Equivalent segments between different Fedora & RPM Fusion ASCII armored key blocks

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Dec 1 19:12:15 CET 2009


On 11/29/2009 04:51 PM, wavelength wrote:
> Can someone explain why large segments within the ASCII armored key blocks of
> Fedora 11 & 12 match? Attached below are the respective key blocks. Two
> matching regions between the blocks are highlighted with bold arrows.

These blocks are actually certificates, not just public keys -- that is,
each one contains a public key, one or more User IDs, and a signature
for each User ID from the public key, binding it to the given User ID.
The entire thing is Base64-encoded, but the User ID packets in there are
simple UTF-8 text (and the two certificates have very similar User IDs).

So the similar regions are most likely the regions of each certificate
that contain the User ID.

Try the following transformation on each key to see the internals in
ascii-ish form:

 grep '^[^-]' $KEYFILE | base64 -d | hd

Search through the right-hand columns of the output for "fedora".

You might also be interested in breaking the certificate apart into its
component elements.  You can use gpgsplit for this.  Set KEYID to the
key you're interested in, and:

 mkdir $KEYID-parts && \
  (cd $KEYID-parts && gpg --export $KEYID | gpgsplit) && \
  ls -l $KEYID-parts

Compare the *.user_id pieces of each key to see how similar they
are.

> Also, what do the last 8 digits signify in the output below?
> 
> rpm -qa gpg-pubkey*
> 
> gpg-pubkey-16ca1a56-4a100959
> gpg-pubkey-57bbccba-4a6f97af

No idea.  These appear to be fedora package names, if my memory of rpm
is correct.  Perhaps you should ask this question on a fedora list?

	--dkg
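
The structure described in the reply above, as an added example that is not part of the original post: a small parser that strips the ASCII armor, walks the OpenPGP packet headers and returns the User ID packets as text. The sample() helper, its placeholder key and signature bodies, its fake checksum line and the example.org User ID are all constructed for illustration.

```python
import base64

def dearmor(text):
    """Return the binary packet data inside one ASCII-armored block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:]   # armor headers end at the first blank line
    # Skip the END line and the "=XXXX" CRC-24 line; neither is packet data.
    return base64.b64decode("".join(l for l in body if l and l[0] not in "-="))

def packets(data):
    """Yield (tag, body) per packet; header layout per RFC 4880 section 4.2."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                   # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:                            # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            n, i = int.from_bytes(data[i:i + (1 << ltype)], "big"), i + (1 << ltype)
        if i + n > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + n]
        i += n

def user_ids(armored):
    """User ID packets (tag 13) are plain UTF-8 text."""
    return [body.decode("utf-8") for tag, body in packets(dearmor(armored)) if tag == 13]

def sample(uid):
    """Constructed block, NOT a usable key: placeholder key, signature and checksum."""
    u = uid.encode()
    raw = (b"\x99\x00\x04\x04KEY"            # old format, tag 6, 2-byte length
           + bytes([0xCD, len(u)]) + u       # new format, tag 13, 1-byte length
           + b"\x88\x03SIG")                 # old format, tag 2, 1-byte length
    b64 = base64.b64encode(raw).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
            + wrapped + "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Calling user_ids() on the text of an exported key file lists the same strings that end up in gpgsplit's *.user_id pieces.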
