Publishing fedora developer PGP keys in DNSSEC

Björn Persson Bjorn at
Mon Feb 2 05:18:50 UTC 2015

Paul Wouters wrote:
>On Sun, 1 Feb 2015, Björn Persson wrote:
>> Paul Wouters wrote:
>>> paul at bofh:~$ openpgpkey --fetch pwouters at
>> openpgpkey: /var/lib/unbound/root.anchor is not a file. Unable to use
>> it as rootanchor
>> Huh?
>turns out a bug in %post of unbound-libs. I pushed a fix into rawhide.
>I've also made openpgpkey smarter so it looks for more file locations
>for the root.anchor or root.key file. I'll push that upstream.

Thanks. Meanwhile a Cron job seems to have created root.anchor, so now
I get this output:

$ openpgpkey --fetch Bjorn at
openpgpkey: Received OpenPGP data does not contain a key with keyid Bjorn at
(add --uid <uid> to override with any of the below received uids)
# Björn Persson <Bjorn at Rombobjö>
# Björn Persson <Bjorn at>

Besides the lack of IDNA, this shows another character encoding bug. The
UIDs on the key are encoded in UTF-8, and my locale also uses UTF-8, so
no transcoding should be needed, but somewhere along the way the strings
get erroneously interpreted as an 8-bit encoding, probably ISO 8859-1,
and then transcoded from that to UTF-8.

>> Traceback (most recent call last):
>>  File "/usr/bin/openpgpkey", line 189, in <module>
>>    if "<%s>" in uid:
>> UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position
>> 14: ordinal not in range(128)
>I'll work on adding punycode support :)
>(the LHS does not matter, we just sha224 whatever you give us)

Don't you need to ensure that the local part is encoded in UTF-8 per
RFC 6530 before you hash it, in case the user's locale uses another

Björn Persson
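
An added illustration (not part of the original message, and not openpgpkey's own code) of the two encoding points raised above: UTF-8 UIDs misread as ISO 8859-1 and re-encoded, and a SHA-224 of the local part that depends on which byte encoding was hashed. The sample local part is constructed and the function names are hypothetical.

```python
import hashlib

def misdecode_utf8_as_latin1(text):
    """Reproduce the display bug: UTF-8 bytes read as ISO 8859-1."""
    return text.encode("utf-8").decode("iso-8859-1")

def repair_misdecoded(text):
    """Undo the misreading when it is reversible; else return text unchanged."""
    try:
        return text.encode("iso-8859-1").decode("utf-8")
    except (UnicodeEncodeError, UnicodeDecodeError):
        # Not a UTF-8-read-as-Latin-1 string, so leave it alone.
        return text

def label_from_bytes(raw):
    """SHA-224 hex digest of the bytes exactly as given, with no transcoding."""
    return hashlib.sha224(raw).hexdigest()

def label_from_locale_bytes(raw, locale_encoding):
    """Decode with the user's locale encoding, then hash the UTF-8 form."""
    return label_from_bytes(raw.decode(locale_encoding).encode("utf-8"))

# Constructed sample local part containing one non-ASCII character (o-umlaut).
SAMPLE = "bj\u00f6rn"

if __name__ == "__main__":
    uid = "Bj\u00f6rn"
    garbled = misdecode_utf8_as_latin1(uid)
    print("displayed after misdecoding:", garbled)
    print("repaired:", repair_misdecoded(garbled))

    latin1_bytes = SAMPLE.encode("iso-8859-1")   # what a Latin-1 locale sends
    utf8_bytes = SAMPLE.encode("utf-8")          # what a UTF-8 locale sends

    # Hashing raw input: the same address yields two different labels.
    print("raw latin-1:", label_from_bytes(latin1_bytes))
    print("raw utf-8:  ", label_from_bytes(utf8_bytes))

    # Normalising to UTF-8 first: both locales agree on one label.
    print("normalised: ", label_from_locale_bytes(latin1_bytes, "iso-8859-1"))
    print("normalised: ", label_from_locale_bytes(utf8_bytes, "utf-8"))
```
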