Why do I receive keys I wouldn't expect

David Shaw dshaw at jabberwocky.com
Sun Oct 16 16:42:32 CEST 2011


On Oct 16, 2011, at 8:57 AM, Martin Jachs wrote:

> I issued the following command to receive my own public key for my other mail address "m.jachs at gmx.net".
> 
> gpg --keyserver sks-keyservers.net --recv-keys D870A352
> 
> and got the following output
> 
> gpg: requesting key D870A352 from hkp server sks-keyservers.net
> gpg: key D870A352: "Martin Jachs (Regular email address) <m.jachs at gmx.net>" not changed
> gpg: key E66B2314: public key "Forest Jordan <me at inetz.com>" imported
> gpg: Total number processed: 2
> gpg:               imported: 1
> gpg:              unchanged: 1
> 
> My question now is: Why is the key for "me at inetz.com" imported? My key has only been signed by me and has no other user IDs than mine. The output from http://pool.sks-keyservers.net:11371/pks/lookup?op=vindex&fingerprint=on&search=0xB073838BD870A352 shows this.
> 
> I encountered this while importing my own public key on another machine (with Kleopatra) and got surprised.

You managed to hit a (presumably natural) keyid collision. It's rare, but not impossible. Your primary key has the keyid of D870A352. The other key happens to have a subkey with the keyid of the same D870A352. OpenPGP keyids are made by chopping down the full key fingerprint (40 characters) into a long keyid (16 characters) or a short keyid (8 characters). In this case, the full fingerprints and long keyids do not match - you just happened to collide in the lower 8 characters.

This is why it's important to check the whole fingerprint when signing keys.

David
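An added example in Python, not part of this thread: it derives long and short keyids from fingerprints the way the reply describes, shows why a short-id fetch can resolve to two unrelated keys, and checks a fetch result against the full fingerprint you expected. The fingerprints are constructed; only the keyids quoted in the thread (B073838BD870A352, D870A352, E66B2314) are taken from it.

```python
import re
from collections import defaultdict

def _clean(hexid: str) -> str:
    """Drop spaces and a 0x prefix, upper-case."""
    h = hexid.replace(" ", "").upper()
    return h[2:] if h.startswith("0X") else h

def normalize(fingerprint: str) -> str:
    """Canonical 40-hex-digit fingerprint, or ValueError."""
    fp = _clean(fingerprint)
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError(f"not a 40-hex-digit fingerprint: {fingerprint!r}")
    return fp

def long_keyid(fingerprint: str) -> str:
    """Long keyid: low 64 bits, i.e. the last 16 hex digits of the fingerprint."""
    return normalize(fingerprint)[-16:]

def short_keyid(fingerprint: str) -> str:
    """Short keyid: low 32 bits, i.e. the last 8 hex digits of the fingerprint."""
    return normalize(fingerprint)[-8:]

# Constructed keyring as (owner, fingerprint). The leading 24 hex digits are invented;
# only B073838BD870A352, D870A352 and E66B2314 come from the thread above.
KEYRING = [
    ("Martin Jachs primary", "0123456789ABCDEF01234567B073838BD870A352"),
    ("Forest Jordan primary", "00112233445566778899AABBCCDDEEFFE66B2314"),
    ("Forest Jordan subkey", "FFEEDDCCBBAA99887766554433221100D870A352"),
]

def lookup(keyring, keyid: str):
    """Every (owner, fingerprint) whose fingerprint ends with an 8-, 16- or 40-digit id."""
    needle = _clean(keyid)
    if len(needle) not in (8, 16, 40):
        raise ValueError("keyid must be 8, 16 or 40 hex digits")
    return [(owner, fp) for owner, fp in keyring if normalize(fp).endswith(needle)]

def short_keyid_collisions(keyring):
    """Short keyids shared by more than one key, with the colliding fingerprints."""
    by_short = defaultdict(list)
    for _, fp in keyring:
        by_short[short_keyid(fp)].append(normalize(fp))
    return {k: v for k, v in by_short.items() if len(v) > 1}

def unexpected_imports(expected_fingerprint: str, imported_fingerprints):
    """Fingerprints returned by a fetch that are not the one you expected."""
    want = normalize(expected_fingerprint)
    return [normalize(fp) for fp in imported_fingerprints if normalize(fp) != want]
```

Fetching by the 16- or 40-digit form (`lookup(KEYRING, "0xB073838BD870A352")`) returns only the intended key, which is the practical reason to pass the full fingerprint to --recv-keys and to compare fingerprints before signing.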



