Multiple signatures after import.
David Shaw
dshaw@jabberwocky.com
Sun Apr 13 22:06:02 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sun, Apr 13, 2003 at 12:00:32PM +0400, Yenot wrote:
> On Friday 11 April 2003 11:55 pm, David Shaw wrote:
> > On Wed, Apr 09, 2003 at 06:34:08PM +0400, Yenot wrote:
> > > I actually have seen this. It may not be related to the original
> > > poster's problem, but here's a way to create a UID with multiple
> > > self signatures (GnuPG 1.2.1):
> > >
> > > 1) edit one of your keys
> > > 2) add a new UID
> > > 3) add *the same* UID again (do not exit after step 2)
> > > 4) now exit
> > >
> > > GnuPG will merge the two UID's, but it will not merge the two self
> > > signatures.
> > >
> > > The signatures are in fact different, because their creation time
> > > is not identical. PGP 8.02 always retains such signatures, but
> > > GnuPG considers them duplicates and [usually] merges them.
> >
> > No. GnuPG will never remove a signature if it is not byte-for-byte
> > identical with an existing signature. Two signatures with two
> > different creation dates are not identical and are not merged.
> >
> > The behavior you cite above is a feature, not a bug.
>
> I did some more testing. To me, it looks like GnuPG 1.2.1 *is*
> merging non byte-for-byte signatures -- but the result depends
> on the order of operations.
>
> For a test case, I've attached "bob1.asc" and "bob2.asc". Both
> files contain the same key for UID "bob@test.com". In both files
> there is a single self-signature on the UID, but the self-signature
> in "bob1.asc" has a creation date 13 seconds before the signature
> in "bob2.asc".
>
> gpg --import bob1.asc bob2.asc [Keeps both signatures.]
> gpg --import bob2.asc bob1.asc [Removes older signature in bob1.asc]
This is not signature merging. Given two valid self-signatures, GnuPG
will not import an older self-signature if a newer one is present.
(Even if it is present, the older of the two is ignored.)
David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2rc1 (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc
iD8DBQE+mb064mZch0nhy8kRAl4OAJ9fN7HYTN0lHORpUgSiyLlRUhDYOwCgynBZ
fTpx4kCqRmECO8MirL6VdDI=
=1M8N
-----END PGP SIGNATURE-----
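
Added example, not part of the original message or of GnuPG: a small Python check that reads a packet listing in the style of `gpg --list-packets` and reports user IDs carrying more than one self-signature, along with the newest one, which per the reply above is the one that counts. The sample listing, key IDs, timestamps and the function names are constructed for illustration, and the exact listing layout is an assumption that may differ between GnuPG versions.

```python
import re

# Constructed sample in the style of `gpg --list-packets` output; key IDs and
# timestamps are made up (the two self-signatures are 13 seconds apart).
SAMPLE = """\
:public key packet:
\tversion 4, algo 17, created 1050220000, expires 0
:user ID packet: "bob@test.com"
:signature packet: algo 17, keyid 1111222233334444
\tversion 4, created 1050220800, md5len 0, sigclass 13
:signature packet: algo 17, keyid 1111222233334444
\tversion 4, created 1050220813, md5len 0, sigclass 13
:signature packet: algo 17, keyid AAAABBBBCCCCDDDD
\tversion 4, created 1050230000, md5len 0, sigclass 10
:public sub key packet:
\tversion 4, algo 16, created 1050220000, expires 0
:signature packet: algo 17, keyid 1111222233334444
\tversion 4, created 1050220800, md5len 0, sigclass 18
"""

UID_RE = re.compile(r'^:user ID packet: "(.*)"$')
SIG_RE = re.compile(r'^:signature packet: .*keyid ([0-9A-Fa-f]+)')
META_RE = re.compile(r'created (\d+),.*sigclass (?:0x)?([0-9A-Fa-f]{2})')
CERT_CLASSES = {0x10, 0x11, 0x12, 0x13}  # OpenPGP certification signatures


def self_sigs_by_uid(listing, primary_keyid):
    """Map each user ID to the sorted creation times of its self-signatures."""
    result, uid, signer = {}, None, None
    for line in listing.splitlines():
        if line.startswith(":"):  # a packet header resets the signer
            uid_m, sig_m = UID_RE.match(line), SIG_RE.match(line)
            signer = sig_m.group(1).upper() if sig_m else None
            if uid_m:
                uid = uid_m.group(1)
                result.setdefault(uid, [])
            elif not sig_m:
                uid = None  # key or subkey packet: no longer under a UID
            continue
        m = META_RE.search(line)
        if (m and uid is not None and signer == primary_keyid.upper()
                and int(m.group(2), 16) in CERT_CLASSES):
            result[uid].append(int(m.group(1)))
    return {u: sorted(t) for u, t in result.items()}


def duplicates(listing, primary_keyid):
    """UIDs with more than one self-signature -> (newest, [older ones])."""
    sigs = self_sigs_by_uid(listing, primary_keyid)
    return {u: (t[-1], t[:-1]) for u, t in sigs.items() if len(t) > 1}
```

The primary key ID is passed in explicitly because a self-signature is identified here by its issuer matching the primary key; third-party certifications and subkey binding signatures are skipped.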