thanks for looking into this. I remember doing some quick testing a few years ago and the selfCertifications were always already in chronological order. Still, your solution is what should have been applied: just sort to make sure the order is correct. Doing some testing and then I will commit the change.
Owner
Copy link

Ok, so this change made no difference for my keys, which is a good thing because indeed, for some reason my selfCertifications are in the right order from the start. But this change will fix the order for those keys that don't have the selfCertifications in the correct order.

Fixed with keyoxide/doipjs@d069569b32

Ok, so this change made no difference for my keys, which is a good thing because indeed, for some reason my selfCertifications are in the right order from the start. But this change will fix the order for those keys that don't have the selfCertifications in the correct order. Fixed with https://codeberg.org/keyoxide/doipjs/commit/d069569b3273a54c3400bae308792a5b85029db5
Sign in to join this conversation.
No Branch/Tag specified
main
dev
redesign-2023
add-logging
5.1.0
5.0.1
5.0.0
5.0.0-rc.1
4.2.7
4.2.6
4.2.5
4.2.4
4.2.3
4.2.2
4.2.1
4.2.0
4.1.1
4.1.0
4.0.2
4.0.1
4.0.0
3.6.4
3.6.3
3.6.2
3.6.1
3.6.0
3.5.2
3.5.1
3.5.0
3.4.18
3.4.17
3.4.16
3.4.15
3.4.14
3.4.13
3.4.12
3.4.11
3.4.10
3.4.9
3.4.8
3.4.7
3.4.6
3.4.5
3.4.4
3.4.3
3.4.2
3.4.1
3.4.0
3.3.1
3.3.0
3.2.0
3.1.1
3.1.0
3.0.4
3.0.3
3.0.2
3.0.1
3.0.0
2.5.0
2.4.2
2.4.1
2.4.0
2.3.4
2.3.3
2.3.2
2.3.1
2.3.0
2.2.8
2.2.7
2.2.6
2.2.5
2.2.4
2.2.3
2.2.2
2.2.1
2.2.0
2.1.1
2.1.0
2.0.2
2.0.1
2.0.0
2.0.0-rc.3
2.0.0-rc.2
2.0.0-rc.1
1.0.0
0.4.0
0.3.1
0.3.0
0.2.1
0.2.0
0.1.0
Labels
Clear labels
bug
Something is not working

Archived

contribution welcome
Contributions are very welcome, get started here

Archived

enhancement
New feature

Archived

good first issue
Interested in contributing? Get started here.

Archived

Contribution welcome
Get started contributing here
Good first issue
Good if you are new to the project or to open source contributions
Impact
External
Affects the people using the project
Impact
Internal
Affects on the people working on the project
Priority
Critical
Work on right now
Priority
High
Work on at earliest convenience
Priority
Low
Work on in spare time
Priority
Medium
Work on regularly
Review
Duplicate
Already exists
Review
Off Topic
Does not fall within the scope of the repo/project
Status
Backlog
Is not being worked on yet
Status
Blocked
Is waiting on something or someone
Status
Completed
Is done
Status
In Progress
Is being worked on
Status
Investigating
Is waiting on research or questions
Status
Needs Decision
Is waiting on a decision by the devs/contributors
Status
Needs Info
Is waiting on additional information before it can be solved
Status
Needs Triage
Is new issue that needs reviewing
Status
Testing
Is being checked and verified
Status
Waiting For Review
Is waiting on reviewers to approve
Status
Won't Fix
Won't be fixed
Type
Bug
Related to something not working as intended
Type
CI
Related to continuous integration
Type
Documentation
Related to documentation
Type
Enhancement
Related to a new feature or an improved one
Type
New Claim
Related to a new identity claim/proof
Type
Security
Related to security
Type
Tests
Related to code tests
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
keyoxide/keyoxide-web#161
Reference in a new issue
keyoxide/keyoxide-web
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?