
I downloaded the KeePassXC .AppImage file and was verifying it using first the .DIGEST file and then the .sig file. While I was verifying the download using the .sig file I noticed something strange, as I did not get the same results as they displayed. After importing their gpg keys and verifying the downloaded file I got the following output:

    gpg2 --verify --keyid-format long KeePassXC-2.2.2-2-x86_64.AppImage.sig
    gpg: assuming signed data in 'KeePassXC-2.2.2-2-x86_64.AppImage'
    gpg: Signature made Tue 24 Oct 2017 09:15:18 AM PDT
    gpg:                using RSA key B7A66F03B59076A8
    gpg: Good signature from "KeePassXC Release <release@keepassxc.org>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: BF5A 669F 2272 CF43 24C1  FDA8 CFB4 C216 6397 D0D2
         Subkey fingerprint: C1E4 CBA3 AD78 D3AF D894  F9E0 B7A6 6F03 B590 76A8

Here's their output as displayed on their "verify signatures" page:

    $ gpg --verify KeePassXC-$VERSION-x86_64.AppImage.sig
    gpg: assuming signed data in 'KeePassXC-$VERSION-x86_64.AppImage'
    gpg: Signature made Fri 17 Feb 2017 05:20:55 PM CET
    gpg:                using RSA key C1E4CBA3AD78D3AFD894F9E0B7A66F03B59076A8
    gpg: Good signature from "KeePassXC Release <release@keepassxc.org>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: BF5A 669F 2272 CF43 24C1  FDA8 CFB4 C216 6397 D0D2
         Subkey fingerprint: C1E4 CBA3 AD78 D3AF D894  F9E0 B7A6 6F03 B590 76A8

It says that the signature was "good" when I verified the file I downloaded. I'm just curious about one thing: why does their output show all of the sub keys put together at "using RSA key C1E4CBA3AD78D3AFD894F9E0B7A66F03B59076A8" and mine only shows one sub key, "using RSA key B7A66F03B59076A8"? Thanks!

1 Answer

In both cases - your example and the one linked - it is only showing the one key. The reason the latter example seems longer is not because it shows multiple keys concatenated together, but because in your case the key fingerprint was truncated (the full 40-character line is the fingerprint, in case that wasn't clear). The fingerprint is a convenient way to identify keys, but you typically do not need to see the full fingerprint in order to figure out which key is being referenced from a known subset.

Your case:

C1E4 CBA3 AD78 D3AF D894 F9E0 B7A6 6F03 B590 76A8

Their example:

C1E4 CBA3 AD78 D3AF D894 F9E0 B7A6 6F03 B590 76A8

The flag "--keyid-format long" indicates that the output should be a 16 character key id, so you get 16 characters. (I'm not familiar enough with gpg to know if the output in their example is the full amount because the flag is not present, or if the default behavior is different in that version of gpg).

Chris
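As an added example (not code from the question, the answer, or the KeePassXC project), the following Python derives the 16-character long key ID from the 40-character fingerprint, which is why `B7A66F03B59076A8` is simply the tail of `C1E4 ... B590 76A8`, and checks a `gpg --verify` transcript against the fingerprint published on the project's page rather than against the key ID alone. The transcript lines are a constructed sample built from the values in the question.

```python
import re

# Constructed sample of gpg --verify output, modelled on the run in the question
# (key values taken from the page; the transcript itself is a constructed sample).
GPG_OUTPUT = """\
gpg: assuming signed data in 'KeePassXC-2.2.2-2-x86_64.AppImage'
gpg: Signature made Tue 24 Oct 2017 09:15:18 AM PDT
gpg:                using RSA key B7A66F03B59076A8
gpg: Good signature from "KeePassXC Release <release@keepassxc.org>" [unknown]
Primary key fingerprint: BF5A 669F 2272 CF43 24C1  FDA8 CFB4 C216 6397 D0D2
     Subkey fingerprint: C1E4 CBA3 AD78 D3AF D894  F9E0 B7A6 6F03 B590 76A8
"""

# Subkey fingerprint as shown on the project's "verify signatures" page (from the question).
EXPECTED_SUBKEY_FPR = "C1E4 CBA3 AD78 D3AF D894 F9E0 B7A6 6F03 B590 76A8"

def normalize(fpr):
    """Strip whitespace and upper-case a fingerprint or key ID for comparison."""
    return re.sub(r"\s+", "", fpr).upper()

def key_id(fpr, length=16):
    """Key ID as gpg derives it: the last 16 (long) or 8 (short) hex digits of the fingerprint."""
    return normalize(fpr)[-length:]

def parse_verify_output(text):
    """Extract the 'using ... key' value and both fingerprints from gpg --verify output."""
    result = {"good_signature": False, "using_key": None, "primary_fpr": None, "subkey_fpr": None}
    for line in text.splitlines():
        if m := re.search(r"using \w+ key ([0-9A-Fa-f]+)", line):
            result["using_key"] = normalize(m.group(1))
        elif "Good signature from" in line:
            result["good_signature"] = True
        elif m := re.search(r"Primary key fingerprint:\s*([0-9A-Fa-f ]+)", line):
            result["primary_fpr"] = normalize(m.group(1))
        elif m := re.search(r"Subkey fingerprint:\s*([0-9A-Fa-f ]+)", line):
            result["subkey_fpr"] = normalize(m.group(1))
    return result

def signed_by_expected_key(text, expected_fpr):
    """True only if gpg reported a good signature AND the full fingerprint matches;
    a 16-digit key ID is just a suffix of the fingerprint and is not collision resistant."""
    r = parse_verify_output(text)
    fpr = normalize(expected_fpr)
    # The key ID gpg prints (short, long, or full) must be a suffix of the expected fingerprint.
    id_matches = r["using_key"] is not None and fpr.endswith(r["using_key"])
    fpr_matches = fpr in (r["subkey_fpr"], r["primary_fpr"])
    return r["good_signature"] and id_matches and fpr_matches
```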