Generating bitwise identical keyrings with GnuPG 1 + 2

Werner Koch wk at
Sun Sep 15 15:56:05 CEST 2019

On Fri, 13 Sep 2019 21:28, ionic at said:

> Either way, my best guess is that GPG 2.2+ drops the trust packets
> because the trust is not explicitly set (i.e., default value) - as an

The trust packets are for internal use of gpg and are never exported.
These packets are one of the reasons why we stated for decades that the
interface is "gpg --export" and that the files in ~/.gnupg are internal
to gnupg.

gnupg/doc/DETAILS tells this about the trust packets:

* Format of the OpenPGP TRUST packet

  According to RFC4880 (5.10), the trust packet (aka ring trust) is
  only used within keyrings and contains data that records the user's
  specifications of which key holds trusted introducers.  The RFC also
  states that the format of this packet is _implementation defined_ and
  SHOULD NOT be emitted to output streams or should be ignored on
  import.  GnuPG uses this packet in several additional ways:

  - 1 octet :: Trust-Value (only used by Subtype SIG)
  - 1 octet :: Signature-Cache (only used by Subtype SIG; value must
               be less than 128)
  - 3 octets :: Fixed value: "gpg"
  - 1 octet  :: Subtype
               - 0 :: Signature cache (SIG)
               - 1 :: Key source on the primary key (KEY)
               - 2 :: Key source on a user id (UID)
  - 1 octet :: Key Source; i.e. the origin of the key:
               - 0 :: Unknown source.
               - 1 :: Public keyserver.
               - 2 :: Preferred keyserver.
               - 3 :: OpenPGP DANE.
               - 4 :: Web Key Directory.
               - 5 :: Import from a trusted URL.
               - 6 :: Import from a trusted file.
               - 7 :: Self generated.
  - 4 octets :: Time of last update.  This is a a four-octet scalar
                with the seconds since Epoch.
  - 1 octet  :: Scalar with the length of the following field.
  - N octets :: String with the URL of the source.  This may be a
                zero-length string.

  If the packets contains only two octets a Subtype of 0 is assumed;
  this is the only format recognized by GnuPG versions < 2.1.18.
  Trust-Value and Signature-Cache must be zero for all subtypes other
  than SIG.

If you use "--export-options backup" these trust packets are exported
anyway so that they can be imported with "--import-otions restore".



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list