fingerprint associated public key does not match displayed public key

Ingo Klöcker kloecker at kde.org
Sat Dec 18 19:07:35 CET 2021


On Friday, 17 December 2021 18:04:04 CET S.B. via Gnupg-users wrote:
> > Otherwise, you can simply send your exported key to the person you want to
> > give your public key to.
> 
> Yeah so, I can attach the .asc file that's in my Disk/users/SamiBadri
> folder (it's the only .asc file I've seen), but I'm assuming that is
> my public key.  Is that correct?

Well, it depends. We have no idea what the .asc file in Disk/users/SamiBadri 
contains. It could be your public key. Or it could be somebody else's public 
key. Or it could be something other than a public key.

Quite frankly, I suggest that you follow Robert's advice and start your 
learning experience with OpenPGP by using an email client that supports 
OpenPGP out-of-the-box. All decent email clients should have a functionality 
to attach your public key to an email without you having to attach some file 
manually.

> Is there any way to send your private key?

Sure. You can send any file to anyone, so, of course, you can do the same with 
your private key (unless it's stored on a smartcard in a read-protected slot).

A decent email client should not offer a functionality to attach your secret 
key to an email. So, if you stick to what your email client offers you, then 
you should be safe.

> I want to know so that I don't do it accidentally.

Then don't attach random files you find on your disk to your emails without 
knowing what those files contain.

> Also, if I
> use the cat SamiB.asc command, the terminal reveals a certificate (and
> I assume that's my public key certificate).

You shouldn't assume anything if you are dealing with encryption software. You 
should be sure what you are doing. Otherwise, in the extreme, you could 
jeopardize the lives of other people.

> Can I copy/paste and send
> that as a txt attachment?  Will they be able to do anything with it?
> For instance, let's say they don't have my email, key ID, or
> fingerprint, only the pgp public key block (aka certificate), can you
> do anything with a txt-type file that only shows the certificate in
> armor?

If you send someone the public key block of your public key, e.g. some file 
that contains something like

-----BEGIN PGP PUBLIC KEY BLOCK-----

[...]
-----END PGP PUBLIC KEY BLOCK-----

then this person can import your public key in their keyring and use it to 
verify signatures made by you and to encrypt text or files for you.

You can use the command
gpg --show-keys <SamiB.asc
to have a look at the key (or keys) contained in SamiB.asc. But, as with using 
a proper email client, you should probably also use a proper graphical tool for 
working with GnuPG. On Linux, I suggest using Kleopatra. On Windows, I 
recommend gpg4win.

> Lastly, I see that you have attached a signature .asc file with your
> email.  I can import that file, and compare to?

No, you cannot import that file. You need an email client that supports 
OpenPGP to do anything useful with it.

Alternatively, you could have a look at Mailvelope (https://mailvelope.com). 
It's a browser add-on that will extend GMail (and many other webmail 
providers) with OpenPGP support.

Regards,
Ingo
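
Added example (not part of the message above and not GnuPG code): a shell check that reads the armor header lines of an .asc file and reports whether it holds a public key block, a private key block, a signature or a message, so the file is identified before it is attached. The function names asc_kinds and safe_to_attach and the sample files are constructed for illustration; the armor line is only a label, so gpg --show-keys remains the way to inspect the key itself.

```shell
#!/bin/sh
# Added example: identify what an ASCII-armored OpenPGP file claims to contain.
# Hypothetical helper names; sample files below are constructed, bodies elided.

# asc_kinds FILE: print one line per armored block found in FILE.
asc_kinds() {
    # Strip CR first so files saved with Windows line endings still match.
    tr -d '\r' < "$1" | sed -n \
        -e 's/^-----BEGIN PGP PUBLIC KEY BLOCK-----$/public-key/p' \
        -e 's/^-----BEGIN PGP PRIVATE KEY BLOCK-----$/private-key/p' \
        -e 's/^-----BEGIN PGP SIGNATURE-----$/signature/p' \
        -e 's/^-----BEGIN PGP SIGNED MESSAGE-----$/signed-message/p' \
        -e 's/^-----BEGIN PGP MESSAGE-----$/message/p'
}

# safe_to_attach FILE: succeed only if FILE holds public key blocks and
# nothing else. A file with no armor at all, or with a private key block
# anywhere in it (even after a public one), is rejected.
safe_to_attach() {
    kinds=$(asc_kinds "$1" | sort -u)
    [ "$kinds" = "public-key" ]
}

# Demo on constructed files.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' '[...]' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$demo_dir/pub.asc"
printf '%s\r\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' '' '[...]' \
    '-----END PGP PRIVATE KEY BLOCK-----' > "$demo_dir/sec.asc"
# An export that contains both kinds of block in one file.
cat "$demo_dir/pub.asc" "$demo_dir/sec.asc" > "$demo_dir/both.asc"

for f in "$demo_dir"/*.asc; do
    if safe_to_attach "$f"; then
        echo "$f: public key block only"
    else
        echo "$f: do not attach (found: $(asc_kinds "$f" | tr '\n' ' '))"
    fi
done
rm -rf "$demo_dir"
```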