Failure of comparison of valid pub key's .asc files

Peter Lebbing peter at digitalbrains.com
Tue Feb 23 17:40:34 CET 2016


On 23/02/16 15:40, JB wrote:
> W/r to above display, would it not be better to display the line(s) with
> the unverified signature and the missing key in response,

You can use --list-sig to show the unverified signatures as well. Note they
could be bogus; you can't tell until you import the key that made the signature.
--check-sig checks signatures as its name implies, and you can't check a
signature made by a key you don't have.

Like this:

-----------------8<---------->8-----------------
$ gpg2 --list-sig C65285EC
pub   rsa2048/C65285EC 2015-03-15 [SC]
uid         [ unknown] trava90 <travawine at protonmail.com>
sig 3        6DA5F2AC 2015-11-15  [User ID not found]
sig 3        C65285EC 2015-03-15  trava90 <travawine at protonmail.com>
sig 3        8FCF9CEC 2015-05-16  [User ID not found]
sub   rsa2048/25192F9F 2015-03-15 [E]
sig          C65285EC 2015-03-15  trava90 <travawine at protonmail.com>
-----------------8<---------->8-----------------

> so that I could
> have a clue which user(s) certified the key

Without the key, it's just a short string of hex digits. You need to fetch the
key before there is anything more to go on (a user ID). Luckily, you can do that:

$ gpg2 --recv-keys 6DA5F2AC 8FCF9CEC

> As you can see from my key server lookups, the pgp.mit.edu was useless in
> this regard

And several more ;)

> only sks-keyservers.net gave me a hint who I was missing.

In the web interface you mean?

I should mention that the web interface does no verification of anything, it
naively "believes" anything it is told. That means that nefarious people can
include bogus data that will only turn out to be bogus once you feed the key to
GnuPG, which does verify what it is fed.

> 
> Like this:
> $ gpg --check-sigs C65285EC
> gpg: 2 good signatures
> gpg: 1 signature not checked due to a missing key
> pub   rsa2048/C65285EC 2015-03-15 [SC]
> uid         [ unknown] trava90 <travawine at protonmail.com>
> sig!3        C65285EC 2015-03-15  trava90 <travawine at protonmail.com>
> sig%3        8FCF9CEC 2015-05-16  Moonchild (RSA signing key)
> <moonchild at palemoon.org>
> sub   rsa2048/25192F9F 2015-03-15 [E]
> sig!         C65285EC 2015-03-15  trava90 <travawine at protonmail.com>
> 
> where the missing key line(s) like this would be included:
> sig%3        8FCF9CEC 2015-05-16  Moonchild (RSA signing key)
> <moonchild at palemoon.org>

Did you mock up this output yourself or is this something you actually got? I
wouldn't understand how the latter happened. That % is when the key is on your
keyring, but the signature could not be verified due to some error. So you
already have the Moonchild key, as can also be inferred from the fact that it
knows that UID. And that signature checks out fine for me.

> Do you think it makes sense to request an enhancement?

I haven't seen anything that is both not implemented yet and physically
possible, unless I misunderstand. It is impossible to show data about a key you
don't have on your keyring. The data is simply not there.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
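As an added illustration (not part of Peter's mail, nor GnuPG's own code): a small Python parser over the two listings above that reads the status column of each `sig` line and reports which signer keys are absent from the keyring, i.e. what to hand to --recv-keys before --check-sigs can verify anything. The sample listings are reconstructed from the mail (the archive's " at " restored to "@", the wrapped Moonchild UID rejoined), and the "?" status is treated as "no public key" as an assumption.

```python
import re
from dataclasses import dataclass

# One signature line: "sig" + status char (or space) + trust level (or space),
# then the signer's key ID, the date and the user ID as gpg prints it.
SIG_RE = re.compile(
    r"^sig(?P<status>[!\-%? ])(?P<level>[123 ])\s+"
    r"(?P<keyid>[0-9A-Fa-f]{8,40})\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<uid>.*)$"
)

# Status column: blank = not verified (--list-sigs), '!' = good, '-' = bad,
# '%' = error while verifying a key you do have, '?' = no public key (assumed).
STATUS = {" ": "unverified", "!": "good", "-": "bad", "%": "error", "?": "no-key"}
MISSING_UID = "[User ID not found]"  # placeholder gpg prints for absent keys

@dataclass
class Sig:
    keyid: str
    level: str
    status: str
    uid: str

    @property
    def key_missing(self) -> bool:
        return self.uid == MISSING_UID or self.status == "no-key"

def parse_sigs(listing: str) -> list[Sig]:
    sigs = []
    for line in listing.splitlines():
        m = SIG_RE.match(line.rstrip())
        if m:
            sigs.append(Sig(m["keyid"].upper(), m["level"].strip(),
                            STATUS[m["status"]], m["uid"].strip()))
    return sigs

def missing_signer_keys(listing: str) -> list[str]:
    """Key IDs to fetch (gpg2 --recv-keys ...) before --check-sigs can verify."""
    return sorted({s.keyid for s in parse_sigs(listing) if s.key_missing})

def summarize(listing: str) -> dict:
    """Counts per outcome, mirroring gpg's 'N good signatures / not checked' lines."""
    counts = {}
    for s in parse_sigs(listing):
        k = "missing-key" if s.key_missing else s.status
        counts[k] = counts.get(k, 0) + 1
    return counts

# Constructed sample input, reconstructed from the two listings in the mail.
LIST_SIGS = """\
pub   rsa2048/C65285EC 2015-03-15 [SC]
uid         [ unknown] trava90 <travawine@protonmail.com>
sig 3        6DA5F2AC 2015-11-15  [User ID not found]
sig 3        C65285EC 2015-03-15  trava90 <travawine@protonmail.com>
sig 3        8FCF9CEC 2015-05-16  [User ID not found]
sub   rsa2048/25192F9F 2015-03-15 [E]
sig          C65285EC 2015-03-15  trava90 <travawine@protonmail.com>
"""
CHECK_SIGS = """\
pub   rsa2048/C65285EC 2015-03-15 [SC]
sig!3        C65285EC 2015-03-15  trava90 <travawine@protonmail.com>
sig%3        8FCF9CEC 2015-05-16  Moonchild (RSA signing key) <moonchild@palemoon.org>
sub   rsa2048/25192F9F 2015-03-15 [E]
sig!         C65285EC 2015-03-15  trava90 <travawine@protonmail.com>
"""
```

Running `missing_signer_keys(LIST_SIGS)` yields the two key IDs from the --recv-keys line in the mail, while the --check-sigs listing yields none, since the '%' on the Moonchild line means the key is present but verification hit an error.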
