7

GnuPG seems to have a number of different ways to refer to a (sub)key(pair):

  • Key IDs
  • Fingerprints
  • Keygrips

Additionally, gpg --list-sigs seems to show hexadecimal identifiers for signatures and such as well. Sometimes such IDs are abbreviated.

All of this is quite confusing, and I hope someone can shed some light on this.

What different types and forms of identifiers (key IDs, signature IDs, fingerprints, keygrips, ...) does GnuPG use? What is their format and purpose? Which of these can be used in abbreviated form? Are there any (security) reasons to prefer the use of one type or form to another?

jotik

3 Answers

4

Information regarding the key fingerprint/key ID calculation is available in RFC 4880 (and RFC 4880bis). For RSA-only v3 keys (now deprecated), the key ID was the low 8 bytes of the RSA modulus, and the fingerprint was an MD5 hash of the key-specific data.

For v4 keys the key ID is the rightmost 8 bytes of the fingerprint, which itself is a SHA-1 hash of some key-specific data plus the key material. For v5 keys the fingerprint will use a SHA-256 hash.

The keygrip is used internally in GnuPG; it is a SHA-1 hash of the key material with some additional formatting, but without OpenPGP-specific data. The grip is used to build the filename of the secret key(s) in the GnuPG keyring, and probably that's the only usable information about it :)

1

I am studying the same topic and I have found the following:

1) The key ID is the last 8 or 16 characters of the fingerprint, depending on which version of key ID you use, short or long. You can check it experimentally by creating gpg.conf in your ~/.gnupg directory with the line:

keyid-format 0xlong

or

keyid-format 0xshort

Type the command "gpg --list-key --with-fingerprint" to check it.

2) The fingerprint and keygrip are hash sums(?). The main difference is that the algorithm for keygrip calculation is protocol independent. It's common for different standards, e.g. OpenPGP and X.509 (https://lists.gnupg.org/pipermail/gnupg-users/2014-November/051769.html). So you can use the keygrip to identify your keys across encryption systems using different standards.

Hope it will help you)

ShatalovAF
0

From info gnupg:

  • Keygrip

    This term is used by GnuPG to describe a 20 byte hash value used to identify a certain key without referencing to a concrete protocol. It is used internally to access a private key. Usually it is shown and entered as a 40 character hexadecimal formatted string.
