
I was trying to verify the signature of linux-firmware with GnuPG:

  1. gpg --locate-keys jboyer@redhat.com
  2. I got the public key with: gpg --export --armor | less. This key has 88 lines.
  3. I used a public PGP server and found the public key at https://pgp.surfnet.nl/pks/lookup?search=jboyer%40redhat.com
  4. I started to compare the locate-keys key with the one from the public key server: they have the same fingerprint and are the same at the beginning, but they don't match after the middle of the short 88-line version.
  5. I imported the key from the PGP server and ran gpg --export --armor | less again; this key had 945 lines.
  6. gpg --verify linux-firmware-20210208.tar.asc showed the same primary key fingerprint and no errors for both keys, the short 88-line one from gpg --locate-keys and the long 945-line one from the public server.

I am comparing the "PGP PUBLIC KEY BLOCK" of two copies of the same key jboyer@redhat.com, with the same fingerprint but different lengths.

Why are there two public keys with the same fingerprint and different lengths?

  • similar question without a proper answer https://security.stackexchange.com/questions/60828/what-does-the-pgp-public-key-length-depend-on – Vitalij Chepelev Apr 02 '22 at 17:58

1 Answer

gpg --list-packets keyfile

showed me that the "PGP PUBLIC KEY BLOCK" has a complex format and keeps some history within "signature packet" blocks that I don't understand for now. The two keys have a different count of "signature packet" blocks.
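The following script is an added example, not part of the question or the answer above, and uses no code from GnuPG. It shows in code what `gpg --list-packets` reports: an exported "PGP PUBLIC KEY BLOCK" is a sequence of OpenPGP packets (RFC 4880), and the v4 fingerprint is a SHA-1 over the public-key packet alone, so a copy of the key that carries extra certification signatures (the kind a keyserver accumulates) is longer, and has more armor lines, while the fingerprint is unchanged. The key material is constructed for illustration (a toy 64-bit RSA modulus and dummy signature bodies), and the two sample blobs stand in for the short and the long export in the question; they are not the real key.

```python
"""Added example: why two exports of the same OpenPGP key differ in length.

A transferable public key (RFC 4880 s11.1) is a series of packets: the
public-key packet, user IDs, signatures over them, and subkeys.  The v4
fingerprint (RFC 4880 s12.2) covers the public-key packet body only, so a
copy with extra certification signatures is longer but has the same
fingerprint.  All key material below is constructed; no real key is used.
"""
import base64
import hashlib
import struct

TAG_NAMES = {2: "signature", 6: "public key", 13: "user ID", 14: "public subkey"}

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian value."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header with a 2-byte length; for tag 6 the header byte is 0x99."""
    return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body

def pubkey_body(n: int, e: int, created: int) -> bytes:
    """Version-4 RSA public-key packet body (RFC 4880 s5.5.2): version, time, algo 1, MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length, and the public-key packet body (RFC 4880 s12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def parse_packets(data: bytes):
    """Yield (tag, body) pairs; handles old- and new-format headers with definite lengths."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"byte {i}: not a packet header")
        if hdr & 0x40:  # new format: tag in the low 6 bits, variable-size length field
            tag, o1 = hdr & 0x3F, data[i + 1]
            if o1 < 192:
                n, i = o1, i + 2
            elif o1 < 224:
                n, i = ((o1 - 192) << 8) + data[i + 2] + 192, i + 3
            elif o1 == 255:
                n, i = struct.unpack(">I", data[i + 2:i + 6])[0], i + 6
            else:
                raise NotImplementedError("partial body lengths not handled")
        else:  # old format: tag in bits 2-5, length-field size in bits 0-1
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise NotImplementedError("indeterminate length not handled")
            size = (1, 2, 4)[ltype]
            n, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + n]
        i += n

def crc24(data: bytes) -> int:
    """OpenPGP radix-64 checksum (RFC 4880 s6.1)."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    """Wrap binary packets as a PGP PUBLIC KEY BLOCK: 64-column base64 plus a CRC line."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""] + lines + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])

def summarize(data: bytes) -> dict:
    """Roughly what gpg --list-packets shows: packet counts per type and the primary-key fingerprint."""
    counts, fpr = {}, None
    for tag, body in parse_packets(data):
        name = TAG_NAMES.get(tag, f"tag {tag}")
        counts[name] = counts.get(name, 0) + 1
        if tag == 6 and fpr is None:
            fpr = v4_fingerprint(body)
    return {"armor_lines": len(armor(data).splitlines()), "packets": counts, "fingerprint": fpr}

# Constructed sample: a toy 64-bit RSA modulus, one user ID, and dummy signature packets whose
# bodies are zero-filled placeholders (only their presence and size matter for the comparison).
PUBKEY = packet(6, pubkey_body(0xC2FDA3F3F1F4D6C3, 65537, 1612742400))
UID = packet(13, b"Example User <user@example.com>")
SELF_SIG = packet(2, b"\x04\x13" + b"\x00" * 300)    # 0x13: positive certification (self-signature)
OTHER_SIG = packet(2, b"\x04\x10" + b"\x00" * 300)   # 0x10: generic certification by a third party

SHORT_EXPORT = PUBKEY + UID + SELF_SIG               # stands in for the short copy in the question
KEYSERVER_COPY = SHORT_EXPORT + OTHER_SIG * 12       # same key plus accumulated certifications

if __name__ == "__main__":
    for label, blob in (("short export", SHORT_EXPORT), ("keyserver copy", KEYSERVER_COPY)):
        print(label, summarize(blob))
```

Running it prints one identical fingerprint for both blobs, with the keyserver copy reporting 13 signature packets and many more armor lines than the short export, which is the pattern in the question. The same check on real exports is `gpg --list-packets` over each file, and the line to compare is the one derived from the `public key packet`, not the count of `signature packet` entries.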