--verify --always-trust --with-fingerprint broken?

Neil Williams linux@codehelp.co.uk
Sun Apr 20 14:19:02 2003



On Sunday 20 Apr 2003 1:18 am, Jason Harris wrote:
> %gpg --verify --always-trust --with-fingerprint <signature file>
>
> seems to always report:
>
> Primary key fingerprint: 0E07 7F87 83C2 06C6 02FD  7EF7 9323 84EE BAB6 B3BC
>
> regardless of the signing key (GPG 1.2.1).

If you have a secret key available, rather than using --always-trust to drop 
the warnings, would it be better to locally sign the key used in the 
signature file?

I've tested it on local systems and I agree, if no secret key is available, 
the only way to get an accurate fingerprint is to omit the --always-trust and 
just put up with the warning.

$ gpg --with-fingerprint gpgme-0.3.15.tar.gz.sig
gpg: Signature made Tue 18 Feb 2003 18:27:09 GMT using DSA key ID 87978569
gpg: Good signature from "Marcus Brinkmann <mb@g10code.com>"
gpg:                 aka "Marcus Brinkmann"
gpg:                 aka "Marcus Brinkmann <mb@g10code.de>"
gpg:                 aka "Marcus Brinkmann <brinkmd@debian.org>"
gpg:                 aka "Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Fingerprint: 1411 9889 4E27 D44F 7084  F098 C0A4 CBB9 8797 8569

$ gpg --always-trust --with-fingerprint gpgme-0.3.15.tar.gz.sig
gpg: Signature made Tue 18 Feb 2003 18:27:09 GMT using DSA key ID 87978569
gpg: Good signature from "Marcus Brinkmann <mb@g10code.com>"
gpg:                 aka "Marcus Brinkmann"
gpg:                 aka "Marcus Brinkmann <mb@g10code.de>"
gpg:                 aka "Marcus Brinkmann <brinkmd@debian.org>"
gpg:                 aka "Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>"
gpg: WARNING: Using untrusted key!
Fingerprint: 0E07 7F87 83C2 06C6 02FD  7EF7 9323 84EE BAB6 B3BC

$ gpg --fingerprint 0x87978569
pub  1024D/87978569 1999-05-13 Marcus Brinkmann <mb@g10code.com>
     Key fingerprint = 1411 9889 4E27 D44F 7084  F098 C0A4 CBB9 8797 8569
uid                            Marcus Brinkmann
uid                            Marcus Brinkmann <mb@g10code.de>
uid                            Marcus Brinkmann <brinkmd@debian.org>
uid                            Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>
sub  2048g/C3AF90C1 1999-05-13

So whose fingerprint is:
Fingerprint: 0E07 7F87 83C2 06C6 02FD  7EF7 9323 84EE BAB6 B3BC

It's not one of mine!
0xA897FD02:
744C 978D 7AB8 F27B 3BA6  C101 93B0 D5AF A897 FD02
0x28BCB3E3:
4CD4 6644 C105 48ED CA28  EC36 8801 094A 28BC B3E3

$ gpg --list-keys --with-fingerprint | grep "744C 978D 7AB8 F27B 3BA6  C101 93B0 D5AF A897 FD02"
     Key fingerprint = 744C 978D 7AB8 F27B 3BA6  C101 93B0 D5AF A897 FD02

$ gpg --list-keys --with-fingerprint | grep "0E07 7F87 83C2 06C6 02FD  7EF7 9323 84EE BAB6 B3BC"

No output.
(With 94 keys in the public ring including Marcus Brinkmann, Werner Koch etc. 
and most of those on this list who use signatures in email.)

???

-- 

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

http://www.wewantbroadband.co.uk/
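As an added example (not part of this thread or of GnuPG), a small Python checker that reads gpg's machine-readable `--status-fd` output and compares the VALIDSIG fingerprint with a pinned expected fingerprint, so the decision does not depend on the human-readable "Fingerprint:" line that the thread shows changing under --always-trust. The status lines are constructed from the key quoted above, not captured output, and the optional tenth VALIDSIG field (primary-key fingerprint) is assumed to be absent on older gpg versions.

```python
import re

def norm_fpr(fpr: str) -> str:
    """Strip spaces and upper-case, so the spaced human-readable form
    from the thread compares equal to the raw form in status lines."""
    return re.sub(r"\s+", "", fpr).upper()

def parse_status(status_text: str) -> dict:
    """Pull GOODSIG / VALIDSIG / TRUST_* out of `gpg --status-fd` output."""
    result = {"goodsig": None, "validsig_fpr": None, "primary_fpr": None, "trust": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword, args = fields[1], fields[2:]
        if keyword == "GOODSIG" and args:
            result["goodsig"] = args[0]        # long key ID of the signing key
        elif keyword == "VALIDSIG" and args:
            result["validsig_fpr"] = args[0]   # fingerprint of the signing key
            if len(args) >= 10:                # primary-key fpr: newer gpg only
                result["primary_fpr"] = args[9]
        elif keyword.startswith("TRUST_"):
            result["trust"] = keyword
    return result

def check_pinned_signer(status_text: str, expected_fpr: str) -> bool:
    """Accept only a valid signature from the pinned key. The TRUST_* line is
    kept for logging; pinning the fingerprint is the decision, so there is no
    need for --always-trust just to silence the untrusted-key warning."""
    parsed = parse_status(status_text)
    if parsed["validsig_fpr"] is None:
        return False
    candidates = {norm_fpr(parsed["validsig_fpr"])}
    if parsed["primary_fpr"]:
        candidates.add(norm_fpr(parsed["primary_fpr"]))
    return norm_fpr(expected_fpr) in candidates

# Constructed sample, not captured output: key ID, fingerprint and signature
# date follow the Marcus Brinkmann key quoted in the thread.
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG C0A4CBB987978569 Marcus Brinkmann <mb@g10code.com>
[GNUPG:] VALIDSIG 141198894E27D44F7084F098C0A4CBB987978569 2003-02-18 1045592829 0 3 0 17 2 00
[GNUPG:] TRUST_UNDEFINED
"""
PINNED = "1411 9889 4E27 D44F 7084  F098 C0A4 CBB9 8797 8569"
OTHER = "0E07 7F87 83C2 06C6 02FD  7EF7 9323 84EE BAB6 B3BC"

if __name__ == "__main__":
    print("pinned key:", check_pinned_signer(SAMPLE_STATUS, PINNED))  # True
    print("other key: ", check_pinned_signer(SAMPLE_STATUS, OTHER))   # False
```

In real use, feed it the output of `gpg --status-fd 1 --verify <signature file>`; the TRUST_* keyword is then logged alongside the pinned-key result rather than suppressed.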
