How are primary key binding signatures (0x19) handled by gpg?

martijn.list martijn.list at
Thu May 22 19:04:30 CEST 2014

According to RFC 4880

"For subkeys that can issue signatures, the subkey binding signature
MUST contain an Embedded Signature subpacket with a primary key binding
signature (0x19) issued by the subkey on the top-level key."

The sub key of the following key (key ID 0549B8A5640444E6) is valid for
signing (RSA Encrypt or Sign) but it does not contain a primary key
binding signature:

Enigmail tells me that the sub key is valid for signing. It might be
that I misunderstand the requirement but it seems that in this case the
key should not be used for signing since it lacks the primary key
binding signature. I know that this requirement is relatively recent so
it might be that for this key the current behaviour is for backward
compatibility reasons. Is there some documentation on how GPG handles
signing sub keys without a valid primary key binding signature?

Kind regards,

Martijn Brinkers

More information about the Gnupg-users mailing list