Failure of comparison of valid pub key's .asc files

Peter Lebbing peter at digitalbrains.com
Tue Feb 23 13:48:03 CET 2016


On 22/02/16 10:23, JB wrote:
>> Note the difference in output from 'gpg --check-sigs C65285EC':
>> case 1.
>> gpg: 1 signature not checked due to a missing key
>> case 2.
>> gpg: 2 signatures not checked due to missing keys

This is also why the exported .asc files are different: the version on the
keyserver has an additional signature that the one on the web page did not have.
That's it, that's all there is to it!

> My question is:
> Can I have a pub key with a unique id C65285EC and a fingerprint, but two
> different associated (gpg --export) ascii .asc or binary .gpg files ?

Absolutely. Certifications by other people are also included. They can change
order, they can be on one and not on the other. And there are more reasons why
the binary blob can be different, such as included information that is no longer
relevant but also doesn't hurt (old, superseded self-sigs, f.e.).

For authenticity, you should be looking purely at the primary fingerprint and
the UID's. If those two combined match your expectation (you expect John to have
a key with fingerprint X), you're good.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
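
The comparison described in the message above, as an added example that is not part of the original post: two listings of one key that differ only in third-party signatures are compared by primary fingerprint and user IDs instead of byte for byte. The fingerprint, user ID, key IDs and the listings (text in the style printed by `gpg --with-colons --list-sigs`, one key per listing) are constructed for illustration.

```python
import re

FPR = "0123456789ABCDEF0123456789ABCDEFC65285EC"   # constructed fingerprint
UID = "Example Project <release@example.org>"     # constructed user ID

# Constructed colon-format listings of the same key (assumed: one key each).
_HEAD = [
    "pub:-:4096:1:89ABCDEFC65285EC:1400000000:::-:::scESC:",
    "fpr" + ":" * 9 + FPR + ":",
    "uid:-::::1400000000" + ":" * 4 + UID + ":",
    "sig:::1:89ABCDEFC65285EC:1400000000::::" + UID + ":13x:",
    "sig:::1:1111222233334444:1410000000::::[User ID not found]:10x:",
]
_TAIL = [
    "sub:-:4096:1:5555666677778888:1400000000::::::e:",
    "fpr" + ":" * 9 + "F" * 40 + ":",              # subkey fingerprint
]
EXTRA_SIG = "sig:::1:9999AAAABBBBCCCC:1450000000::::[User ID not found]:10x:"
WEB = "\n".join(_HEAD + _TAIL)                      # copy from the web page
KEYSERVER = "\n".join(_HEAD + [EXTRA_SIG] + _TAIL)  # copy with one more signature


def key_identity(listing):
    """Return (primary fingerprint, set of user IDs); sig records are ignored."""
    fpr, uids, last = None, set(), None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            last = f[0]                             # remember whose fpr comes next
        elif f[0] == "fpr" and last == "pub" and fpr is None and len(f) > 9:
            fpr = f[9].upper()                      # field 10 holds the fingerprint
        elif f[0] == "uid" and len(f) > 9:
            # the colon format writes ':' inside a user ID as \x3a
            uids.add(re.sub(r"\\x([0-9a-fA-F]{2})",
                            lambda m: chr(int(m.group(1), 16)), f[9]))
    return fpr, uids


def matches_expectation(listing, expected_fpr, expected_uid):
    """True when the key has the fingerprint and user ID you expected."""
    fpr, uids = key_identity(listing)
    want = re.sub(r"\s", "", expected_fpr).upper()  # accept spaced fingerprints
    return fpr == want and expected_uid in uids
```
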
