modern GnuPG verify signatures

Teemu Likonen tlikonen at
Thu Jun 15 22:29:41 CEST 2017

Stefan Claas [2017-06-15 18:59:41+02] wrote:

> I clearsign a text file and verify it and modern GnuPG shows me this:
> gpg --verify my_message.txt
> gpg: Signature made Do 15 Jun 18:31:05 2017 CEST
> gpg:                using RSA key 2BAF85F9281ABD543823C7C5981EB7C382EC52B4
> gpg: Good signature from "Stefan Claas <stefan.claas at>" [ultimate]
> A friend just recently posted a message in a Usenet Group and i get this:
> gpg --verify m123.eml
> gpg: Signature made Xx 00 Jun 00:00:00 2017 CEST
> gpg:                using RSA key 0000000000000000
> gpg: Good signature from "xxxxxx xxxxxxxxx <xxxxxxx at>" [full]
> gpg: xxxxxx at Verified 4 signatures in the past 7 days. 
> Encrypted 0 messages.

Perhaps it can be seen as bug that there is the full fingerprint in some
places and long key id in other places.

I'm guessing that there are different code paths internally: In the
first example the trust level is calculated from web of trust (own key,
ultimate trust). In the second example there's also tofu trust model
involved because it shows statistics for verifying and encryption.

But those who know the code can answer.

/// Teemu Likonen   - .-..   <> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: </pipermail/attachments/20170615/8bc71e75/attachment-0001.sig>

More information about the Gnupg-users mailing list