Today I found out that my keyring contained various keys of other persons multiple times. That is, the fingerprints of the multiple keys for a person were the same.
As I am using Thunderbird/Enigmail to read mailing lists, I was able to reproduce the error after activating the "auto-key-retrieve" option. It looks like Enigmail does two or more "--verify" calls to GnuPG at once and GnuPG somehow imports a key multiple times then. I was unable to reproduce the error in the Windows command line until now.
Setup:
- Vanilla Thunderbird and Enigmail installation
- Select GnuPG 2.2.1
- Input keyserver for automatic import (tested it with: pool.sks-keyservers.net)
- Leave rest of Enigmail configuration alone
Steps to reproduce:
- Empty HomeDir (kill/move all files)
- Kill gpg-agent and dirmngr if (still) running
- --list-keys on command line -> gpg creates keyring and returns 0 keys
- Select signed email, wait until key has been imported (i.e. msg "signature not verified/checked" is shown or task in taskmanager is gone)
- --list-keys on command line -> gpg returns 1 key
- Select signed email of another person and wait until key import complete
- --list-keys on command line -> gpg returns 3 keys !
--> The keyring now contains the same key (checked by fingerprint) two times!
Versions:
- GnuPG 2.2.1
- Enigmail 220.127.116.11 (20171001-1439)
- TB 52.4.0, x86, release
- Win 8.1 x64
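
One way to script the "checked by fingerprint" step, added here as an example and not part of the original report: it parses GnuPG's `--with-colons` key listing and reports any primary-key fingerprint that appears more than once. The function names and the sample listing (placeholder fingerprints) are constructed for illustration.

```python
import subprocess
from collections import Counter

# Constructed sample shaped like `gpg --with-colons --list-keys` output:
# three primary keys, two of which share one fingerprint (placeholders).
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1400000000:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:-::::1400000000::::Alice Example <alice@example.org>:
sub:-:4096:1:CCCCCCCCCCCCCCCC:1400000000::::::e:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1400000001:::-:::scESC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
uid:-::::1400000001::::Bob Example <bob@example.org>:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1400000001:::-:::scESC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
uid:-::::1400000001::::Bob Example <bob@example.org>:
"""

def primary_fingerprints(colon_output):
    """Return the fingerprint of every primary key, in keyring order."""
    fingerprints = []
    expect_fpr = False  # True only between a pub record and its fpr record
    for line in colon_output.splitlines():
        fields = line.split(":")
        record = fields[0]
        if record == "pub":
            expect_fpr = True
        elif record == "fpr" and expect_fpr and len(fields) > 9:
            fingerprints.append(fields[9])  # field 10 holds the fingerprint
            expect_fpr = False
        elif record in ("sub", "sec", "ssb"):
            expect_fpr = False  # an fpr after these is not a public primary key
    return fingerprints

def duplicated_keys(colon_output):
    """Map each fingerprint listed more than once to its number of copies."""
    counts = Counter(primary_fingerprints(colon_output))
    return {fpr: n for fpr, n in counts.items() if n > 1}

def list_keys_from_gpg(gpg="gpg"):
    """Fetch the machine-readable listing from the local keyring."""
    cmd = [gpg, "--batch", "--with-colons", "--fingerprint", "--list-keys"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    # Swap SAMPLE for list_keys_from_gpg() to check a real keyring.
    for fpr, copies in duplicated_keys(SAMPLE).items():
        print(f"{fpr} is present {copies} times")
```

Running the check after each reproduction step shows at which import the duplicate first appears.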