Is self-signing necessary? Basic questions.

David Shaw dshaw at
Sun Jan 2 06:05:06 CET 2011

On Jan 1, 2011, at 10:30 PM, takethebus at wrote:

> I everybody, 
> I tried to understand some of the concepts of GnuPG and would be grateful for you to give me a feedback, whether I understood things right. I'm especially interested in the concept of self-signed keys. My key type is "RSA and RSA (PGP)". Here is what I understood:
> My pulic key consists of the following:
> public master signing key (pub),
> public subordinate keys (sub),
> User IDs.
> Are the key IDs newly calculated every time GnuPG runs or are they members of the public key like the user IDs, too?

They are calculated by hashing the public key(s), and truncating to fit.  The key ID is actually the lower 64 bits of the fingerprint.  The *displayed* key ID is the lower 32 bits of that.

> Is the public master signing key ONLY used for signing and the public subordinate key ONLY used for enryption?

Traditionally, yes, but this is not a requirement.  The only guarantee is that the primary key must be able to certify other keys (i.e. sign other keys or make new subkeys).  In practice, a common setup (in fact, the default setup in GnuPG) is to have a primary key to sign and a subkey to encrypt.

> Is the fingerprint of my public key ONLY the fingerprint of my public master signing key?

In common usage, yes.  Subkeys do in fact have fingerprints, but by convention, the fingerprint of the primary key is used as shorthand to refer to the whole key.

> When signing another key, what I do is to ONLY sign the other person's public master signing key with my own private master signing key. I don't sign a certain user ID or something. Is that right? (see the next two points)

No, when you sign a key, you are signing their primary key, plus a specified user ID.  In effect, you are making a statement that "I believe that this particular user ID and this particular primary key belong together".

If there are multiple user ID, you can sign them all (if you believe all of them are valid), or some.  It's your choice.

There is a way to sign a key alone, without signing any user IDs.  Nobody supports it for 3rd party signatures like these.

> Does GnuPG demand, that a public key must be self-signed, otherwise it's "no key" at all? 

By default, yes.  You can override this, but it is not a good idea.  After all, if the owner of the key hasn't asserted that a particular user ID is valid, why would you trust it?

> Can signatures be removed from a key again? 

Yes.  The "delsig" command in the --edit-key menu can delete signatures.  Note that if the signatures are on a keyserver, they'll just come back the next time the key is refreshed though.

> What about removing self-signatures, changing suboridinate encryption keys and user IDs? Is that possible/easy? 

delsig is capable of removing self-signatures.  I'm not sure what you mean by "changing" a subkey, but delkey in the --edit-key menu can delete it, revkey can revoke it, etc.  Similarly, there is deluid and revuid for user IDs.


More information about the Gnupg-users mailing list