gpg certify key public key getting export along with sub-key public key

Question

I am using gpg. My keyring structure is explained below.

I have a certify key under that I have

• Encryption sub-key
• Authentication Sub-key

In order to export the sub-key following steps are executed

step-1 This command will list all the public key. I will take the keyid of public key. For example encryption.

gpg --keyid-format long --with-fingerprint --list-keys

I am using below command to export the subkey

gpg --export --armor --output public-key.asc <keyid>!

But I inspect by using the below command. I can see that it is exported the public key of my certify also.

gpg --list-packets public-key.asc | grep "\(packet\|keyid\)"

So my question are

Why it is exporting the public key of the certify?

Sharing the public key of the encryption key to the keyserver, will it share certify key public key? If yes, is there any security issue with this?

Answer 1

Why it is exporting the public key of the certify?

Userids can only exist on the masterkey (what you call 'certify') not a subkey. If you take only the subkey packets, which you can split out from the file with some effort, anyone besides you won't know whose key it is unless they remember the mapping of a 16-digit or more hex string to your identity. The people who will do that can be counted on one hand -- after a gruesome power-tool accident has cut off all your fingers.

(If you really want to do this, search for gpgsplit; I have seen several Qs or As addressing related cases you should be able to generalize, but I don't recall if they were here, superuser, security.SX, or unix.SX.)

Another feature/benefit of the standard structure is that each recipient only needs to determine (and now that WoT has failed, configure) trust once on the masterkey and then all subkeys -- both those that now exist and any created in the future -- are automatically verified and trusted. If you distribute subkeys (plural) without the masterkey, each one must be handled manually, every time.

Sharing the public key of the encryption key to the keyserver, will it share certify key public key? If yes, is there any security issue with this?

Yes. There is definitely no cryptographic issue; knowing your masterkey does not compromise or weaken your subkey(s) in any way. Because as above the masterkey can and normally does include your userid, it does allow people who receive or fetch your key (cluster) to know "who" it belongs to, at least to the extent you put accurate and usable information in your userid (you aren't forced to do so). Since the purpose of publishing or distributing your key is normally to let other people know it is yours, this is not normally considered an issue, but it's your decision how you feel about it.

Note if you want to use multiple 'personas' and prevent other people from linking them, distributing only subkeys does NOT accomplish this; other people can identify that subkeys are signed/certified by the same masterkey even when they don't know the userid for that masterkey.