Failure of comparison of valid pub key's .asc files

Peter Lebbing peter at
Tue Feb 23 17:40:34 CET 2016

On 23/02/16 15:40, JB wrote:
> W/r to above display, would it not be better to display the line(s) with
> the unverified signature and the missing key in response,

You can use --list-sig to show the unverified signatures as well. Note they
could be bogus, you can't tell until you import the key that made the signature.
--check-sig checks signatures as its name implies, and you can't check a
signature made by a key you don't have.

Like this:

$ gpg2 --list-sig C65285EC
pub   rsa2048/C65285EC 2015-03-15 [SC]
uid         [ unknown] trava90 <travawine at>
sig 3        6DA5F2AC 2015-11-15  [User ID not found]
sig 3        C65285EC 2015-03-15  trava90 <travawine at>
sig 3        8FCF9CEC 2015-05-16  [User ID not found]
sub   rsa2048/25192F9F 2015-03-15 [E]
sig          C65285EC 2015-03-15  trava90 <travawine at>

> so that I could
> have a clue which user(s) certified the key

Without the key, it's just a short string of hex digits. You need to fetch the
key before there is anything more to go on (a user ID). Luckily, you can do that:

$ gpg2 --recv-keys 6DA5F2AC 8FCF9CEC

> As you can see from my key server lookups, the was useless in
> this regard

And several more ;)

> only gave me a hint who I was missing.

In the web interface you mean?

I should mention that the web interface does no verification of anything, it
naively "believes" anything it is told. That means that nefarious people can
include bogus data that will only turn out to be bogus once you feed the key to
GnuPG, which does verify what it is fed.

> Like this:
> $ gpg --check-sigs C65285EC
> gpg: 2 good signatures
> gpg: 1 signature not checked due to a missing key
> pub   rsa2048/C65285EC 2015-03-15 [SC]
> uid         [ unknown] trava90 <travawine at>
> sig!3        C65285EC 2015-03-15  trava90 <travawine at>
> sig%3        8FCF9CEC 2015-05-16  Moonchild (RSA signing key)
> <moonchild at>
> sub   rsa2048/25192F9F 2015-03-15 [E]
> sig!         C65285EC 2015-03-15  trava90 <travawine at>
> where the missing key line(s) like this would be included:
> sig%3        8FCF9CEC 2015-05-16  Moonchild (RSA signing key)
> <moonchild at>

Did you mock up this output yourself or is this something you actually got? I
wouldn't understand how the latter happened. That % is when the key is on your
keyring, but the signature could not be verified due to some error. So you
already have the Moonchild key, as can also be inferred from the fact that it
knows that UID. And that signature checks out fine for me.

> Do you think it makes sense to request an enhancement ?

I haven't seen anything that is both not implemented yet and physically
possible, unless I misunderstand. It is impossible to show data about a key you
don't have on your keyring. The data is simply not there.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
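
Added example, not part of the original message or of GnuPG: a small Python parser for the human-readable signature listing shown above, which picks out the signatures whose issuer key is not on the keyring and builds the matching --recv-keys call. The function names are hypothetical, and the flag meanings (! verified, - bad, % error while checking) are those documented for --check-sigs in the gpg manual.

```python
import re

# "sig", one verification-flag column, one cert-level column, then key ID,
# date and user ID (or a placeholder when the issuer key is absent).
SIG_LINE = re.compile(
    r"^(?:sig|rev)(.)(.).*?\s([0-9A-F]{8,40})\s+(\d{4}-\d{2}-\d{2})\s+(.*)$")

# Flag directly after "sig", as documented for --check-sigs in the gpg manual.
FLAGS = {"!": "verified", "-": "bad", "%": "error while checking",
         " ": "not checked"}
MISSING = "[User ID not found]"

# Listing copied from the message above (addresses are elided on the page).
LISTING = """\
pub   rsa2048/C65285EC 2015-03-15 [SC]
uid         [ unknown] trava90 <travawine at>
sig 3        6DA5F2AC 2015-11-15  [User ID not found]
sig 3        C65285EC 2015-03-15  trava90 <travawine at>
sig 3        8FCF9CEC 2015-05-16  [User ID not found]
sub   rsa2048/25192F9F 2015-03-15 [E]
sig          C65285EC 2015-03-15  trava90 <travawine at>
"""


def parse_sigs(listing):
    """Return one dict per signature line of a gpg key listing."""
    sigs = []
    for line in listing.splitlines():
        m = SIG_LINE.match(line)
        if not m:
            continue  # pub/uid/sub lines and wrapped continuation lines
        flag, level, keyid, date, name = m.groups()
        sigs.append({"keyid": keyid, "date": date,
                     "level": level.strip() or None,
                     "status": FLAGS.get(flag, "unknown flag"),
                     "issuer_missing": name.strip() == MISSING})
    return sigs


def recv_keys_command(sigs, gpg="gpg2"):
    """Build the --recv-keys call for issuers that are not on the keyring."""
    missing = []
    for s in sigs:
        if s["issuer_missing"] and s["keyid"] not in missing:
            missing.append(s["keyid"])
    return [gpg, "--recv-keys", *missing] if missing else []


if __name__ == "__main__":
    print(" ".join(recv_keys_command(parse_sigs(LISTING))))
```

A fetched key only becomes evidence once --check-sigs is run again and gpg verifies the signature with it. For scripting against a real keyring, gpg's --with-colons output is the stable format; the human-readable listing parsed here can change between versions.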
