Generating bitwise identical keyrings with GnuPG 1 + 2

Mihai Moldovan ionic at ionic.de
Fri Sep 13 21:28:55 CEST 2019


* On 9/6/19 12:33 AM, Ángel wrote:
> I'm baffled by this.
> 
> Could you run gpg2 --list-packets on both keyrings and compare their
> outputs?
> 
> That should hint which packets are being included by 1.4 that are not by
> 2.2

Hmm, interesting indeed.

The output is *almost* the same.

A diff looks like this (truncated, but you'll get the general idea):


--- keyringdump.gpg2	2019-09-13 20:50:26.839951269 +0200
+++ keyringdump.gpg1	2019-09-13 20:50:44.186005825 +0200
@@ -19,13 +19,15 @@
  	hashed subpkt 23 len 1 (keyserver preferences: 80)
  	subpkt 16 len 8 (issuer key ID E1F958385BFE2B6E)
  	data: [2046 bits]
-# off=635 ctb=b9 tag=14 hlen=3 plen=269
+# off=635 ctb=b0 tag=12 hlen=2 plen=2
+:trust packet: sig flag=00 sigcache=03
+# off=639 ctb=b9 tag=14 hlen=3 plen=269
  :public sub key packet:
  	version 4, algo 1, created 1299793310, expires 0
  	pkey[0]: [2048 bits]
  	pkey[1]: [17 bits]
  	keyid: 71F21F68F489CDCF
-# off=907 ctb=89 tag=2 hlen=3 plen=287
+# off=911 ctb=89 tag=2 hlen=3 plen=287
  :signature packet: algo 1, keyid E1F958385BFE2B6E
  	version 4, created 1299793310, md5len 0, sigclass 0x18
  	digest algo 2, begin of digest 77 f5
@@ -33,7 +35,9 @@
  	hashed subpkt 27 len 1 (key flags: 0C)
  	subpkt 16 len 8 (issuer key ID E1F958385BFE2B6E)
  	data: [2044 bits]
-# off=1197 ctb=99 tag=6 hlen=3 plen=418
+# off=1201 ctb=b0 tag=12 hlen=2 plen=2
+:trust packet: sig flag=00 sigcache=03
+# off=1205 ctb=99 tag=6 hlen=3 plen=418
  :public key packet:
  	version 4, algo 17, created 1234173545, expires 0
  	pkey[0]: [1024 bits]


It looks like the gpg1 output has additional "trust" packets. Are those owner 
trust values? I wonder why gpg2 doesn't generate these packets?

According to RFC 4880 these are really owner trust values that SHOULD NOT be 
exported to files that are supposed to be handed to other users, but GPG can't 
determine whether such a keyring file will be used locally or not.

Either way, my best guess is that GPG 2.2+ drops the trust packets because the 
trust is not explicitly set (i.e., default value) - as an optimization. Can I 
instruct gpg2 to not do that? --export-ownertrust doesn't seem appropriate and 
then there's also the special concept of a trustdb, so I don't quite understand 
why trust packets would be exported to keyrings in the first place?



Mihai
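As an added illustration of the packet difference discussed above (this is not code from the thread or from GnuPG itself): a small Python parser for OpenPGP packet headers (RFC 4880 section 4.2) that lists packets the way `--list-packets` prints its `# off=` lines and strips the tag-12 trust packets, so a gpg1 export can be compared byte for byte with a gpg2 one. The function names and the sample keyring bytes are my own; the sample bodies are filler, since only the headers are parsed.

```python
import struct

TRUST_PACKET_TAG = 12  # RFC 4880 section 5.10: local-only, SHOULD NOT be exported

def parse_header(buf, off):
    """Return (tag, header_len, body_len) for the packet header at buf[off]."""
    ctb = buf[off]
    if not ctb & 0x80:
        raise ValueError(f"offset {off}: not a packet header (ctb={ctb:02x})")
    if ctb & 0x40:  # new-format header (RFC 4880 section 4.2.2)
        tag, b1 = ctb & 0x3f, buf[off + 1]
        if b1 < 192:
            return tag, 2, b1
        if b1 < 224:
            return tag, 3, ((b1 - 192) << 8) + buf[off + 2] + 192
        if b1 == 255:
            return tag, 6, struct.unpack(">I", buf[off + 2:off + 6])[0]
        raise ValueError(f"offset {off}: partial body lengths unsupported")
    tag, ltype = (ctb >> 2) & 0x0f, ctb & 0x03  # old-format header (section 4.2.1)
    if ltype == 3:
        raise ValueError(f"offset {off}: indeterminate length unsupported")
    hlen = 1 + (1 << ltype)  # 1 octet ctb + 1/2/4 length octets
    return tag, hlen, int.from_bytes(buf[off + 1:off + hlen], "big")

def list_packets(buf):
    """Yield (offset, tag, hlen, plen) like the '# off=' lines of --list-packets."""
    off = 0
    while off < len(buf):
        tag, hlen, plen = parse_header(buf, off)
        if off + hlen + plen > len(buf):
            raise ValueError(f"offset {off}: packet runs past end of keyring")
        yield off, tag, hlen, plen
        off += hlen + plen

def strip_trust_packets(buf):
    """Return the keyring with every tag-12 trust packet removed (gpg2-style export)."""
    out = bytearray()
    for off, tag, hlen, plen in list_packets(buf):
        if tag != TRUST_PACKET_TAG:
            out += buf[off:off + hlen + plen]
    return bytes(out)

def _packet(ctb, body):
    """Old-format packet with a 1/2/4-octet length; constructed test data only."""
    return bytes([ctb]) + len(body).to_bytes(1 << (ctb & 3), "big") + body

# Constructed keyring shaped like the gpg1 dump above: key, self-sig, trust "00 03", subkey.
GPG1_STYLE = (_packet(0x99, b"\x04" * 40) + _packet(0x89, b"\x04" * 50)
              + _packet(0xb0, b"\x00\x03") + _packet(0xb9, b"\x04" * 30))
```

Running `strip_trust_packets` over a real gpg1 keyring export and diffing the result against the gpg2 export shows whether trust packets are the only difference.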



More information about the Gnupg-users mailing list