Keyservers mangle with subkey binding sigs
shavital at mac.com
Sat Jan 19 13:26:04 CET 2008
-----BEGIN PGP SIGNED MESSAGE-----
Vlad "SATtva" Miller wrote the following on 1/19/08 6:01 AM:
| Here for example (in the bottom) you may see two subkeys with binding
| signatures expired at 2007-12-31:
So it is.
| But if you look at the original copy you'll see that all regenerated
| sigs are in place:
After importing that keyblock:
gpg: key 8443620A: "Vladislav V. Miller (aka SATtva)" 13 new signatures
gpg: key 8443620A: "Vladislav V. Miller (aka SATtva)" 11 signatures cleaned
gpg: Total number processed: 1
gpg: new signatures: 13
gpg: signatures cleaned: 11
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 30 signed: 105 trust: 0-, 0q, 0n, 0m, 0f, 30u
gpg: depth: 1 valid: 105 signed: 54 trust: 0-, 3q, 0n, 33m, 69f, 0u
gpg: depth: 2 valid: 40 signed: 92 trust: 0-, 1q, 2n, 21m, 16f, 0u
gpg: depth: 3 valid: 4 signed: 12 trust: 1-, 0q, 0n, 1m, 2f, 0u
gpg: depth: 4 valid: 3 signed: 4 trust: 0-, 0q, 0n, 1m, 2f, 0u
gpg: next trustdb check due at 2008-02-13
[name]$ gpg --edit-key 8443620A
gpg (GnuPG) 1.4.8; Copyright (C) 2007 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 4096R/8443620A created: 2006-12-21 expires: never usage: SC
~ trust: unknown validity: unknown
sub 2048R/070E0B73 created: 2006-12-21 expires: 2010-01-01 usage: S
sub 2048R/7D57ED51 created: 2006-12-21 expires: 2010-01-01 usage: E
[ unknown] (1). Vladislav V. Miller (aka SATtva)
[ unknown] (2) Vladislav V. Miller (aka SATtva) <sattva at pgpru.com>
[ unknown] (3) Vladislav V. Miller (aka SATtva) <sattva at vladmiller.info>
[ unknown] (4) SATtva (openPGP in Russia project admin) <project at pgpru.com>
[ unknown] (5) Vlad Miller (for private contacts only) <vladtepesh at mail.ru>
[ unknown] (6) [jpeg image of size 7403]
[ unknown] (7) [jpeg image of size 7403]
In my system now:
I have not signed your key
Your signature verifies (no longer "..with expired key...".
Two user photos are invoked and displayed, one of them shows a person,
the other one displays an interrogation mark.
After signing (locally) your key, there is no change, still two photos
displayed, one is a person, the other one displays an interrogation mark.
| sattva at localhost ~ $ cat openpgp.txt | gpg --list-packets
| :signature packet: algo 1, keyid FAEB26F78443620A
| version 4, created 1199529401, md5len 0, sigclass 0x18
| digest algo 2, begin of digest 1f 06
| hashed subpkt 26 len 45 (policy:
| hashed subpkt 27 len 1 (key flags: 0C)
| >>>> hashed subpkt 2 len 4 (sig created 2008-01-05) <<<<
| >>>> hashed subpkt 9 len 4 (key expires after 3y11d13h6m) <<<<
| subpkt 16 len 8 (issuer key ID FAEB26F78443620A)
| data: [4095 bits]
| If I understand this correctly and not missing something terribly here,
| keyservers just looked at newly uploaded key, thought "huh? I already
| have that subkey in place, and this 0x18 sig too!", and discarded it
| without going into much trouble of analyzing any binding sigs'
| timestamps (maybe marking them as duplicates).
I lack the knowledge and background to comment.
MacOS X 10.5.1 - GnuPG 1.4.8 - GPG2 2.0.8 with gpg-agent - Thunderbird
188.8.131.52 with Enigmail 0.95.6 - Primary key A57A8EFA - Signing subkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.8 (Darwin)
Comment: GnuPG for Privacy
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the Gnupg-users