From 36308615adcc380d688c3866d59d40bebac2e7c7 Mon Sep 17 00:00:00 2001
From: larabr <7375870+larabr@users.noreply.github.com>
Date: Fri, 16 Aug 2024 13:47:12 +0200
Subject: [PATCH] `Key.getSigningKey`: prefer private decrypted (sub)keys

If dummy or public (sub)key packets are present alongside secret ones, the latter are now selected first, regardless of creation date.
---
 src/key/key.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/key/key.js b/src/key/key.js
index b99d94ad..0fd87662 100644
--- a/src/key/key.js
+++ b/src/key/key.js
@@ -273,7 +273,13 @@ class Key {
 } catch (err) {
 throw util.wrapError('Could not verify primary key', err);
 }
- const subkeys = this.subkeys.slice().sort((a, b) => b.keyPacket.created - a.keyPacket.created);
+ const subkeys = this.subkeys.slice().sort((a, b) => {
+ const aIsPrivate = a.isDecrypted() !== null && !a.isDummy();
+ const bIsPrivate = b.isDecrypted() !== null && !b.isDummy();
+ const diffIsPrivate = bIsPrivate - aIsPrivate;
+ // return non-dummy private (sub)keys first
+ return diffIsPrivate !== 0 ? diffIsPrivate : b.keyPacket.created - a.keyPacket.created;
+ });
 let exception;
 for (const subkey of subkeys) {
 if (!keyID || subkey.getKeyID().equals(keyID)) {
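Review bot: The `isDecrypted() !== null` test in the new comparator accepts every non-null result, so a secret subkey that is still locked (presumably `isDecrypted()` returns `false` for it; the hunk does not show this) ranks level with a decrypted one, although the commit title says decrypted (sub)keys are preferred. If usable key material should be tried first, compare with `=== true`; if any non-dummy secret packet is meant to rank first, as the description reads, state that in the comment, e.g. `// non-dummy secret (sub)keys first, whether locked or not; ties broken by newest creation date`. The subtraction `bIsPrivate - aIsPrivate` relies on implicit boolean-to-number coercion, and `Number(bIsPrivate) - Number(aIsPrivate)` would make the ordering explicit. The enclosing method begins and ends outside the hunk, so what happens later in the loop when a locked subkey is selected first cannot be checked from here.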