public key import issue

Bernard bht at
Mon Nov 24 11:09:11 CET 2003


GNUPG allows me to import multiple duplicate public keys with
different fingerprints.

If an application requests encryption for a key that has duplicates in
the GNUPG keyring, then it is not clear which of these duplicates
GNUPG uses for encryption.

It appears from my experience that GNUPG selects the duplicates
randomly, e.g. in case of two duplicates, it sometimes uses the old
key and other times it uses the new key. What causes this randomness
is not clear to me. Maybe this is a system clock issue.

The result can be that the recipient cannot decrypt the message
because it either does not have the passphrase or does not have the
entire private key that belongs to the (old) duplicate public key that
was used by the sender.
In my case, the recipient did not have the passphrase.

This can cause disaster.

Is this a known issue?
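
The ambiguity described in this post is a keyring with two keys carrying the same user ID. The script below is an added example, not code from the original post or from the GnuPG project: it parses the machine-readable listing that `gpg --list-keys --with-colons` produces (the sample listing is constructed here, not a real keyring; field positions follow GnuPG's doc/DETAILS), reports every user ID that appears on more than one primary key, and builds the `--recipient` argument from the full 40-hex fingerprint so that exactly one key is selected. The `live_listing()` helper that shells out to a real `gpg` binary is an assumption about the caller's environment and is not used by the sample run.

```python
"""Find user IDs shared by several GnuPG public keys and pin recipients
by fingerprint (added example, not part of the original post)."""
import subprocess
from collections import defaultdict

# Constructed sample of `gpg --list-keys --with-colons` output: the user ID
# "Alice Example" appears on two different keys (two fingerprints), which is
# the situation the post describes. Bob has a single key.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:2048:1:1111111111111111:1040000000:::u:::scESC::::::23::0:
fpr:::::::::AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111:
uid:u::::1040000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.test>::::::::::0:
sub:u:2048:1:2222222222222222:1040000000::::::e::::::23:
pub:u:2048:1:3333333333333333:1069000000:::u:::scESC::::::23::0:
fpr:::::::::BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222:
uid:u::::1069000000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Alice Example <alice@example.test>::::::::::0:
sub:u:2048:1:4444444444444444:1069000000::::::e::::::23:
pub:u:2048:1:5555555555555555:1069000000:::u:::scESC::::::23::0:
fpr:::::::::CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333:
uid:u::::1069000000::0011223344556677889900112233445566778899::Bob Example <bob@example.test>::::::::::0:
"""


def parse_listing(text):
    """Return {primary_fingerprint: [user ids]} from a --with-colons listing.

    Record layout (doc/DETAILS): field 1 is the record type; for 'fpr'
    records field 10 is the fingerprint, for 'uid' records field 10 is the
    user ID string. Only the first 'fpr' after each 'pub' is the primary
    key's fingerprint; 'fpr' records following 'sub' belong to subkeys.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            current = {"fpr": None, "uids": []}
        elif rec == "fpr" and current is not None and current["fpr"] is None:
            current["fpr"] = fields[9]
            keys[current["fpr"]] = current["uids"]
        elif rec == "uid" and current is not None:
            current["uids"].append(fields[9])
        elif rec == "sub":
            # uid records precede subkeys, so nothing after this belongs
            # to the primary key's identity list
            current = None
    return keys


def duplicate_uids(keys):
    """Map each user ID carried by more than one primary key to the sorted
    list of those keys' fingerprints. An empty result means every user ID
    resolves to exactly one key."""
    by_uid = defaultdict(set)
    for fpr, uids in keys.items():
        for uid in uids:
            by_uid[uid].add(fpr)
    return {uid: sorted(fprs) for uid, fprs in by_uid.items() if len(fprs) > 1}


def recipient_args(fingerprint):
    """gpg arguments selecting one key unambiguously: a full 40-hex
    fingerprint matches a single key, unlike a name or e-mail address."""
    if len(fingerprint) != 40 or any(c not in "0123456789ABCDEF" for c in fingerprint):
        raise ValueError("expected a full 40-hex-digit fingerprint")
    return ["--recipient", fingerprint]


def live_listing():
    """Read the caller's real keyring (assumed: a gpg binary on PATH)."""
    out = subprocess.run(["gpg", "--list-keys", "--with-colons"],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    keys = parse_listing(SAMPLE_LISTING)
    for uid, fprs in duplicate_uids(keys).items():
        print(f"{uid!r} is on {len(fprs)} keys; choose one explicitly:")
        for fpr in fprs:
            print("  gpg --encrypt", " ".join(recipient_args(fpr)), "...")
```

Running the script against the sample prints the two candidate fingerprints for the shared "Alice Example" user ID; replace `SAMPLE_LISTING` with `live_listing()` to audit a real keyring before sending anything to a name that might match more than one key.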

