v3/v4 keys - v3/v4 signatures

David Shaw dshaw@jabberwocky.com
Thu Jul 11 16:45:01 2002

On Thu, Jul 11, 2002 at 04:26:33PM +0200, Ivo Alxneit wrote:
> hi
> i generated my standard DSA/ElGamal key with gnupg 1.0.6 and probably
> had (inadvertently) 'force-v3-sigs' in my options file. at least i have a
> v3 self-signature on my v4 key(v4 right?). why a v3 signature?
> 'force-v3-sigs' only affects data signatures but not key certificates.
> now i removed 'force-v3-sigs' from my options file and i found that
> whatever key i sign (i.e. certify) gets a v3 signature. is this correct?
> from the man pages i understand that a v4 key by default certifies keys
> with a v4 signature. 'force-v3-sigs' only affects signatures of data but
> not of keys. the only thing you can force gnupg to do is to sign a v3
> key with a v4 signature ('force-v4-certs').
> could anybody please clarify the behavior (or my misunderstanding)

When signing a key, v3 keys make v3 certs and v4 keys make v4 certs,
except when force-v4-certs is set or you are signing a v4 key with a
v3 key in which case make a v4 cert always.

When signing data, v3 keys make v3 sigs, and v4 keys make v4 sigs,
except when force-v3-sigs is set in which case make a v3 sig always.

If you are seeing behavior other than that, I'd be interested in the
details.  Are you sure your v4 key has a v3 selfsig?  I fetched it
from the keyserver and checked - at least the copy there has v4

Is it possible you are looking at the number after the "sig" in a key

sig 3       515E30C7 2002-02-11   Ivo Alxneit.....

That "3" doesn't mean v3.  It means "very carefully checked".  All
selfsigs in GnuPG are level 3, as you can usually trust that you are
yourself when signing your own key ;)


   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
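
Added example, not part of the original message or of GnuPG's code: a small parser that reads the version octet and the signature class from a raw OpenPGP signature packet, showing that the packet version (v3/v4) and the certification check level (the digit listed after "sig", i.e. signature class 0x10 to 0x13) are separate fields. The function names are hypothetical and the sample packets are constructed with zeroed signature material.

```python
# Added example: separate the signature packet *version* from the
# certification *check level* (the digit gpg prints after "sig").
# Packet layouts follow RFC 4880 sections 4.2 and 5.2.

def split_packet(data):
    """Return (tag, body) for the first OpenPGP packet in data."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                       # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not handled")
    else:                                # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled")
        n = 1 << ltype                   # 1, 2 or 4 length octets
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body

def describe_signature(data):
    """Return (version, sig_class, check_level) for a signature packet."""
    tag, body = split_packet(data)
    if tag != 2:
        raise ValueError("not a signature packet")
    version = body[0]
    if version == 3:
        sig_class = body[2]              # body[1] is the fixed length octet 5
    elif version == 4:
        sig_class = body[1]
    else:
        raise ValueError("unsupported signature version %d" % version)
    # 0x10..0x13 are key certifications; the offset from 0x10 is the check level
    level = sig_class - 0x10 if 0x10 <= sig_class <= 0x13 else None
    return version, sig_class, level

# Constructed sample packets (header fields only, signature material zeroed).
V4_SELFSIG = bytes([0x88, 0x06, 0x04, 0x13, 0x11, 0x02, 0x00, 0x00])
V3_CERT = bytes([0x88, 0x13, 0x03, 0x05, 0x10]) + bytes(16)
```

`describe_signature(V4_SELFSIG)` returns version 4 with check level 3, the combination the message describes for a self-signature on a v4 key.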