verify output (was: Keyserver rejection filter and signing subkeys)

Werner Koch wk at gnupg.org
Wed Jul 30 17:35:08 CEST 2014


On Wed, 30 Jul 2014 14:52, kristian.fiskerstrand at sumptuouscapital.com
said:
> I was thinking more along the lines of

>   $ gpg --verify --with-fingerprint foo
>   gpg: Signature made Wed Jul 30 10:08:40 2014 CEST using DSA key ID 77F95F95
>   gpg: Primary key fingerprint:
>   gpg:         8061 5870 F5BA D690 3336  86D0 F2AD 85AC 1E42 B367
>   gpg: Subkey fingerprint:
>   gpg:         E4B8 68C8 F90C 8964 B5AF  9DBC 4F05 40D5 77F9 5F95
>   gpg: Good signature from "Werner Koch <wk at gnupg.org>"

Ah yes.  However, is the subkey fingerprint really useful?  It may lead
to more confusion.  We usually try to hide the fact that there are
subkeys and present only the primary fingerprint.  What about this?


--8<---------------cut here---------------start------------->8---
gpg: Signature made Wed Jul 30 10:08:40 2014 CEST using DSA key ID 77F95F95
gpg:   Key fingerprint = 8061 5870 F5BA D690 3336  86D0 F2AD 85AC 1E42 B367
gpg: Good signature from "Werner Koch <wk at gnupg.org>"
gpg:                 aka "Werner Koch <wk at g10code.com>"
gpg:                 aka "Werner Koch <werner  at eifzilla>"
--8<---------------cut here---------------end--------------->8---

or with the new algorithm info format:

--8<---------------cut here---------------start------------->8---
gpg: Signature made Wed Jul 30 10:08:40 2014 CEST using dsa2048/77F95F95
gpg:     key fingerprint 8061 5870 F5BA D690 3336  86D0 F2AD 85AC 1E42 B367
gpg: Good signature from "Werner Koch <wk at gnupg.org>"
gpg:                 aka "Werner Koch <wk at g10code.com>"
gpg:                 aka "Werner Koch <werner  at eifzilla>"
--8<---------------cut here---------------end--------------->8---

or the one which looks best to me:

--8<---------------cut here---------------start------------->8---
gpg: Signature made Wed Jul 30 10:08:40 2014 CEST using dsa2048/77F95F95
gpg: Good signature from "Werner Koch <wk at gnupg.org>"
gpg:                 aka "Werner Koch <wk at g10code.com>"
gpg:                 aka "Werner Koch <werner  at eifzilla>"
gpg:     key fingerprint 8061 5870 F5BA D690 3336  86D0 F2AD 85AC 1E42 B367
--8<---------------cut here---------------end--------------->8---

All of them will lead to the question why the keyid does not match the
fingerprint.  However, this can easily be explained in the FAQ.

Should we print the fingerprint for a /BAD signature/, too?


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
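
The key ID versus fingerprint mismatch that the message expects users to ask about, worked through as an added example (not part of the original message and not GnuPG code). It parses two of the layouts shown above, shows that the key ID is the tail of the subkey fingerprint rather than of the primary one, and compares the full primary fingerprint against a pinned value; the function names and the idea of a pinned fingerprint are assumptions made for illustration.

```python
import re

# Two of the layouts from the message, copied here as sample input.
QUOTED = """\
gpg: Signature made Wed Jul 30 10:08:40 2014 CEST using DSA key ID 77F95F95
gpg: Primary key fingerprint:
gpg:         8061 5870 F5BA D690 3336  86D0 F2AD 85AC 1E42 B367
gpg: Subkey fingerprint:
gpg:         E4B8 68C8 F90C 8964 B5AF  9DBC 4F05 40D5 77F9 5F95
gpg: Good signature from "Werner Koch <wk at gnupg.org>"
"""
PROPOSED = """\
gpg: Signature made Wed Jul 30 10:08:40 2014 CEST using dsa2048/77F95F95
gpg: Good signature from "Werner Koch <wk at gnupg.org>"
gpg:     key fingerprint 8061 5870 F5BA D690 3336  86D0 F2AD 85AC 1E42 B367
"""

KEYID = re.compile(r"using (?:\w+ key ID |\w+/)([0-9A-F]{8,16})$")
FPR = re.compile(r"((?:[0-9A-F]{4}\s+){9}[0-9A-F]{4})$")

def parse_verify(text):
    """Extract key ID, signature status and fingerprints from gpg output."""
    info = {"keyid": None, "status": None, "primary": None, "subkey": None}
    label = "primary"
    for line in text.splitlines():
        body = re.sub(r"^gpg:\s*", "", line).strip()
        if m := KEYID.search(body):
            info["keyid"] = m.group(1)
        if m := re.match(r"(Good|BAD) signature", body):
            info["status"] = m.group(1).upper()
        # A heading line says which key the next fingerprint belongs to.
        if body.lower().startswith("subkey fingerprint"):
            label = "subkey"
        elif "fingerprint" in body.lower():
            label = "primary"
        if m := FPR.search(body):
            info[label] = "".join(m.group(1).split())
    return info

def made_by_subkey(info):
    """A v4 key ID is the tail of the signing key's own fingerprint, so a
    key ID that is not the tail of the primary fingerprint means a subkey."""
    return not info["primary"].endswith(info["keyid"])

def trusted(info, pinned_primary):
    """Accept only a good signature whose primary fingerprint is the pinned one."""
    return info["status"] == "GOOD" and info["primary"] == pinned_primary
```

The human-readable text parsed here is only used to illustrate the layouts under discussion; scripts that verify signatures should read gpg's `--status-fd` output, which is the interface meant for machine parsing.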



