fingerprint associated public key does not match displayed public key

S.B. sami.badri at gmail.com
Sun Dec 19 04:42:24 CET 2021


> Well, it depends. We have no idea what the .asc file in Disk/users/SamiBadri
> contains. It could be your public key. Or it could be somebody else's public
> key. Or it could be something other than a public key.

That was my mistake.  When I generated my first key pair I used the command:

gpg --armor --export sami.badri at gmail.com> ~/Desktop/SamiB.asc

I moved it into my user folder.  That's the file I uploaded to
openpgp.org.  It is the public key block.

> You shouldn't assume anything if you are dealing with encryption software. You
> should be sure what you are doing. Otherwise, in the extreme, you could
> jeopardize the lives of other people.

I absolutely understand.

> You can use the command
> gpg --show-key <SamiB.asc
> to have a look at the key (or keys) contained in SamiB.asc. But, as with using
> a proper email client you should probably also use a proper graphical tool for
> working with GnuPG. On Linux, I suggest using Kleopatra. On Windows, I
> recommend gpg4win.

Thank you for that.  Along with --list-keys and --list-secret-keys,
I'm starting to better understand the key ring.

> But, as with using a proper email client you should probably also use a proper graphical tool for
> working with GnuPG. On Linux, I suggest using Kleopatra. On Windows, I
> recommend gpg4win.

I'm researching other email clients and will definitely get a GnuPG
graphical tool.  PGP Tool for Mac looks ok.

> Alternatively, you could have a look at Mailvelope (https://mailvelope.com).
> It's a browser add-on that will extend GMail (and many other webmail
> providers) with OpenPGP support.

I'm looking at Mailvelope and FlowCrypt for Gmail extensions.

On Sat, Dec 18, 2021 at 3:23 PM Ingo Klöcker <kloecker at kde.org> wrote:
>
> On Freitag, 17. Dezember 2021 18:04:04 CET S.B. via Gnupg-users wrote:
> > > Otherwise, you can simply send your exported key to the person you want to
> > > give your public key to.
> >
> > Yeah so, I can attach the .asc file that's in my Disk/users/SamiBadri
> > folder (it's the only .asc file I've seen), but I'm assuming that is
> > my public key.  Is that correct?
>
> Well, it depends. We have no idea what the .asc file in Disk/users/SamiBadri
> contains. It could be your public key. Or it could be somebody else's public
> key. Or it could be something other than a public key.
>
> Quite frankly, I suggest that you follow Robert's advice and start your
> learning experience with OpenPGP by using an email client that supports
> OpenPGP out-of-the-box. All decent email clients should have a functionality
> to attach your public key to an email without you having to attach some file
> manually.
>
> > Is there anyway to send your private key?
>
> Sure. You can send any file to anyone, so, of course, you can do the same with
> your private key (unless it's stored on a smartcard in a read-protected slot).
>
> A decent email client should not offer a functionality to attach your secret
> key to an email. So, if you stick to what your email client offers you, then
> you should be safe.
>
> > I want to know so that I don't do it accidentally.
>
> Then don't attach random files you find on your disk to your emails without
> knowing what those files contain.
>
> > Also, if I
> > use the cat SamiB.asc command, the terminal reveals a certificate (and
> > I assume that's my public key certificate).
>
> You shouldn't assume anything if you are dealing with encryption software. You
> should be sure what you are doing. Otherwise, in the extreme, you could
> jeopardize the lives of other people.
>
> > Can I copy/paste and send
> > that as a txt attachment?  Will they be able to do anything with it?
> > For instance, let's say they don't have my email, key ID, or
> > fingerprint, only the pgp public key block (aka certificate), can you
> > do anything with a txt-type file that only shows the certificate in
> > armor?
>
> If you send someone the public key block of your public key, e.g. some file
> that contains something like
>
> -----BEGIN PGP PUBLIC KEY BLOCK-----
>
> [...]
> -----END PGP PUBLIC KEY BLOCK-----
>
> then this person can import your public key in their keyring and use it to
> verify signatures made by you and to encrypt text or files for you.
>
> You can use the command
> gpg --show-key <SamiB.asc
> to have a look at the key (or keys) contained in SamiB.asc. But, as with using
> a proper email client you should probably also use a proper graphical tool for
> working with GnuPG. On Linux, I suggest using Kleopatra. On Windows, I
> recommend gpg4win.
>
> > Lastly, I see that you have attached a signature .asc file with your
> > email.  I can import that file, and compare to?
>
> No, you cannot import that file. You need an email client that supports
> OpenPGP to do anything useful with it.
>
> Alternatively, you could have a look at Mailvelope (https://mailvelope.com).
> It's a browser add-on that will extend GMail (and many other webmail
> providers) with OpenPGP support.
>
> Regards,
> Ingo
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
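
Added example, not part of the original thread: a pre-send check that reads the armor header lines of an .asc file and refuses anything other than a pure public key block, which covers the "don't attach files without knowing what they contain" advice and the accidental private-key case raised above. The function names `armor_types` and `safe_to_attach` and the sample files are constructed for illustration; the check only reads what the armor header claims, so `gpg --show-key <SamiB.asc` from the thread remains the way to see the actual key.

```shell
#!/bin/sh
# Added example (not from the thread): decide from the armor header lines
# whether an .asc file is safe to hand out as "my public key".

# Print every armor type in the file, one per line, e.g. "PUBLIC KEY BLOCK".
armor_types() {
    # tr drops CRs so files saved with Windows line endings still match.
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN PGP \(.*\)-----$/\1/p'
}

# Return 0 only if the file holds public key blocks and nothing else.
safe_to_attach() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    types=$(armor_types "$1")
    if [ -z "$types" ]; then
        echo "REFUSE: no OpenPGP armor in $1" >&2
        return 1
    fi
    # Anything besides a public key block (private key, signature,
    # message) means this is not the file to send.
    other=$(printf '%s\n' "$types" | grep -vx 'PUBLIC KEY BLOCK' | sort -u | tr '\n' ' ')
    if [ -n "$other" ]; then
        echo "REFUSE: $1 contains: $other" >&2
        return 1
    fi
    return 0
}

# Constructed sample files; "[...]" stands in for the base64 body.
make_sample() {
    printf '%s\n' "-----BEGIN PGP $2-----" "" "[...]" "-----END PGP $2-----" > "$1"
}
demo=$(mktemp -d)
make_sample "$demo/pub.asc" "PUBLIC KEY BLOCK"
make_sample "$demo/sec.asc" "PRIVATE KEY BLOCK"
make_sample "$demo/sig.asc" "SIGNATURE"
cat "$demo/pub.asc" "$demo/sec.asc" > "$demo/both.asc"   # public + private in one file

for f in pub sec sig both; do
    if safe_to_attach "$demo/$f.asc"; then echo "OK to attach: $f.asc"; fi
done
```

The `both.asc` case is the one a filename or a quick glance at the first line misses: the file starts with a public key block but also carries a private one further down.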


