Using second keyring may be misleading?

Georgi Guninski guninski at guninski.com
Thu Jun 14 16:10:29 CEST 2012


I was investigating Ubuntu's apt-key key management.

Noticed that a collision in the keyids leads to strange results.

The first command claims Ubuntu signed my key (false), and the second
shows the key is self-signed.

Attached is a keyring and here is the output:

$rm -rf /home/joro2/.gnupg/ ; gpg --import /usr/share/keyrings/ubuntu-master-keyring.gpg ; gpg --check-sigs --keyring /tmp/sec3
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found
/home/joro2/.gnupg/pubring.gpg
------------------------------
pub   4096R/3F272F5B 2007-11-09
uid                  Ubuntu Archive Master Signing Key <ftpmaster at ubuntu.com>
sig!3        3F272F5B 2007-11-09  Ubuntu Archive Master Signing Key <ftpmaster at ubuntu.com>

/tmp/sec3
---------
pub   1024R/B1C08810 2012-06-14
uid                  kkkkkkk5 <k at k>
sig!3        B1C08810 2012-06-14  [User ID not found]
sig!         3F272F5B 2012-06-14  Ubuntu Archive Master Signing Key <ftpmaster at ubuntu.com>
sig!         3F272F5B 2012-06-14  Ubuntu Archive Master Signing Key <ftpmaster at ubuntu.com>
sub   1024R/0354AE88 2012-06-14
sig!         B1C08810 2012-06-14  [User ID not found]
sub   2179R/3F272F5B 2012-06-14
sig!         B1C08810 2012-06-14  [User ID not found]

1 signature not checked due to a missing key


$rm -rf /home/joro2/.gnupg/ ; gpg --import /usr/share/keyrings/ubuntu-master-keyring.gpg ; gpg --no-default-keyring --check-sigs --keyring /tmp/sec3

gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found
/tmp/sec3
---------
pub   1024R/B1C08810 2012-06-14
uid                  kkkkkkk5 <k at k>
sig!3        B1C08810 2012-06-14  kkkkkkk5 <k at k>
sig!         3F272F5B 2012-06-14  kkkkkkk5 <k at k>
sig!         3F272F5B 2012-06-14  kkkkkkk5 <k at k>
sub   1024R/0354AE88 2012-06-14
sig!         B1C08810 2012-06-14  kkkkkkk5 <k at k>
sub   2179R/3F272F5B 2012-06-14
sig!         B1C08810 2012-06-14  kkkkkkk5 <k at k>


Ubuntu's key importing is close to this; if interested, check the bash
file "apt-key".

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sec3
Type: application/octet-stream
Size: 2033 bytes
Desc: not available
URL: </pipermail/attachments/20120614/b47bd9af/attachment.obj>
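The report above turns on one fact: the 8-hex-digit key ID that `gpg --check-sigs` prints for a signature's issuer is only the low 32 bits of the key's fingerprint, so a subkey on /tmp/sec3 and the Ubuntu master key in the default keyring can share the ID 3F272F5B while having unrelated fingerprints, and a lookup by that ID across both keyrings is ambiguous. The following Python script is an added example, not code from the post, from GnuPG, or from apt-key. It computes a real RFC 4880 v4 fingerprint for a constructed key packet (dummy MPIs, not a real RSA key), models the two keyrings with constructed fingerprints whose only true detail is the trailing key ID taken from the report, and shows a resolver that refuses an issuer lookup when more than one key matches instead of silently picking one.

```python
"""Added example: a 32-bit OpenPGP key ID is a hash suffix, not an identity.

All fingerprints below are constructed; only their last 8 hex digits are the
key IDs that appear in the mailing-list report.  The packet hashed by
v4_fingerprint() holds dummy MPIs, not a usable RSA key.
"""
import hashlib
import struct


def v4_fingerprint(creation_time, algo, mpis):
    """OpenPGP v4 fingerprint (RFC 4880 section 12.2): SHA-1 over
    0x99 || 2-byte body length || body, where body is
    version (0x04) || 4-byte creation time || algorithm id || MPIs.
    Each MPI is a 2-byte bit count followed by its big-endian magnitude."""
    body = b"\x04" + struct.pack(">I", creation_time) + bytes([algo])
    for mpi in mpis:
        magnitude = mpi.lstrip(b"\x00")          # MPIs carry no leading zero bytes
        bits = int.from_bytes(magnitude, "big").bit_length()
        body += struct.pack(">H", bits) + magnitude
    header = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(header + body).hexdigest().upper()


def short_keyid(fingerprint):
    """The 'short' key ID gpg prints (e.g. 3F272F5B) is the low 32 bits."""
    return fingerprint[-8:]


def long_keyid(fingerprint):
    """The 64-bit key ID is the low 64 bits; still a suffix, not the key."""
    return fingerprint[-16:]


class Keyring:
    """Minimal keyring model: every key (primary or subkey) maps to the
    user ID of the primary key it belongs to."""

    def __init__(self, name):
        self.name = name
        self.owner = {}

    def add_key(self, uid, primary_fpr, subkey_fprs=()):
        self.owner[primary_fpr] = uid
        for fpr in subkey_fprs:
            self.owner[fpr] = uid
        return self


def resolve_issuer(issuer_keyid, keyrings):
    """Find the key a signature's issuer key ID refers to across all loaded
    keyrings (what happens without --no-default-keyring).  Any key whose
    fingerprint ends in the given hex digits matches, so short IDs, long
    IDs and full fingerprints all work.  Returns (status, matches) with
    status 'unique', 'ambiguous' or 'missing'; a caller that attributes a
    signature must treat anything but 'unique' as unverified."""
    needle = issuer_keyid.upper()
    matches = [(kr.name, fpr, uid)
               for kr in keyrings
               for fpr, uid in kr.owner.items()
               if fpr.endswith(needle)]
    if not matches:
        return "missing", matches
    if len(matches) > 1:
        return "ambiguous", matches
    return "unique", matches


# Constructed fingerprints; only the trailing key IDs come from the report.
UBUNTU_FPR = "A" * 32 + "3F272F5B"    # Ubuntu Archive Master Signing Key
JORO_PRIMARY = "B" * 32 + "B1C08810"  # kkkkkkk5 <k at k>, primary key
JORO_ENC_SUB = "C" * 32 + "0354AE88"  # 1024-bit subkey
JORO_COLLIDE = "D" * 32 + "3F272F5B"  # 2179-bit subkey sharing Ubuntu's short ID


def build_keyrings():
    """The two keyrings from the report: the default pubring holding the
    Ubuntu master key, and /tmp/sec3 holding the attached key."""
    default = Keyring("pubring.gpg").add_key(
        "Ubuntu Archive Master Signing Key <ftpmaster at ubuntu.com>", UBUNTU_FPR)
    sec3 = Keyring("/tmp/sec3").add_key(
        "kkkkkkk5 <k at k>", JORO_PRIMARY, [JORO_ENC_SUB, JORO_COLLIDE])
    return default, sec3


def check_report(keyrings):
    """Resolve the issuer 3F272F5B of the two signatures on the kkkkkkk5 key
    against whichever keyrings are loaded."""
    return resolve_issuer("3F272F5B", keyrings)


if __name__ == "__main__":
    default, sec3 = build_keyrings()
    print("both keyrings :", check_report([default, sec3]))   # ambiguous
    print("sec3 only     :", check_report([sec3]))            # unique, self-signed
    print("by fingerprint:", resolve_issuer(JORO_COLLIDE, [default, sec3]))
    fpr = v4_fingerprint(0x4FD9D0E0, 1, [b"\x01" * 128, b"\x01\x00\x01"])
    print("constructed key:", fpr, "short ID", short_keyid(fpr))
```

With both keyrings loaded the resolver reports the 3F272F5B issuer as ambiguous rather than attributing the signature to the Ubuntu key, which is the property a tool like apt-key needs; with /tmp/sec3 alone it resolves uniquely to the kkkkkkk5 subkey, matching the second run in the report. Resolving by the full fingerprint (`JORO_COLLIDE`) is never ambiguous, which is why verification code should compare fingerprints and not the printed key ID.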

