
--with-fingerprint does not show fingerprints anymore
Closed, Invalid (Public)

Description

Since gpg version 2.1.13, the option --with-fingerprint seems to be inverted and
since version 2.1.16 it seems to be entirely broken.

Steps to reproduce:

  1. Take an arbitrary public key, such as the text block shown on your own
     website 'https://www.gnupg.org/signature_key.html', and store it in a file 'key.gpg'.
  2. Run 'gpg --with-fingerprint key.gpg'

The output since version 2.1.16 is this:

    pub   rsa2048 2011-01-12 [SC] [expires: 2019-12-31]
    uid           Werner Koch (dist sig)
    pub   rsa2048 2014-10-29 [SC] [expires: 2019-12-31]
    uid           David Shaw (GnuPG Release Signing Key) <dshaw@jabberwocky.com>
    pub   rsa2048 2014-10-29 [SC] [expires: 2020-10-30]
    uid           NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>
    pub   rsa2048 2014-10-19 [SC] [expires: 2020-12-31]
    uid           Werner Koch (Release Signing Key)
    pub   rsa1024 2006-01-01 [SC] [expired: 2011-06-30]
    uid           Werner Koch (dist sig) <dd9jn@gnu.org>
    pub   dsa1024 1998-07-07 [SCA] [expired: 2005-12-31]
    uid           Werner Koch (gnupg sig) <dd9jn@gnu.org>

The output in the versions 2.1.13 till 2.1.15 is this:

    pub   rsa2048 2011-01-12 [SC] [expires: 2019-12-31]
        D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
    uid           Werner Koch (dist sig)
    pub   rsa2048 2014-10-29 [SC] [expires: 2019-12-31]
        46CC 7308 65BB 5C78 EBAB  ADCF 0437 6F3E E085 6959
    uid           David Shaw (GnuPG Release Signing Key) <dshaw@jabberwocky.com>
    pub   rsa2048 2014-10-29 [SC] [expires: 2020-10-30]
        031E C253 6E58 0D8E A286  A9F2 2071 B08A 33BD 3F06
    uid           NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>
    pub   rsa2048 2014-10-19 [SC] [expires: 2020-12-31]
        D238 EA65 D64C 67ED 4C30  73F2 8A86 1B1C 7EFD 60D9
    uid           Werner Koch (Release Signing Key)
    pub   rsa1024 2006-01-01 [SC] [expired: 2011-06-30]
        7B96 D396 E647 1601 754B  E4DB 53B6 20D0 1CE0 C630
    uid           Werner Koch (dist sig) <dd9jn@gnu.org>
    pub   dsa1024 1998-07-07 [SCA] [expired: 2005-12-31]
        6BD9 050F D8FC 941B 4341  2DCC 68B7 AB89 5754 8DCD
    uid           Werner Koch (gnupg sig) <dd9jn@gnu.org>

Interestingly, the output without the option '--with-fingerprint' is in all
versions 2.1.13 till 2.1.17:

    pub   rsa2048 2011-01-12 [SC] [expires: 2019-12-31]
        D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
    uid           Werner Koch (dist sig)
    pub   rsa2048 2014-10-29 [SC] [expires: 2019-12-31]
        46CC730865BB5C78EBABADCF04376F3EE0856959
    uid           David Shaw (GnuPG Release Signing Key) <dshaw@jabberwocky.com>
    pub   rsa2048 2014-10-29 [SC] [expires: 2020-10-30]
        031EC2536E580D8EA286A9F22071B08A33BD3F06
    uid           NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>
    pub   rsa2048 2014-10-19 [SC] [expires: 2020-12-31]
        D238EA65D64C67ED4C3073F28A861B1C7EFD60D9
    uid           Werner Koch (Release Signing Key)
    pub   rsa1024 2006-01-01 [SC] [expired: 2011-06-30]
        7B96D396E6471601754BE4DB53B620D01CE0C630
    uid           Werner Koch (dist sig) <dd9jn@gnu.org>
    pub   dsa1024 1998-07-07 [SCA] [expired: 2005-12-31]
        6BD9050FD8FC941B43412DCC68B7AB8957548DCD
    uid           Werner Koch (gnupg sig) <dd9jn@gnu.org>

As a sidenote, the output was correct in version 2.1.12. With the option '--with-fingerprint':

    pub  rsa2048/4F25E3B6 2011-01-12 [expires: 2019-12-31]
        Key fingerprint = D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
    uid                   Werner Koch (dist sig)
    pub  rsa2048/E0856959 2014-10-29 [expires: 2019-12-31]
        Key fingerprint = 46CC 7308 65BB 5C78 EBAB  ADCF 0437 6F3E E085 6959
    uid                   David Shaw (GnuPG Release Signing Key) <dshaw@jabberwocky.com>
    pub  rsa2048/33BD3F06 2014-10-29 [expires: 2020-10-30]
        Key fingerprint = 031E C253 6E58 0D8E A286  A9F2 2071 B08A 33BD 3F06
    uid                   NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>
    pub  rsa2048/7EFD60D9 2014-10-19 [expires: 2020-12-31]
        Key fingerprint = D238 EA65 D64C 67ED 4C30  73F2 8A86 1B1C 7EFD 60D9
    uid                   Werner Koch (Release Signing Key)
    pub  rsa1024/1CE0C630 2006-01-01 [expires: 2011-06-30]
        Key fingerprint = 7B96 D396 E647 1601 754B  E4DB 53B6 20D0 1CE0 C630
    uid                   Werner Koch (dist sig) <dd9jn@gnu.org>
    pub  dsa1024/57548DCD 1998-07-07 [expires: 2005-12-31]
        Key fingerprint = 6BD9 050F D8FC 941B 4341  2DCC 68B7 AB89 5754 8DCD
    uid                   Werner Koch (gnupg sig) <dd9jn@gnu.org>

Without the option:

    pub  rsa2048/4F25E3B6 2011-01-12 [expires: 2019-12-31]
    uid                   Werner Koch (dist sig)
    pub  rsa2048/E0856959 2014-10-29 [expires: 2019-12-31]
    uid                   David Shaw (GnuPG Release Signing Key) <dshaw@jabberwocky.com>
    pub  rsa2048/33BD3F06 2014-10-29 [expires: 2020-10-30]
    uid                   NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>
    pub  rsa2048/7EFD60D9 2014-10-19 [expires: 2020-12-31]
    uid                   Werner Koch (Release Signing Key)
    pub  rsa1024/1CE0C630 2006-01-01 [expires: 2011-06-30]
    uid                   Werner Koch (dist sig) <dd9jn@gnu.org>
    pub  dsa1024/57548DCD 1998-07-07 [expires: 2005-12-31]
    uid                   Werner Koch (gnupg sig) <dd9jn@gnu.org>

Best regards,
Wolfgang

Details

Version
2.1.13 - 2.1.17

Event Timeline

hoelzlw added projects: gnupg, Bug Report.
hoelzlw added a subscriber: hoelzlw.

Could the priority of this bug be pushed up? I was trying to follow the instructions to verify a Centos 7 install image, but was unable to view the fingerprint using the version of gpg I have installed on this system - gpg (GnuPG) 2.1.19. This feels like a very bad regression from a UX perspective.

Yes, please please raise the priority on this. I just spent 15-30 minutes looking through tons of emails on lists saying to use --with-fingerprints and wondering what the heck was wrong with the people posting that until I saw this bug. Please raise priority, please fix.

werner added a subscriber: werner.

The use of gpg without a command is simply wrong. This has never been specified and could actually lead to surprises.
You need to import the key first and then look at it with -k (--list-keys) or --fingerprint.

Since 2.1 this command is possible

gpg --dry-run --import --import-options import-show  FILE

This lists the key in the same way --list-key would do and thus also shows the fingerprint. The FILE is not really imported.

In general it is a bad idea to maintain a "curated" keyring except if that keyring is used with gpgv. To put keys into the gpgv keyring (by default trustedkeys.gpg), it is best to export the keys from gpg using a list of fingerprints:

gpg --export FPR1 FPR2 FPR3 ... >trustedkeys.gpg

However, your distribution may have dedicated tools for this, like Debian's apt-key.
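A small POSIX shell helper, added here as an example and not part of this bug thread or of GnuPG itself, that takes the listing printed by the --dry-run --import command above (or any other human-readable gpg listing) and checks it for a fingerprint obtained out of band, so the check does not depend on which layout the installed gpg version uses. The function names extract_fingerprints and fingerprint_present are my own; the embedded sample listings are constructed by copying lines from the report above.

```shell
#!/bin/sh
# Added example (not GnuPG project code): verify that a key file carries the
# fingerprint you obtained out of band, independent of the gpg version's
# listing layout. The gpg invocation in the comment at the bottom is the one
# recommended in this thread; the helper functions are an assumption.

# Reduce a human-readable gpg listing on stdin to one bare, upper-case
# 40-hex-digit fingerprint per line. Accepts the 2.1.12 form
# ("Key fingerprint = D869 2123 ...") and the 2.1.13+ forms (an indented
# line of grouped or ungrouped hex under each "pub" line). Every other line,
# including pub/uid/sub lines and short key IDs, is dropped.
extract_fingerprints() {
    sed -e 's/^[[:space:]]*Key fingerprint = //' -e 's/[[:space:]]//g' |
        tr 'a-f' 'A-F' |
        grep -E '^[0-9A-F]{40}$'
}

# fingerprint_present EXPECTED < listing
# Exit 0 if EXPECTED (spaces and case ignored) is among the fingerprints in
# the listing, 1 otherwise. A listing that shows no fingerprint at all (as
# gpg 2.1.16/2.1.17 --with-fingerprint does) fails closed: nothing matches.
fingerprint_present() {
    want=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F')
    extract_fingerprints | grep -qx -- "$want"
}

# Constructed samples, copied from the listings quoted in the report.
SAMPLE_2_1_12='pub  rsa2048/4F25E3B6 2011-01-12 [expires: 2019-12-31]
    Key fingerprint = D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
uid                   Werner Koch (dist sig)'

SAMPLE_2_1_17='pub   rsa2048 2011-01-12 [SC] [expires: 2019-12-31]
    D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
uid           Werner Koch (dist sig)'

# 2.1.17 with --with-fingerprint: the fingerprint line is missing entirely.
SAMPLE_2_1_17_BROKEN='pub   rsa2048 2011-01-12 [SC] [expires: 2019-12-31]
uid           Werner Koch (dist sig)'

# The value you got from a trusted channel, not from the downloaded file.
EXPECTED='D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6'

# Real use, with gpg installed and key.gpg downloaded: list without importing
# and refuse to continue unless the expected fingerprint is present.
#   gpg --dry-run --import --import-options import-show key.gpg \
#       | fingerprint_present "$EXPECTED" \
#       || { echo "fingerprint mismatch, not importing key.gpg" >&2; exit 1; }
printf '%s\n' "$SAMPLE_2_1_17" | fingerprint_present "$EXPECTED" &&
    echo "sample listing carries the expected fingerprint"
```

Because the comparison is done on the normalised 40-digit fingerprint rather than on the 8-digit key ID shown after the slash in 2.1.12 listings, the same check works for every layout quoted in this report, and a listing that omits the fingerprint (the 2.1.16/2.1.17 --with-fingerprint case) is rejected rather than silently accepted.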

I don't think anyone is suggesting the use of gpg without a command. However, using it WITH the --with-fingerprint command seems to be broken. Thank you for providing a correct way of doing what we want, but please either explain why the use of the --with-fingerprint command isn't working, or put this back as a bug.

--with-fingerprint is an option to modify the output of --list-keys and not a command. There are other --with-xxxx options for other purposes. There is no command to list a keyring. This is why gpg meanwhile prints a warning when used without a command.