13

When displaying the full fingerprint of an OpenPGP key, I get a completely different one compared to the ID.

For this specific key:

$ gpg --list-keys --fingerprint D72AF3448CC2B034
pub   rsa4096 2017-02-09 [SC] [verfällt: 2027-02-07]
      F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
uid        [ unbekannt ] OpenVPN - Security Mailing List <security@openvpn.net>
sub   rsa4096 2017-02-09 [E] [verfällt: 2018-03-06]
sub   rsa4096 2017-02-09 [S] [verfällt: 2018-03-06]

For other keys, the fingerprint matches the ID, just as expected:

$ gpg --list-keys --fingerprint 57DB9DAB613B8DA1
pub   rsa4096 2016-08-23 [SC] [verfällt: 2026-08-21]
      7ACD 56B7 4144 925C 6214  3297 57DB 9DAB 613B 8DA1
uid        [ unbekannt ] David Sommerseth (OpenVPN Technologies, Inc) <davids@openvpn.net>
uid        [ unbekannt ] David Sommerseth (OpenVPN Technologies, Inc) <david.sommerseth@openvpn.net>
uid        [ unbekannt ] David Sommerseth (OpenVPN mailing list ID) <openvpn@sf.lists.topphemmelig.net>
sub   rsa4096 2016-08-23 [E] [verfällt: 2026-08-21]
sub   rsa4096 2016-08-23 [S] [verfällt: 2021-08-22]

Is this normal? Can anyone explain to me, why the fingerprint is completely different?

Jens Erat
Felix

2 Answers

17

GnuPG generally resolves subkeys to the primary key if a subkey is passed as argument. This might be especially surprising when specifying an encryption subkey: GnuPG resolves the subkey to the primary key, and might actually choose another subkey for encryption (selecting the newest encryption subkey).

For listing a key, this is always performed; for some operations like encryption, you can append ! to the subkey's ID (i.e. D72AF3448CC2B034) to explicitly select this key and disable the primary key lookup.

To display subkey fingerprints on the command line, apply the --with-subkey-fingerprints option:

$ gpg --list-keys --with-subkey-fingerprints D72AF3448CC2B034
pub   rsa4096/0x12F5F7B42F2B01E7 2017-02-09 [SC] [expires: 2027-02-07]
      F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
uid            [ unknown] OpenVPN - Security Mailing List <security@openvpn.net>
sub   rsa4096/0xF80E8008F6D9F8D7 2017-02-09 [E] [expires: 2018-03-06]
      E6CAF699521B9B5E57A5C31BF80E8008F6D9F8D7
sub   rsa4096/0xD72AF3448CC2B034 2017-02-09 [S] [expires: 2018-03-06]
      B59606E2D8C6E10B80BE2B31D72AF3448CC2B034
Jens Erat
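To check from a script whether a key ID names a primary key or a subkey, the machine-readable `--with-colons` listing can be parsed instead of the human-readable one. The following is an added example, not part of the original answers; `resolve_keyid` and `sample_listing` are hypothetical names, and the sample records are constructed from the fingerprints shown above, trimmed to the fields the parser reads.

```shell
#!/bin/sh
# Added example: classify a key ID as primary key or subkey.
# Reads a `gpg --with-colons` key listing on stdin. Real use (assumes the key
# is in the local keyring):
#   gpg --list-keys --with-colons --with-subkey-fingerprints ID | resolve_keyid ID

resolve_keyid() {
    # Normalise the requested ID: upper-case hex, drop a leading 0x and a trailing "!".
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F' | sed 's/^0[xX]//; s/!$//')
    awk -F: -v want="$want" '
        # A pub/sec or sub/ssb record announces which key the next fpr record belongs to.
        $1 == "pub" || $1 == "sec" { kind = "primary"; next }
        $1 == "sub" || $1 == "ssb" { kind = "subkey";  next }
        $1 == "fpr" && kind != "" {
            fpr = $10                      # field 10 of an fpr record is the fingerprint
            if (kind == "primary") primary = fpr
            # For v4 keys the key ID is the tail of the fingerprint, so compare suffixes.
            n = length(want)
            if (n > 0 && n <= length(fpr) && substr(fpr, length(fpr) - n + 1) == want) {
                if (kind == "primary") print "primary " fpr
                else print "subkey " fpr " of primary " primary
                found = 1
            }
            kind = ""                      # ignore further fpr-like records for this key
        }
        END { exit !found }                # non-zero exit status when the ID is not listed
    '
}

# Constructed sample input (not real gpg output): only the record type,
# the key ID (field 5) and the fingerprint (field 10) are filled in.
sample_listing() {
    cat <<'EOF'
pub::::12F5F7B42F2B01E7:
fpr:::::::::F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7:
sub::::F80E8008F6D9F8D7:
fpr:::::::::E6CAF699521B9B5E57A5C31BF80E8008F6D9F8D7:
sub::::D72AF3448CC2B034:
fpr:::::::::B59606E2D8C6E10B80BE2B31D72AF3448CC2B034:
EOF
}

# Demo on the constructed sample: the ID from the question is a signing subkey.
sample_listing | resolve_keyid 'D72AF3448CC2B034!'
```

When verifying a key against a published fingerprint, compare the primary key's fingerprint; a match on a subkey ID alone only tells you which primary key that subkey is bound to.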
0

Apparently, D72AF3448CC2B034 is a subkey, with E0A312F5F7B42F2B01E7 being the corresponding master key. However, gpg does not print fingerprints of subkeys. I had to use the Enigmail GUI tool to verify this.

Felix