From b1be7d1202883f77b1ee44bc788e39fdf7b5db7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Obernd=C3=B6rfer?= <thomas@mailvelope.com>
Date: Thu, 28 Feb 2019 19:34:46 +0100
Subject: [PATCH] Fix merging multiple subkey binding signatures (#868)

---
 src/key.js          |  4 ++--
 test/general/key.js | 14 ++++++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/key.js b/src/key.js
index b2feeb40..0e83de6b 100644
--- a/src/key.js
+++ b/src/key.js
@@ -1183,10 +1183,10 @@ SubKey.prototype.update = async function(subKey, primaryKey) {
     }
     for (let i = 0; i < that.bindingSignatures.length; i++) {
       if (that.bindingSignatures[i].issuerKeyId.equals(srcBindSig.issuerKeyId)) {
-        if (srcBindSig.created < that.bindingSignatures[i].created) {
+        if (srcBindSig.created > that.bindingSignatures[i].created) {
           that.bindingSignatures[i] = srcBindSig;
-          return false;
         }
+        return false;
       }
     }
     return true;
diff --git a/test/general/key.js b/test/general/key.js
index 7216ec7e..00d01caa 100644
--- a/test/general/key.js
+++ b/test/general/key.js
@@ -2413,6 +2413,20 @@ describe('Key', function() {
     });
   });
 
+  it('update() - merge multiple subkey binding signatures', async function() {
+    const source = (await openpgp.key.readArmored(multipleBindingSignatures)).keys[0];
+    const dest = (await openpgp.key.readArmored(multipleBindingSignatures)).keys[0];
+    // remove last subkey binding signature of destination subkey
+    dest.subKeys[0].bindingSignatures.length = 1;
+    expect((await source.subKeys[0].getExpirationTime(source.primaryKey)).toISOString()).to.equal('2015-10-18T07:41:30.000Z');
+    expect((await dest.subKeys[0].getExpirationTime(dest.primaryKey)).toISOString()).to.equal('2018-09-07T06:03:37.000Z');
+    return dest.update(source).then(async () => {
+      expect(dest.subKeys[0].bindingSignatures.length).to.equal(1);
+      // destination key gets new expiration date from source key which has newer subkey binding signature
+      expect((await dest.subKeys[0].getExpirationTime(dest.primaryKey)).toISOString()).to.equal('2015-10-18T07:41:30.000Z');
+    });
+  });
+
   it('revoke() - primary key', async function() {
     const privKey = (await openpgp.key.readArmored(priv_key_arm2)).keys[0];
     await privKey.decrypt('hello world');