getting an encrypted file to show what public key was used

Tanguy Herrmann tanguy.herrmann at gmail.com
Tue May 29 17:16:09 CEST 2012


Steven,

The key that has the Short Key ID of F1940956 has the same short Key ID
as: http://keyserver.ubuntu.com:11371/pks/lookup?search=0xF1940956&op=vindex
This is a flaw in the OpenPGP protocol (if I remember right). Short
Key IDs are only the last 8 hexadecimal characters of the full
fingerprint. And the flaw makes OpenPGP verify only that short Key
ID instead of the full fingerprint, and that leads to collisions of Key
IDs even if the keys are different ...

The easiest solution for you would be to create a new key.

On Tue, May 29, 2012 at 5:02 PM, Robert J. Hansen <rjh at sixdemonbag.org> wrote:
> On 5/29/12 9:45 AM, Steven Lefevre wrote:
>> gpg: encrypted with 2048-bit ELG-E key, ID F1940956, created 2002-04-25
>>       "Different Public Key <another_key at another_company.com>"
>> gpg: decryption failed: secret key not available
>
> Oh, cute.  A short ID collision.  :)  Quaero Corporation's, apparently.
>
> Short answer: try using gpg -vvvv sensitive-file.gpg.  This will give
> you a large amount of detailed information that might be useful for your
> debugging.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


