fingerprint associated public key does not match displayed public key
Robert J. Hansen
rjh at sixdemonbag.org
Fri Dec 17 10:43:13 CET 2021
> That key block did not match the one on his profile. That’s what
> confused me. But I’m learning (from you guys) that the key blocks
> don’t necessarily have to match. So I can assume that:
More accurately, they're very unlikely to match. The version on his
site may lack some signatures or user IDs present on the keyserver copy,
or vice-versa. Think of them as two different snapshots of the same
document at different points in time, as various minor edits are made to
it. But the important bits, the stuff you care about, will be
consistent through revisions so long as the fingerprint remains unchanged.
> - the fingerprint is specific for the secret key component of the
> generated key pair and does not change.
No, and I'm going to strongly encourage you to stop asking
implementation questions. You're not ready for them. For now, learn
how to use the system, and only then start paying attention to the fine
detail of how the system is implemented.
But if you insist, see section 12.2 of RFC4880. "A V4 fingerprint is
the 160-bit SHA-1 hash of the octet 0x99, followed by the two-octet
packet length, followed by the entire Public-Key packet starting with
the version field. The Key ID is the low-order 64 bits of the fingerprint."
> - the pgp public key is, in a way, fluid. It can take many different
> forms but encrypts specifically for the matching secret key only. The
> same public key can have different key blocks.
No. This will probably become easier to understand if we use the
correct language. *Keys* are not fluid. *Certificates* can be. What
you're calling a "key block" is a certificate, not a key. A certificate
includes cryptographic keys and metadata about those keys. The keys
generally don't change (although I can think of pathological cases where
they do). The metadata about those keys can change a lot.
Most of the data in a certificate is metadata.
> - I could’ve used the keyserver-obtained public key (retrieved via the
> fingerprint), or I could’ve used the displayed public key that was
> given in armor text form. They are one and the same, even though
> their revealed text is different.
You could have used it and the odds are quite good it wouldn't have
mattered in the slightest.
> When you want to give someone your public key, do you normally just
> give your email, fingerprint, key ID, or the armor form key block?
I use WKS.
> is there a command i could've used to directly import the key using
> the displayed key block? I've tried some different ones I found in
> various places but nothing worked.
gpg --import < certificate.asc
More information about the Gnupg-users