# # # add_dir "tests/duplicate_key_id" # # add_file "tests/duplicate_key_id/bad_test_key" # content [0d6b727c4dfbd7e037daa87fbb11bb277467ebb8] # # patch "NEWS" # from [830d7f355004247a6bdd8d872226e83d0be7bb85] # to [3975902db7de50d784b0661302fd793ed23671dc] # # patch "cert.cc" # from [2e88ff620a6c09e14461f3d0e9d67ef0e1b8411d] # to [6a58e3628ddaa11c5dbcbab1eb93816c074849f6] # # patch "cmd_list.cc" # from [622ac9ea93b781409604baa769cecad53a425e10] # to [b27cdb87d591d6a9059204ab2afccc7ee4672309] # ============================================================ --- tests/duplicate_key_id/bad_test_key 0d6b727c4dfbd7e037daa87fbb11bb277467ebb8 +++ tests/duplicate_key_id/bad_test_key 0d6b727c4dfbd7e037daa87fbb11bb277467ebb8 @@ -0,0 +1,5 @@ +[pubkey address@hidden +MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6yvo3L+AJ7AHWfcpH0CH5tGsCtm/ChgfL +NM5UpMWEZSzYlVhaR5fE65dV4QujL8xTkV0FUJuDe3Omz+IArxYZpHZNQVS2inhMUt08cJxe +fmP0fz3qmyMn1TZhyof6ksS4b4qt81nmjIYNFvQzupk0lq2gEqNbR8JlUMQkaQrWJQIDAQAB +[end] ============================================================ --- NEWS 830d7f355004247a6bdd8d872226e83d0be7bb85 +++ NEWS 3975902db7de50d784b0661302fd793ed23671dc @@ -14,6 +14,9 @@ - mtn now warns if changes to a file will be ignored because the file has been deleted on one side of a merge. + - mtn now errors if your chosen private key doesn't match the public + key of the same name in your database. + Internal - Update Botan to 1.7.2. ============================================================ --- cert.cc 2e88ff620a6c09e14461f3d0e9d67ef0e1b8411d +++ cert.cc 6a58e3628ddaa11c5dbcbab1eb93816c074849f6 
@@ -448,21 +448,32 @@ get_user_key(rsa_keypair_id & key, app_s if (app.opts.signing_key() != "") { key = app.opts.signing_key; - return; } + else if (app.lua.hook_get_branch_key(app.opts.branchname, key)) + ; // the check also sets the key. + else + { + vector all_privkeys; + app.keys.get_key_ids(all_privkeys); + N(!all_privkeys.empty(), + F("you have no private key to make signatures with\n" + "perhaps you need to 'genkey '")); + N(all_privkeys.size() == 1, + F("you have multiple private keys\n" + "pick one to use for signatures by adding '-k' to your command")); + key = all_privkeys[0]; + } - if (app.lua.hook_get_branch_key(app.opts.branchname, key)) - return; - - vector all_privkeys; - app.keys.get_key_ids(all_privkeys); - N(!all_privkeys.empty(), - F("you have no private key to make signatures with\n" - "perhaps you need to 'genkey '")); - N(all_privkeys.size() == 1, - F("you have multiple private keys\n" - "pick one to use for signatures by adding '-k' to your command")); - key = all_privkeys[0]; + if (app.db.database_specified() && app.db.public_key_exists(key)) + { + base64 pub_key; + keypair priv_key; + app.db.get_key(key, pub_key); + app.keys.get_key_pair(key, priv_key); + E(keys_match(key, pub_key, key, priv_key.pub), + F("The key '%s' stored in your database does\n" + "not match the version in your local key store!") % key); + } } // Guess which branch is appropriate for a commit below IDENT. ============================================================ --- cmd_list.cc 622ac9ea93b781409604baa769cecad53a425e10 +++ cmd_list.cc b27cdb87d591d6a9059204ab2afccc7ee4672309 @@ -178,6 +178,8 @@ CMD(keys, "keys", "", CMD_REF(list), "[P i != pubs.end(); i++) pubkeys[*i] = true; + set bad_keys; + bool all_in_db = true; for (vector::const_iterator i = privkeys.begin(); i != privkeys.end(); i++) 
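Review bot: The new consistency check in get_user_key calls `app.keys.get_key_pair(key, priv_key)` without first confirming that `key` exists in the local key store. On two of the three paths (the `-k` signing key and the `hook_get_branch_key` result) the name is supplied by the user or a hook rather than taken from `get_key_ids`. If get_key_pair treats a missing key as an invariant failure (its definition is not in this hunk), a name that exists only in the database would end in an internal error instead of a clear message. A guard before the lookup would avoid that, for example `N(app.keys.key_pair_exists(key), F("no private key '%s' found in key store") % key);`, assuming the key store offers such an existence test. The check is also skipped silently when no database is specified or the database has no public key of that name, which deserves a comment such as `// best effort: a mismatch is only detectable when the db already holds a public key with this id`; the function begins outside the hunk.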
@@ -187,6 +189,16 @@ CMD(keys, "keys", "", CMD_REF(list), "[P pubkeys[*i] = false; all_in_db = false; } + else if (app.db.database_specified()) + { + // we've found a key that should have both a public and a private version + base64 pub_key; + keypair priv_key; + app.db.get_key(*i, pub_key); + app.keys.get_key_pair(*i, priv_key); + if (!keys_match(*i, pub_key, *i, priv_key.pub)) + bad_keys.insert(*i); + } } if (pubkeys.size() > 0) @@ -235,6 +247,16 @@ CMD(keys, "keys", "", CMD_REF(list), "[P cout << '\n'; } + if (!bad_keys.empty()) + { + W(F("Some keys in the database have the same ID as, ")); + W(F("but different hashes to, keys in your local key store!")); + for (set::const_iterator i = bad_keys.begin(); i != bad_keys.end(); i++) + { + W(F("Mismatched Key: %s") % *i); + } + } + if (pubkeys.size() == 0 && privkeys.size() == 0) {
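Review bot: The fetch-and-compare sequence added in this `else if` branch (`get_key` from the database, `get_key_pair` from the key store, then `keys_match` on the public halves) duplicates the one this commit adds to get_user_key in cert.cc. The signing path and `list keys` can therefore drift apart if only one of them is changed later. A single helper that takes the key id and reports whether the database copy agrees with the key store copy, called from both places, would keep the two checks identical. The comment would also be clearer if it named the condition the branch relies on, e.g. `// key id is present in both the database and the key store; compare the public halves`. The `if` this branch hangs off starts outside the hunk.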
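Review bot: The mismatch warning in the `if (!bad_keys.empty())` block is split across two `W(F(...))` calls that each hold a sentence fragment, so it is presumably printed as two separate warnings and translators get two strings they cannot reorder. cert.cc in the same commit uses one format string with an embedded newline, and this block should match it: `W(F("Some keys in the database have the same ID as,\n" "but different hashes to, keys in your local key store!"));`. The text also gives no hint of what the mismatch means for the user; since signing with such a key now fails, a closing line stating that consequence would help anyone reading `list keys` output. The word "hashes" may be imprecise if `keys_match` compares key data rather than hashes, but its definition is not shown here.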