Multiple signatures after import.
yenot at sec.to
Wed Apr 9 17:40:02 CEST 2003
-----BEGIN PGP SIGNED MESSAGE-----
On Thursday 03 April 2003 08:15 pm, David Shaw wrote:
> On Tue, Mar 25, 2003 at 06:59:11PM +0100, Janusz A. Urbanowicz wrote:
> > On Tue, Mar 25, 2003 at 12:34:18PM -0500, David Shaw wrote:
> > > On Tue, Mar 25, 2003 at 02:24:24PM +0100, Janusz A. Urbanowicz wrote:
> > > > Lately I organized a small keysigning party for a local user group.
> > > > After I gathered all the signatures on my key, the self-signs on the
> > > > key are duplicated (this is the output of gpg -kvv):
> > >
> > > GnuPG doesn't trim duplicates on newly imported keys - only on merged
> > > keys (i.e. if you already have the key in your keyring). How did you
> > > gather the signatures to make this key in the first place?
> > I made a clean gnupg home dir, imported keys of participants, then
> > reimported keys as they was coming back from people, with new signatures.
> > This was done on ten on twenty launches of gpg command with given home.
> > It looks like it merged my key as it come from various people with new
> > sigs - without removing the duplicates.
> I don't suppose you can duplicate this problem? I've been trying, and
> I can't do it here without manually creating such a key with gpgsplit.
I actually have seen this. It may not be related to the original
poster's problem, but here's a way to create a UID with multiple
self signatures (GnuPG 1.2.1):
1) edit one of your keys
2) add a new UID
3) add *the same* UID again (do not exit after step 2)
4) now exit
GnuPG will merge the two UID's, but it will not merge the two self
The signatures are in fact different, because their creation time
is not identical. PGP 8.02 always retains such signatures, but
GnuPG considers them duplicates and [usually] merges them. Since
the creation date showed in commercial PGP doesn't include
hours/minutes, the end user cannot tell that the signatures are
not identical if they were created on the same day. The problem
in GnuPG is the same, in the above example.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the Gnupg-devel