Warning: Key export fails if primary uid has been changed

Ingo Klöcker ingo.kloecker@epost.de
Thu Sep 27 01:36:01 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I just played around a little bit with the development version GnuPG
1.0.6a. I used it to change my primary user id.
But now exporting my key doesn't work correctly anymore with the last
stable version of GnuPG, while it does work correctly with the
development version.

Export with development version (1.0.6a):
ingo@erwin:~ > test/bin/gpg --export --armor 0x30E0B9D8 >0x30E0B9D8.1.0.6a.asc
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
ingo@erwin:~ > gpg --verbose 0x30E0B9D8.1.0.6a.asc
gpg: armor header: Version: GnuPG v1.0.6a (GNU/Linux)
pub  1024D/30E0B9D8 2000-10-16 Ingo Klöcker <ingo.kloecker@epost.de>
sig        30E0B9D8 2000-10-16   [selfsig]
sig        AC0EB35D 2000-10-16   Ingo Kloecker <ingo@matha.rwth-aachen.de>
[snip]

Export with stable version (1.0.6):
ingo@erwin:~ > gpg --export --armor 0x30E0B9D8 >0x30E0B9D8.1.0.6.asc
ingo@erwin:~ > gpg --verbose 0x30E0B9D8.1.0.6.asc
gpg: armor header: Version: GnuPG v1.0.6 (GNU/Linux)
gpg: armor header: Comment: For info see http://www.gnupg.org
pub  1024D/30E0B9D8 2000-10-16 Ingo Klöcker <ingo.kloecker@epost.de>
sig        30E00910 2000-10-16   [User id not found]
sig        AC0EB35D 2000-10-16   Ingo Kloecker <ingo@matha.rwth-aachen.de>
[snip]

As you can see the self signature on the primary user id is broken
resp. the key id is wrong. The self signatures on all other user ids
are not affected.

If one uses 'gpg -vv' one gets the following difference:
ingo@erwin:~ > diff 0x30E0B9D8.106.gpg-vv 0x30E0B9D8.106a.gpg-vv
8c8
< :signature packet: algo 17, keyid 1A747E4530E00910
- ---
> :signature packet: algo 17, keyid 1A747E4530E0B9D8
17c17
< subpkt 16 len 9 (issuer key ID 1A747E4530E00910)
- ---
> subpkt 16 len 9 (issuer key ID 1A747E4530E0B9D8)
141c141
< sig 30E00910 2000-10-16 [User id not found]
- ---
> sig 30E0B9D8 2000-10-16 [selfsig]

So everybody who has used the development version of GnuPG to change
the primary user id of his key shouldn't use an older version of GnuPG
afterwards to export or upload the changed key to a keyserver.

This bug is reproducible:
a) Create a new key with 1.0.6.
b) Add a 2nd uid with 1.0.6. Now the 2nd uid is the primary uid.
c) Use 1.0.6a to make the 1st uid the primary uid.
d) Export the changed key with 1.0.6 and 1.0.6a and note the
   difference.

Remark: The wrong key id in my test to reproduce this bug also ended
with 0x0910. So the last two bytes of the key id of the self signature
seem to be overwritten by 0x0910 for some reason.

Regards,
Ingo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7smYkGnR+RTDgudgRAgvSAJ4q3xcSLmYfUksMcTkTouM3Mh0CdACeMvD9
RyFTWsX+TuBYHJ4bqJgnnJs=
=v7rG
-----END PGP SIGNATURE-----
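
A pre-upload check for the symptom reported above, as an added example that is not part of the original message and not GnuPG code: it scans saved `gpg -vv` output for signature or issuer key IDs that agree with the primary key ID in the leading bytes but differ at the end. The function name, the 6-byte prefix threshold and the third-party key ID in the sample are assumptions.

```python
import re

# Line shapes copied from the `gpg -vv` output quoted in the message above.
SIG_RE = re.compile(r":signature packet: algo \d+, keyid ([0-9A-Fa-f]{16})")
ISSUER_RE = re.compile(r"\(issuer key ID ([0-9A-Fa-f]{16})\)")

def check_export(listing, primary_keyid, shared_bytes=6):
    """Return (intact, damaged) for a `gpg -vv` listing of an exported key.

    intact:  number of signature packets issued by primary_keyid.
    damaged: (line_number, keyid) for every signature or issuer key ID that
             equals the primary key ID in its first shared_bytes bytes but is
             not identical to it. Such an ID cannot plausibly belong to a
             different key, so it is treated as a corrupted issuer.
    """
    primary = primary_keyid.upper()
    if not re.fullmatch(r"[0-9A-F]{16}", primary):
        raise ValueError("primary_keyid must be a 16-hex-digit long key ID")
    n = shared_bytes * 2
    intact, damaged = 0, []
    for lineno, line in enumerate(listing.splitlines(), start=1):
        sig = SIG_RE.search(line)
        m = sig or ISSUER_RE.search(line)
        if not m:
            continue
        keyid = m.group(1).upper()
        if keyid == primary:
            intact += 1 if sig else 0  # count packets, not their subpackets
        elif keyid[:n] == primary[:n]:
            damaged.append((lineno, keyid))
    return intact, damaged

PRIMARY = "1A747E4530E0B9D8"  # long key ID from the message's diff
# Constructed sample: the first pair uses the damaged ID from the 1.0.6
# listing in the message; the second pair is a third-party signature with a
# made-up key ID.
SAMPLE_106 = (
    ":signature packet: algo 17, keyid 1A747E4530E00910\n"
    "\tsubpkt 16 len 9 (issuer key ID 1A747E4530E00910)\n"
    ":signature packet: algo 17, keyid 1111111122222222\n"
    "\tsubpkt 16 len 9 (issuer key ID 1111111122222222)\n"
)
SAMPLE_106A = SAMPLE_106.replace("1A747E4530E00910", PRIMARY)

if __name__ == "__main__":
    for name, text in (("1.0.6", SAMPLE_106), ("1.0.6a", SAMPLE_106A)):
        print(name, check_export(text, PRIMARY))
```

An export is safe to upload only when `damaged` is empty and `intact` is at least 1; the unrelated third-party signature is ignored in both samples.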