Bug 186963

Summary: how to sign CLA with subkey
Product: [Retired] Fedora Infrastructure Reporter: Karsten Wade <kwade>
Component: Account SystemAssignee: Mike McGrath <imlinux>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bleher, nman64
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://fedoraproject.org/wiki/Infrastructure/AccountSystem/CLAHowTo
Whiteboard:
Fixed In Version: FAS2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-03-17 18:00:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Karsten Wade 2006-03-27 18:44:20 UTC
We likely need to update the email you send people in the CLA process as well as
the Wiki pages online; or maybe the email has a pointer to the Wiki, which can
have all kind of exceptions and use-cases resolved.

## begin email from Thomas Bleher
I tried to get an Fedora account and had real difficulties signing the
CLA so the script would accept it. I finally managed to do it and am
writing you so you can either fix the script or amend the documentation.

My key looks like this:
$ gpg --list-keys 'Thomas Bleher'
pub   1024D/B2F4ABE7 2004-01-30
uid                  Thomas Bleher <ThomasBleher>
uid                  Thomas Bleher <thomas.bleher.de>
uid                  Thomas Bleher <bleher.de>
uid                  Thomas Bleher (Used for Archive Signing) <tbleher>
sub   1024g/2A40FB55 2004-01-30
sub   1024D/5314F77F 2004-02-18

Notice the subkey. Normally I use 5314F77F to sign everything. But the
script would always deny my request (I tried specifying both 5314F77F and
B2F4ABE7 as my GPG key on the "Edit Account" page but it didn't make a
difference).
It finally worked after I told gpg explicitly to sign the message with
my main key:
$ gpg -a -u B2F4ABE7! --sign fedora-icla-tbleher.txt
(Notice the ! which tells gpg that exactly this key should be used).

Comment 1 Thomas Bleher 2006-03-27 21:21:28 UTC
It would also be helpful if the reject mail included some information why the 
signature failed to verify (the gpg command line and output would already help 
a lot in some cases); in my case I first had a buggy gpg version which 
produced invalid output (--clearsign worked but -a --sign did not) - if the 
command output were included in the returned mail it would have been easier to 
figure out the problem. 

Comment 2 Ricky Zhou 2008-03-17 18:00:42 UTC
This problem should no longer exist in FAS2 (since GPG signed emails are no
longer required).