Multiple signatures after import.
Yenot
yenot@sec.to
Wed Apr 9 16:40:02 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thursday 03 April 2003 08:15 pm, David Shaw wrote:
> On Tue, Mar 25, 2003 at 06:59:11PM +0100, Janusz A. Urbanowicz wrote:
> > On Tue, Mar 25, 2003 at 12:34:18PM -0500, David Shaw wrote:
> > > On Tue, Mar 25, 2003 at 02:24:24PM +0100, Janusz A. Urbanowicz wrote:
> > > > Lately I organized a small keysigning party for a local user group.
> > > > After I gathered all the signatures on my key, the self-signs on the
> > > > key are duplicated (this is the output of gpg -kvv):
> > >
> > > GnuPG doesn't trim duplicates on newly imported keys - only on merged
> > > keys (i.e. if you already have the key in your keyring). How did you
> > > gather the signatures to make this key in the first place?
> >
> > I made a clean gnupg home dir, imported keys of participants, then
> > reimported keys as they was coming back from people, with new signatures.
> > This was done on ten on twenty launches of gpg command with given home.
> >
> > It looks like it merged my key as it come from various people with new
> > sigs - without removing the duplicates.
>
> I don't suppose you can duplicate this problem? I've been trying, and
> I can't do it here without manually creating such a key with gpgsplit.
I actually have seen this. It may not be related to the original
poster's problem, but here's a way to create a UID with multiple
self signatures (GnuPG 1.2.1):
1) edit one of your keys
2) add a new UID
3) add *the same* UID again (do not exit after step 2)
4) now exit
GnuPG will merge the two UID's, but it will not merge the two self
signatures.
The signatures are in fact different, because their creation time
is not identical. PGP 8.02 always retains such signatures, but
GnuPG considers them duplicates and [usually] merges them. Since
the creation date showed in commercial PGP doesn't include
hours/minutes, the end user cannot tell that the signatures are
not identical if they were created on the same day. The problem
in GnuPG is the same, in the above example.
- Yenot
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+lC9jP247TY29IxARAiEfAJ44WimsjvvDFETytC8uQTUOPpZPWwCfZHpl
SSSSkq0Zx1Hq6F5FB88L79g=
=Z+9P
-----END PGP SIGNATURE-----