Fingerprint useless if not self-signed key?

takethebus at gmx.de takethebus at gmx.de
Sun Jan 2 17:04:07 CET 2011 

Hi everybody, 

and thanks for the answers so far!
I'm goint to write an introduction to GnuPG/PGP and therefor I'm trying to understand some concepts. 

Especially I wonder what I'll tell people about the meaning of the fingerprint. From my point of view a fingerprint-check is useless, if the key is not self-signed (explanation at the end of the email). Thus I wonder whether I shall advise people to check whether the key is self-signed, too. 

Checking wether a key is self-signed would not be necessary, if gnuPG didn't accept a key that isn't self-singed in ANY CASE. Especially, if GnuPG didn't accept a key with a missing self-signature on the subordinate public encrytion key in ANY CASE. 

In my first email (Subject: "Is self-signing necessary? Basic questions.") I asked:

> Does GnuPG demand, that a public key must be self-signed, otherwise it's "no key" at all? 

And thankfully David Shaw answerd:

>>By default, yes.  You can override this, 
>>but it is not a good idea.

Thus the answer to the question, whether one needs to check whether the key is self-signed is conneced with the word "override". What did he mean with that? Changing the source code of my version of gnuPG on my hard disk and recompiling or changing some sort of configuration file on my hard disk? 

If that's the case, then I don't need to advise people to check whether a key is self-signed, because an attacker needes access to my hard disk to override the self-sign-check. But if he already has access to my hard disk, he can as well to worse things like installing a keylogger or something. Thus in this case I'm beaten already, isn't that so?

Are there any other GnuPG/PGP versions, that don't check whether a key is self-signed by default?

I tried to test wether GnuPG accepts to encrypt with a public key, where the self-signatre is missing only at the public subordinate encryption key. But I wasn't able to remove it only at that key and leave the user ID self-signed. All I was able to do is the following. Does anybody know how to do it so I can test?

--------------------------------------------------------------
>gpg --edit-key alice at nowhere.com

pub  2048R/CB4B9C54  created: 2010-12-30  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048R/CCEFE99C  created: 2010-12-30  expires: never       usage: E
[ unknown] (1). Alice (Test) <alice at nowhere.com>

gpg> uid 1

pub  2048R/CB4B9C54  created: 2010-12-30  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048R/CCEFE99C  created: 2010-12-30  expires: never       usage: E
[ unknown] (1)* Alice (Test) <alice at nowhere.com>

gpg> delsig
uid  Alice (Test) <alice at nowhere.com>
sig!3        CB4B9C54 2010-12-30  [self-signature]
Delete this good signature? (y/N/q)y
Really delete this self-signature? (y/N)y
Deleted 1 signature.

gpg> quit
Save changes? (y/N) y

>gpg --output result.gpg --encrypt --recipient
 alice at nowhere.com Textdatei.txt
gpg: alice at nowhere.com: skipped: unusable public key
gpg: Textdatei.txt: encryption failed: unusable public key
----------------------------------------------------------------

EXPLANATION
The fingerprint is a hash value of the public master signing key only, NOT of the public subordinate encryption key. Only if that public subordinate encryption key is self-signed, I can be sure the owner of the private key wanted it to belong to his public key. Otherwise it might have been placed there by an attacker. 

I'm grateful for answers,
Sansibar

More information about the Gnupg-users mailing list