How are primary key binding signatures (0x19) handled by gpg?

Daniel Kahn Gillmor dkg at
Thu May 22 19:26:18 CEST 2014

On 05/22/2014 01:04 PM, martijn.list wrote:

> The sub key of the following key (key ID 0549B8A5640444E6) is valid for
> signing (RSA Encrypt or Sign) but it does not contain a primary key
> binding signature:

The subkey here (0xC2B1EA06E3BD3FC7) does not have any key usage flags
subpacket associated with it at all.  As a result, it looks like gpg
treats it as having all usage flags available.

> Enigmail tells me that the sub key is valid for signing. It might be
> that I misunderstand the requirement but it seems that in this case the
> key should not be used for signing since it lacks the primary key
> binding signature. I know that this requirement is relatively recent so
> it might be that for this key the current behaviour is for backward
> compatibility reasons. Is there some documentation on how GPG handles
> signing sub keys without a valid primary key binding signature?

So gnupg treats this key as though the signing usage flag is present,
but it's not yet clear to me that it's willing to accept signatures or
certifications from it in the absence of a cross-certification.

gpg(1) suggests that --require-cross-certification is the default, so
signature or certifications made by the subkey should be considered
invalid.  Do you have signature or certification made by that subkey
that you can verify with?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140522/383b1114/attachment.sig>

More information about the Gnupg-users mailing list