Key.getSigningKey: prefer private decrypted (sub)keys

If dummy or public (sub)key packets are present alongside secret ones, the latter are now selected first, regardless of creation date.
2025-11-27 15:53:51 +00:00 · 2024-08-16 13:47:12 +02:00 · 2024-08-16 13:47:12 +02:00 · 36308615ad
commit 36308615ad
parent 1f574e0df7
1 changed files with 7 additions and 1 deletions
--- a/src/key/key.js
+++ b/src/key/key.js
@ -273,7 +273,13 @@ class Key {
    } catch (err) {
      throw util.wrapError('Could not verify primary key', err);
    }
-    const subkeys = this.subkeys.slice().sort((a, b) => b.keyPacket.created - a.keyPacket.created);
+    const subkeys = this.subkeys.slice().sort((a, b) => {
+      const aIsPrivate = a.isDecrypted() !== null && !a.isDummy();
+      const bIsPrivate = b.isDecrypted() !== null && !b.isDummy();
+      const diffIsPrivate = bIsPrivate - aIsPrivate;
+      // return non-dummy private (sub)keys first
+      return diffIsPrivate !== 0 ? diffIsPrivate : b.keyPacket.created - a.keyPacket.created;
+    });
    let exception;
    for (const subkey of subkeys) {
      if (!keyID || subkey.getKeyID().equals(keyID)) {