Trouble signing (was: Trouble exporting keys)
Fri May 16 00:20:36 2003
-----BEGIN PGP SIGNED MESSAGE-----
On Thursday 15 May 2003 6:18 pm, Daniel Carrera wrote:
> I'll revoke my current key later today, and start over with a 4096-bit RSA
> primary signing key. Later I'll create a 1024-bit DSA key and a 2048-bit
> ElGamal key. And this will do exactly what I want:
> - Long-term security through the 4096-bit primary key.
> - GPG defaults to DSA for signing.
> - If I ever want more security, I can use ! to sign with the RSA.
I haven't revoked any keys, just started with a completely new one, generated
exactly as above. 4096 RSA, 1024 DSA and 2048 ElGamal. (I added a photoid
for fun too but generating that 4096RSA took an age!!)
pub 4096R/48C5F366 2003-05-15 Neil Williams <email@example.com>
uid [image of size 4569]
sub 1024D/F3C504D8 2003-05-15 [expires: 2004-05-14]
sub 2048g/E819E0B7 2003-05-15 [expires: 2004-05-14]
(A test key only - this will never reach a keyserver or be used on public
Did you mean signing documents / emails with the DSA?
gpg -u f3c504d8 --detach --sign lug.sql
gpg --verify lug.sql.sig
gpg: Signature made Thu 15 May 2003 22:49:03 BST using DSA key ID F3C504D8
gpg: Good signature from "Neil Williams <firstname.lastname@example.org>"
gpg: aka "[image of size 4569]"
But I couldn't get it to work for keysigning.
gpg -u f3c504d8! --sign-key a897fd02
gpg -u f3c504d8 --sign-key a897fd02
Makes no odds:
pub 1024D/A897FD02 2002-01-27 Neil Williams (laptop) <email@example.com>
sig!3 A897FD02 2002-01-27 Neil Williams (laptop)
sig!3 48C5F366 2003-05-15 Neil Williams <firstname.lastname@example.org>
sub 1024g/4D6D2952 2002-01-27
sig! A897FD02 2002-01-27 Neil Williams (laptop)
Note the new sig by the primary RSA key 48c5f366 not f3c504d8 as in the
(test sig on this key later deleted, again without updating a keyserver.)
Did I miss a stage?
If not, won't this cause confusion with regard to keysignings? The KeyID
everyone has gotten used to on the mailings wouldn't appear in the list of
signatures on keys. GnuPG can make sense of it, but it doesn't look very
intuitive in the listings.
If the KeyID is the only identifier used (for anonymous keys) it'll be even
harder to understand key signatures.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
-----END PGP SIGNATURE-----