When I was viewing the key information of my PGP key on a key server, I couldn't understand the meaning of some of the signatures.

Here is the key information from the key server (https://pgp.mit.edu/pks/lookup?op=vindex&search=0x50268311C7AD3F62):

Type bits/keyID     cr. time   exp time   key expir

pub   256E/C7AD3F62 2017-09-02            

uid DDoSolitary <DDoSolitary@gmail.com>
sig  sig3  C7AD3F62 2017-09-02 __________ __________ [selfsig]

sub   256E/3A2792F6 2017-09-06            
sig sbind  C7AD3F62 2017-09-06 __________ __________ []

sub   256e/3BEE2AA5 2017-09-02            
sig sbind  C7AD3F62 2017-09-02 __________ __________ []
sig  sig3  C7AD3F62 2017-09-02 __________ __________ []
sig sbind  C7AD3F62 2017-09-06 __________ __________ []

I created this key with an encryption subkey (256e/3BEE2AA5) on 2017-09-02, and then on 2017-09-06, I added an authentication subkey (256E/3A2792F6).

I do understand that the sig3 of the uid and the sbind signature of the authentication key (256E/3A2792F6) are used to bind the master key to the uid/subkey. However, I got confused after seeing the signatures of the encryption key (256e/3BEE2AA5). Why are there three signatures for it and what are they used for?

DDoSolitary
  • Looking at your posted public key, it seems you've been testing out how keys work... Do you still have questions regarding above? – RubberStamp Nov 26 '17 at 18:40
  • @RubberStamp I'm not testing, the only things I did are: adding a new email address and an avatar, adding a new signing subkey for automated releases of one of my projects. And as you can see, there are a lot of signatures created, which I don't understand. – DDoSolitary Dec 12 '17 at 06:37

If I import the public key listed in your post, I get this message:

$ gpg --import pkey2.txt
gpg: key 50268311C7AD3F62: 11 duplicate signatures removed
gpg: key 50268311C7AD3F62: 5 signatures reordered
gpg: key 50268311C7AD3F62: public key "DDoSolitary <Dxxxx@xxxxxx.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

As you can see, the extra signatures listed on your public key are labeled duplicates upon import and do not affect operation or trust of the key.

The extra signatures are most likely from key manipulations. Each modification of your key produces a signature.

All the signatures and dates of the signatures can be extracted from the public key using the --list-packets option of gpg.

$ gpg --list-packets pkey.txt | grep -A1 ":signature"

:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1504334453, md5len 0, sigclass 0x13
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1508055794, md5len 0, sigclass 0x13
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1508055418, md5len 0, sigclass 0x13
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1508056216, md5len 0, sigclass 0x13
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1504703268, md5len 0, sigclass 0x18
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1504334453, md5len 0, sigclass 0x18
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1504703268, md5len 0, sigclass 0x18
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1508055418, md5len 0, sigclass 0x13
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1504334453, md5len 0, sigclass 0x13
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1508056216, md5len 0, sigclass 0x13
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1508055794, md5len 0, sigclass 0x13
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1508553430, md5len 0, sigclass 0x18
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1504334453, md5len 0, sigclass 0x18
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1504703268, md5len 0, sigclass 0x18
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1508055418, md5len 0, sigclass 0x13
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1504334453, md5len 0, sigclass 0x13
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1508056216, md5len 0, sigclass 0x13
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1508055794, md5len 0, sigclass 0x13

The dates are in UNIX epoch time. These are all the signature dates, sorted and in a more readable form:

2017-09-02 06:40:53-00
2017-09-02 06:40:53-00
2017-09-02 06:40:53-00
2017-09-02 06:40:53-00
2017-09-02 06:40:53-00
2017-09-06 13:07:48-00
2017-09-06 13:07:48-00
2017-09-06 13:07:48-00
2017-10-15 08:16:58-00
2017-10-15 08:16:58-00
2017-10-15 08:16:58-00
2017-10-15 08:23:14-00
2017-10-15 08:23:14-00
2017-10-15 08:23:14-00
2017-10-15 08:30:16-00
2017-10-15 08:30:16-00
2017-10-15 08:30:16-00
2017-10-21 02:37:10-00

It's fairly easy to see that the signature times occur during the key manipulations.

$ gpg --edit-key 688E1D093C3638F588890D4450268311C7AD3F62

pub  ed25519/50268311C7AD3F62
     created: 2017-09-02  expires: never       usage: SC  
     trust: unknown       validity: unknown
sub  ed25519/E758605C3A2792F6
     created: 2017-09-06  expires: never       usage: A   
sub  ed25519/6DC20782F6E9E2F3
     created: 2017-10-21  expires: 2018-10-21  usage: S   
sub  cv25519/1224F2883BEE2AA5
     created: 2017-09-02  expires: never       usage: E   
[ unknown] (1). DDoSolitary <Dxxxxxx@xxxxxx1.com>
[ unknown] (2)  DDoSolitary <Dxxxxxx@xxxxxx2.com>
[ unknown] (3)  [jpeg image of size 29903]

So, looking at the key, there's nothing that stands out as incorrect on the key, either as posted on the public key server or on the imported key.

As a side note: the trust level on the public key as listed in my system will not be the same as in your system. Trust is under local control. The trust is set as unknown by default. However, it is unwise to blindly trust public keys listed in a keyserver.

RubberStamp
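The answer above reads the `--list-packets` output by hand: sigclass 0x13 is a positive certification of a uid, 0x18 is a subkey binding, and signatures that repeat the same issuer, type and creation time are what gpg reports as duplicates on import. The following script does that bookkeeping automatically; it is an added example, not the answerer's code, and the sample text is a constructed subset of the listing on this page.

```python
"""Group the signature packets that `gpg --list-packets` prints.

Added example (not from the answer). SAMPLE is a constructed subset of
the page's own listing; run against real output with parse_signatures(text).
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Signature types from RFC 4880 that normally appear on a public key.
SIGCLASS_NAMES = {
    0x10: "generic certification (uid)", 0x13: "positive certification (uid)",
    0x18: "subkey binding", 0x19: "primary key binding", 0x1F: "direct key",
    0x20: "key revocation", 0x28: "subkey revocation", 0x30: "certification revocation",
}
HEADER_RE = re.compile(r"^:signature packet: algo (\d+), keyid ([0-9A-Fa-f]+)")
DETAIL_RE = re.compile(r"created (\d+), .*sigclass 0x([0-9A-Fa-f]+)")

SAMPLE = """:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1504334453, md5len 0, sigclass 0x13
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1504334453, md5len 0, sigclass 0x13
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1504703268, md5len 0, sigclass 0x18
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1504334453, md5len 0, sigclass 0x18
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1504703268, md5len 0, sigclass 0x18
--
:signature packet: algo 22, keyid 50268311C7AD3F62
    version 4, created 1508055794, md5len 0, sigclass 0x13
"""


def parse_signatures(text):
    """Return one dict per signature packet (issuer keyid, type, epoch, UTC string)."""
    sigs, current = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            current = {"algo": int(m.group(1)), "keyid": m.group(2).upper()}
        elif current is not None and (m := DETAIL_RE.search(line)):
            ts = int(m.group(1))
            current["created"] = ts
            current["utc"] = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
            current["sigclass"] = int(m.group(2), 16)
            sigs.append(current)
            current = None
    return sigs


def count_duplicates(sigs):
    """Copies beyond the first of an identical (issuer, type, time) signature."""
    seen = Counter((s["keyid"], s["sigclass"], s["created"]) for s in sigs)
    return sum(n - 1 for n in seen.values())


def timeline(sigs):
    """Distinct (UTC time, signature type) events, sorted like the answer's date list."""
    return sorted({(s["utc"], SIGCLASS_NAMES.get(s["sigclass"], hex(s["sigclass"]))) for s in sigs})
```

Feed it `gpg --list-packets pkey.txt` output and `timeline()` gives the edit-session view the answer built by hand, while `count_duplicates()` reproduces the number gpg reports as removed.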