gpg.conf recommendations (FAQ improvement) was: GnuPG 1.4.19 - Encryption Questions

Werner Koch wk at
Wed Aug 17 16:53:57 CEST 2016

On Wed, 17 Aug 2016 16:29, kristian.fiskerstrand at

> I'm not sure I like this, it avoids the actual issue of people using
> non-verified keys (and verification would be using fingerprint to begin
> with, although I might read it without the proper context in this email)

Displaying the long keyid has been suggested for 10 years but you are
fully right, it does not help.  I just put this into the 1.4 README

    NEVER use the keyid to verify a key - always use the complete
    fingerprint.  The keyid is just a convenience handle to identify a
    key by a short semi-unique name which is trivial to spoof.  You
    may want to put the line "keyid-format long" into your gpg.conf to
    tell gpg to print the long keyid (which is still spoof-able).

FWIW, I really wonder why people seem to use the keyid to check keys.
Most of us have been in key signing parties and learned that one needs
to mumble the _fingerprint_.  Some oldtimers still have the habit of
also comparing the keyid and the creation date, but that was only
helpful in PGP-2 times to mitigate a problem in the PGP-2 key format.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
 /* Join us at OpenPGP.conf  <> */

More information about the Gnupg-users mailing list