Copy Current GPG Installation to Another Server

Peter Lebbing peter at
Tue Mar 17 22:56:15 CET 2015

On 17/03/15 22:34, Doug Barton wrote:
>> Assuming they're all protected by https, nothing.
> I think you missed my point. If all three resources related to verification are
> provided by the same source, then verifying the fingerprint gets you zero added
> security. It's more or less equivalent to using a hash by itself.

No, I think that's what I mean as well. If they all come from the same source,
it gets you nothing to check the signature. So I don't see why you would verify
the signature at all.

> So to start with, that's a pretty big hurdle to jump, and if you have access to
> do that, then you almost certainly have access to do other things like changing
> the fingerprint to verify.

By creating a short key ID collision, I'm also getting those people that read
your e-mail or a similar thing somewhere on the web, and just download the short
key ID. I'm also getting those people that get a "BAD signature" and then do a
new --recv-key with the short key ID in an unfortunate attempt to get it to
verify ("hmmm, maybe it has expired?").

Like you said, I passed a big hurdle. I'm either MITM, or I write-accessed the
ftp server of Why stop there when it's so little effort to create a
short key ID collision? It sounds fun in a perverse way.

But back to my primary objection:

I consider it bad advice to tell someone to rely on the short key ID. Sounds
like a bad habit potentially getting bootstrapped to me.

That's really all this is about.

You could also say they should check the sha1sum, like Clark ended up doing. Or

gpg --fingerprint -k 4F25E3B6

and checking it says

pub   2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
      Key fingerprint = D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
uid       [  full  ] Werner Koch (dist sig)
sub   2048R/AC87C71A 2011-01-12 [expires: 2019-12-31]

with a little caveat that you should actually get the fingerprint from somewhere
trusted, not from a stranger. That would already go a long way. When I include
non-trivial code to be entered on someone's PC, I always include the disclaimer
"Please understand what you are doing here, never enter on your PC what a
stranger on the internet tells you to". At least, I think and hope I do, might
have forgotten in my enthousiasm sometimes.

Or don't check at all and simply see if it crashes during installation. I
wouldn't be surprised if it included a checksum in the .exe as part of the

But we obviously disagree in an informed way. I know I can be rather principal.
Thanks for appreciating my enthousiasm though :).



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list