multiple self signatures

Atom 'Smasher' atom-gpg at suspicious.org
Sat Feb 28 16:12:04 CET 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I am seeing on my key multiple self signatures after I do any editing
> to my key.  They are all " sig 3 ".
>
> I am using version " 1.2.4 ", on a windows 2KP system.  Is there a
> reason for this?  I am not asked if I wish to sign my own key.  I have
> just started to do editing on my GPG key for the first time.
>
> Can I, or should I, remove them?  If so, which one?
=============================

i noticed this myself, after updating my cipher preferences and adding
bzip2 to my compression prefs.

i'm sure someone will correct me if i'm wrong, but my observation is this:

if i update my preferences, i create a new signature (which validates
those prefs along with the key associated with them). it seems that gpg
has enough smarts to *replace* my old signature(s) with my new
signature(s), so when i'm done editing the key i still have one signature
per key element (UID, subkey, etc). (when updating prefs, we're dealing
with the signature on the UID)

now, if i go and import an old copy of my key, or someone imports my new
key on top of their old copy of my key, gpg will (of course) combine all
of the signatures that it can find for the key... this creates multiple
self-signatures.

these extra self signatures shouldn't cause any harm, but nonetheless i
don't like them. if you want to get rid of them, you can run
"--edit-key"... then "check" will list the signatures and the dates...
then you can do "delsig" and go through the list of signatures, deleting
the ones you don't want.

(is there any documentation of "delsig"? i didn't see it in the man page
that came with 1.2.4)

** DO NOT DELETE ALL OF YOUR SELF SIGNATURES!! **

this way you have a slim key that you can hand out, but once that key goes
into circulation (keyrings, key servers), ALL signatures will find their
way onto it, if those signatures were circulated.

you can look at the self-sigs on the key referenced in the URL at the
bottom of my email (don't import it, yet!) and look at the self
signatures.... then get that same key from a keyserver and look at those
self-sigs... then, import them both and you'll see the self sigs breed....
the old sigs from the key server and the new sigs from my www link will be
combined.

moral of the story... if this type of thing concerns you, do all editing
of your key *before* you distribute it. of course, if you decide to add
new prefs as they're available (like the recent addition of bzip2 in
1.2.x), then there's no way around it.

disclaimer - this is based on my observations, YMMV. if something i've
said up there isn't quite right, i'm sure it will be corrected by someone
on the list who knows better.


 	...atom

 _______________________________________________
 PGP key - http://smasher.suspicious.org/pgp.txt
 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3
 -------------------------------------------------

	"Microsoft shouldn't be broken up. It should be shut down."
		-- Bruce Schneier, 15 May 2000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
Comment: What is this gibberish?  -  http://atom.smasher.org/links/#digital_signatures

iD8DBQFAQQQpnCgLvz19QeMRArDkAJ9DCDIWQf9Xoa+edTAOeYyn3QTGDwCfdWVl
XN1jyfLrT164siIetRT9owg=
=5Bsk
-----END PGP SIGNATURE-----
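To see the "self sigs breed" effect in an exported key without reading through "check" output by hand, here is an added example (not code from the post above): it walks the OpenPGP packet stream of a binary `gpg --export` and counts the positive certifications (type 0x13, the "sig 3" lines) that follow each User ID. The sample key at the bottom is constructed by hand, not a real key.

```python
# Added example, not code from the original post: count "sig 3" (positive
# certification, type 0x13) packets after each User ID in a binary OpenPGP
# export (`gpg --export <keyid>`). Framing per RFC 4880 4.2; v4 sigs only.
def _read_packet(buf, pos):
    """Return (tag, body, next_pos) for the packet starting at pos."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                                  # new-format header
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + buf[pos + 2] + 192, 3
        else:
            raise ValueError("5-byte and partial body lengths not supported")
    else:                                           # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        hdr = 1 + (1 << ltype)
        length = int.from_bytes(buf[pos + 1:pos + hdr], "big")
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def count_self_certs(key_bytes):
    """Map each User ID to the number of v4 sig 3 packets following it
    (issuer not checked, so pass one key's export at a time)."""
    counts, pos, uid = {}, 0, None
    while pos < len(key_bytes):
        tag, body, pos = _read_packet(key_bytes, pos)
        if tag == 13:                               # User ID packet
            uid = body.decode("utf-8", "replace")
            counts.setdefault(uid, 0)
        elif tag == 2 and uid is not None and body[:2] == b"\x04\x13":
            counts[uid] += 1                        # another sig 3 on this UID
        elif tag in (7, 14):                        # subkey: UID section is over
            uid = None
    return counts

def duplicated_uids(key_bytes):
    """User IDs carrying more than one sig 3: the 'self sigs breed' symptom."""
    return sorted(u for u, n in count_self_certs(key_bytes).items() if n > 1)

def _pkt(tag, body):                                # new-format, 1-byte length
    return bytes([0xC0 | tag, len(body)]) + body
# Constructed sample (not a real key): first UID has two sig 3 as after a merge.
SAMPLE_KEY = (_pkt(6, b"\x04" + b"\x00" * 8) + _pkt(13, b"Alice <alice@example.org>")
              + _pkt(2, b"\x04\x13") + _pkt(2, b"\x04\x13")
              + _pkt(13, b"Alice (work) <alice@example.com>") + _pkt(2, b"\x04\x13")
              + _pkt(14, b"\x04" + b"\x00" * 8) + _pkt(2, b"\x04\x18"))
```

Run it on `gpg --export` output of your own key before and after importing an older copy and the count on the affected UID goes up; "delsig" in "--edit-key" is then the way to prune the extras, keeping at least one.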


