How can a public key contain several public keys with GPG (or what am I doing wrong)?

I'm setting up some Ubuntu servers. I received from another sysadmin a key to be added (call it somekey.pub) for apt package verification on in-house packages.



Adding this key with apt-key add somekey.pub results in TWO additional entries showing in apt-key list, each with a "pub" line and a "sub" line. (The "uid" line on both new entries is the sysadmin who gave me the key.)



How is this possible? Inspecting the key with less shows:



-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)

(41 lines snipped)
-----END PGP PUBLIC KEY BLOCK-----


I also used gpg to create a keyring containing just that key (using gpg --no-default-keyring --keyring ./somekeyring.gpg --import somekey.pub), so that I could put the keyring in /etc/apt/trusted.gpg.d/ on other Ubuntu servers rather than running the apt-key add command.



Inspecting this keyring with gpg --no-default-keyring --keyring ./somekeyring.gpg --list-keys confirms that it has two keys. Here is the output, munged slightly:



pub 1024R/4AAAAAAA 2018-08-31
uid Joe Sysadmin (Ubuntu Dev Repo Key) <joesysadmin@example.com>
sub 1024R/9FFFFFFF 2018-08-31

pub 2048R/BAAAAAAA 2018-08-31
uid Joe Sysadmin (Ubuntu Repo Repo Key) <joesysadmin@example.com>
sub 2048R/1EEEEEEE 2018-08-31


This is my first foray into GPG and apt keys, so I may be missing some simple basic piece of information, but I would expect that the single public key block in somekey.pub would only contain a single public key - so the above results surprised me.



Where is the documentation that will allow me to make sense of this?
apt gpg apt-key
asked Sep 7 at 22:48
Wildcard
  • A 1024-bit and a 2048-bit key in the same file is what it looks like to me.
    – Fabby
    Sep 7 at 23:29











  • @Fabby, expand that just a tad and you'd have an answer. :)
    – Wildcard
    Sep 8 at 2:09










  • A PGP key is more like a key wallet than a single key. The main key pair is used as a "wallet lock" if you will... for some fun try gpg --expert --edit-key yourkey@domain ... and then help in the interactive interface. You will notice an addkey option. So, a PGP key can have numerous subkeys. Each subkey is a public/private key pair. It's not uncommon to create a Master Key, and then create a "detached" subkey pair for daily use... which creates a long term key and a short term key... see here for lots of info and fun.
    – RubberStamp
    Sep 8 at 22:47
1 Answer
An OpenPGP message can be constructed from rather arbitrary OpenPGP packets -- including multiple primary keys. In fact, a "classic" GnuPG keyring not in Keybox format (.kbx) is just a single OpenPGP message with all keys lined up. The only difference from your keyring is that yours is ASCII-armored, which is just another encoding made for transmission over early communication protocols like e-mail, which at first supported only the original 127 ASCII characters.

Distributions of GnuPG usually include gpgsplit, which can be used to split apart the individual OpenPGP packets. To compose them again, just concatenate them (and run gpg --enarmor if you prefer the ASCII-armored encoding).

OpenPGP even offers a second way to include multiple OpenPGP public keys: usually, following best practice (and for some cryptographic algorithms as a technical requirement), multiple keys are created. A primary key is generated to be used only for key management (and maybe signing tasks), while one or more subkeys bound to the primary key are used for "day to day" operation. "How many OpenPGP keys should I make" offers a slightly more in-depth discussion of subkeys.






answered Sep 8 at 6:12
        Jens Erat
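The answer's point, that an armored key block is nothing more than a run of OpenPGP packets, is easy to see with GnuPG's own `gpg --list-packets somekey.pub`. What follows is an added example, not code from the original post and not GnuPG's code: a small RFC 4880 packet walker in Python that decodes the armor, reads both old- and new-format packet headers, groups each primary key (tag 6) with the user IDs (tag 13) and subkeys (tag 14) that follow it, computes the v4 fingerprint and short key ID that `gpg --list-keys` prints, and splits the stream into one raw keyring per primary key. The sample block is constructed: the MPIs are filler bytes rather than real RSA keys, and the user IDs, sizes and date mirror the listing in the question. Binding signatures (tag 2) are skipped, not verified, so this is an inspection tool, not a trust decision.

```python
"""Added example (not from the post or GnuPG): walk the RFC 4880 packets inside an
ASCII-armored PUBLIC KEY BLOCK, group them per primary key, and split them into keyrings."""
import base64, datetime, hashlib, struct

PUBKEY, UID, SUBKEY = 6, 13, 14          # RFC 4880 packet tags handled here
ALGO_LETTER = {1: "R", 17: "D"}          # letters gpg 2.0 prints for RSA and DSA

def dearmor(text):
    """Strip the armor lines and base64-decode the packet stream (CRC24 line ignored)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored block")
    inner = lines[1:-1]
    inner = inner[inner.index("") + 1:] if "" in inner else inner   # skip Version:/Comment: headers
    return base64.b64decode("".join(l for l in inner if not l.startswith("=")))

def enarmor(data):
    """Inverse of dearmor(); the optional CRC24 trailer is not emitted."""
    b64 = base64.b64encode(data).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "Comment: constructed sample", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)] + ["-----END PGP PUBLIC KEY BLOCK-----"])

def packets(data):
    """Yield (tag, body, raw_packet) per packet, decoding old- and new-format headers."""
    i = 0
    while i < len(data):
        start, ctb, i = i, data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % start)
        if ctb & 0x40:                                   # new-format header: tag in low 6 bits
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header: tag in bits 2-5
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4, None)[ctb & 0x03]
            if n is None:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length], data[start:i + length]
        i += length

def describe_key(body):
    """Decode a v4 key packet body (the only version handled) into what 'gpg --list-keys' prints."""
    created, algo, bits = struct.unpack(">IBH", body[1:8])   # bits = length of the first MPI (RSA n)
    # v4 fingerprint = SHA-1(0x99 || 2-byte body length || body); short key ID = its last 8 hex digits
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    date = datetime.datetime.fromtimestamp(created, datetime.timezone.utc).strftime("%Y-%m-%d")
    return {"bits": bits, "algo": ALGO_LETTER.get(algo, "?"), "date": date, "fpr": fpr, "keyid": fpr[-8:]}

def list_keys(armored):
    """One entry per primary key, with the user IDs and subkeys that follow it."""
    keys = []
    for tag, body, _ in packets(dearmor(armored)):
        if tag == PUBKEY:
            keys.append({"pub": describe_key(body), "uids": [], "subs": []})
        elif tag == UID:
            keys[-1]["uids"].append(body.decode("utf-8"))
        elif tag == SUBKEY:
            keys[-1]["subs"].append(describe_key(body))
        # tag 2 signatures, which bind uids and subkeys to the primary, are skipped, not verified
    return keys

def split_keyrings(armored):
    """One raw keyring per primary key (a classic .gpg keyring is just packets concatenated)."""
    rings = []
    for tag, _, raw in packets(dearmor(armored)):
        if tag == PUBKEY:
            rings.append(b"")
        rings[-1] += raw
    return rings

def fake_key_packet(tag, bits, created, seed):                # constructed: filler MPIs, not a real key
    filler = (hashlib.sha256(seed).digest() * 8)[:bits // 8 - 1]
    mpi_n = struct.pack(">H", bits) + b"\x80" + filler        # top bit set so the bit count is exact
    mpi_e = struct.pack(">H", 17) + b"\x01\x00\x01"           # e = 65537
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi_n + mpi_e   # v4, algo 1 = RSA
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body  # old header, 2-byte len

def uid_packet(text):                                         # new-format header, 1-octet length
    return bytes([0xC0 | UID, len(text.encode())]) + text.encode()

CREATED = 1535673600                                          # 2018-08-31 00:00 UTC
SAMPLE_BLOCK = enarmor(                                       # mirrors the listing in the question
    fake_key_packet(PUBKEY, 1024, CREATED, b"dev-primary")
    + uid_packet("Joe Sysadmin (Ubuntu Dev Repo Key) <joesysadmin@example.com>")
    + fake_key_packet(SUBKEY, 1024, CREATED, b"dev-sub")
    + fake_key_packet(PUBKEY, 2048, CREATED, b"repo-primary")
    + uid_packet("Joe Sysadmin (Ubuntu Repo Repo Key) <joesysadmin@example.com>")
    + fake_key_packet(SUBKEY, 2048, CREATED, b"repo-sub"))
if __name__ == "__main__":                                    # prints a gpg --list-keys style listing
    for k in list_keys(SAMPLE_BLOCK):
        print("pub %(bits)d%(algo)s/%(keyid)s %(date)s" % k["pub"], *("uid " + u for u in k["uids"]),
              *("sub %(bits)d%(algo)s/%(keyid)s %(date)s" % s for s in k["subs"]), "", sep="\n")
```

Run stand-alone it prints the same two-entry listing the question shows, with two independent fingerprints: two primary keys, each with its own uid and subkey, in one file. The practical consequence for apt is that `apt-key add` (or a keyring dropped into /etc/apt/trusted.gpg.d/) trusts every primary key in that file for every configured repository. If only one of the two is meant to sign the in-house repository, keep just that keyring (the output of split_keyrings is the binary form that directory expects) and pin it to the one source with `[signed-by=/path/to/keyring.gpg]` in the sources entry rather than making it globally trusted. The 1024-bit primary key is also worth raising with whoever issued it: 1024-bit RSA has been below the accepted minimum for signature keys for years.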
