Keyservers mangle with subkey binding sigs

Charly Avital shavital at
Sat Jan 19 13:26:04 CET 2008

Vlad "SATtva" Miller wrote the following on 1/19/08 6:01 AM:
| Here for example (in the bottom) you may see two subkeys with binding
| signatures expired at 2007-12-31:

So it is.

| But if you look at the original copy you'll see that all regenerated
| sigs are in place:

After importing that keyblock:

gpg: key 8443620A: "Vladislav V. Miller (aka SATtva)" 13 new signatures
gpg: key 8443620A: "Vladislav V. Miller (aka SATtva)" 11 signatures cleaned
gpg: Total number processed: 1
gpg:         new signatures: 13
gpg:     signatures cleaned: 11
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:  30  signed: 105  trust: 0-, 0q, 0n, 0m, 0f, 30u
gpg: depth: 1  valid: 105  signed:  54  trust: 0-, 3q, 0n, 33m, 69f, 0u
gpg: depth: 2  valid:  40  signed:  92  trust: 0-, 1q, 2n, 21m, 16f, 0u
gpg: depth: 3  valid:   4  signed:  12  trust: 1-, 0q, 0n, 1m, 2f, 0u
gpg: depth: 4  valid:   3  signed:   4  trust: 0-, 0q, 0n, 1m, 2f, 0u
gpg: next trustdb check due at 2008-02-13

[name]$ gpg --edit-key 8443620A
gpg (GnuPG) 1.4.8; Copyright (C) 2007 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  4096R/8443620A  created: 2006-12-21  expires: never       usage: SC
~                     trust: unknown       validity: unknown
sub  2048R/070E0B73  created: 2006-12-21  expires: 2010-01-01  usage: S
sub  2048R/7D57ED51  created: 2006-12-21  expires: 2010-01-01  usage: E
[ unknown] (1). Vladislav V. Miller (aka SATtva)
[ unknown] (2)  Vladislav V. Miller (aka SATtva) <sattva at>
[ unknown] (3)  Vladislav V. Miller (aka SATtva) <sattva at>
[ unknown] (4)  SATtva (openPGP in Russia project admin) <project at>
[ unknown] (5)  Vlad Miller (for private contacts only) <vladtepesh at>
[ unknown] (6)  [jpeg image of size 7403]
[ unknown] (7)  [jpeg image of size 7403]

In my system now:

I have not signed your key
Your signature verifies (no longer "..with expired key...").
Two user photos are invoked and displayed, one of them shows a person,
the other one displays an interrogation mark.

After signing (locally) your key, there is no change, still two photos
displayed, one is a person, the other one displays an interrogation mark.

| sattva at localhost ~ $ cat openpgp.txt | gpg --list-packets
| [snip]
| :signature packet: algo 1, keyid FAEB26F78443620A
|         version 4, created 1199529401, md5len 0, sigclass 0x18
|         digest algo 2, begin of digest 1f 06
|         hashed subpkt 26 len 45 (policy:
|         hashed subpkt 27 len 1 (key flags: 0C)
|   >>>>  hashed subpkt 2 len 4 (sig created 2008-01-05)       <<<<
|   >>>>  hashed subpkt 9 len 4 (key expires after 3y11d13h6m) <<<<
|         subpkt 16 len 8 (issuer key ID FAEB26F78443620A)
|         data: [4095 bits]
|
| If I understand this correctly and am not missing something terribly here,
| keyservers just looked at newly uploaded key, thought "huh? I already
| have that subkey in place, and this 0x18 sig too!", and discarded it
| without going into much trouble of analyzing any binding sigs'
| timestamps (maybe marking them as duplicates).

I lack the knowledge and background to comment.

MacOS X 10.5.1 - GnuPG 1.4.8 - GPG2 2.0.8 with gpg-agent - Thunderbird with Enigmail 0.95.6 - Primary key A57A8EFA - Signing subkey
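The comparison discussed in this message (regenerated 0x18 binding signatures present in the original copy but absent from the keyserver copy) can be checked mechanically from two `gpg --list-packets` dumps. The following is an added example, not part of the original message or of GnuPG; the function names are hypothetical, the sample dumps are constructed, and it assumes that GnuPG prints a year as 365 days and that both dumps list the subkeys in the same order.

```python
import re
UNITS = {"y": 365 * 86400, "d": 86400, "h": 3600, "m": 60}  # assumption: 1y = 365d

def duration_seconds(text):  # "3y11d13h6m" -> seconds
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([ydhm])", text))

def newest_bindings(dump):
    """Per subkey: (subkey_created, newest 0x18 sig_created, expires_at or None)."""
    subkeys, sig = [], None
    for raw in dump.splitlines():
        line = raw.lstrip("| \t")  # tolerate mail-quoted dumps
        if line.startswith(":public sub key packet:"):
            subkeys.append({"created": None, "sigs": []})
            sig = None
        elif line.startswith(":signature packet:"):
            sig = {"created": 0, "cls": "", "life": 0}
            if subkeys:  # signatures before the first subkey are not bindings
                subkeys[-1]["sigs"].append(sig)
        elif line.startswith(":"):
            sig = None  # some other packet type
        elif sig is not None:
            if m := re.search(r"created (\d+), md5len \d+, sigclass (0x\w+)", line):
                sig["created"], sig["cls"] = int(m[1]), m[2].lower()
            if m := re.search(r"key expires after ([0-9ydhm]+)", line):
                sig["life"] = duration_seconds(m[1])
        elif subkeys and subkeys[-1]["created"] is None:
            if m := re.search(r"created (\d+)", line):
                subkeys[-1]["created"] = int(m[1])
    out = []
    for sk in subkeys:
        binds = [s for s in sk["sigs"] if s["cls"] == "0x18"]
        best = max(binds, key=lambda s: s["created"], default=None)
        known = best and best["life"] and sk["created"] is not None
        expires = sk["created"] + best["life"] if known else None
        out.append((sk["created"], best["created"] if best else None, expires))
    return out

def stale_subkeys(server_dump, local_dump):
    """Subkey positions (same order assumed) whose newest binding is older on the server."""
    pairs = zip(newest_bindings(server_dump), newest_bindings(local_dump))
    return [i for i, (s, l) in enumerate(pairs) if (s[1] or 0) < (l[1] or 0)]

# Constructed sample; only the key ID, 1199529401 and 3y11d13h6m are from the message.
SUBKEY = ":public sub key packet:\n\tversion 4, algo 1, created 1166700000, expires 0\n"
SIG = (":signature packet: algo 1, keyid FAEB26F78443620A\n"
       "\tversion 4, created {}, md5len 0, sigclass 0x18\n"
       "\thashed subpkt 9 len 4 (key expires after {})\n")
SERVER = SUBKEY + SIG.format(1166700100, "1y10d0h0m")
LOCAL = SERVER + SIG.format(1199529401, "3y11d13h6m")
```

With the constructed dumps, `stale_subkeys(SERVER, LOCAL)` reports position 0, because the server copy carries only the older binding signature while the local copy also has the one created at 1199529401.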

