How can a public key contain several public keys with GPG (or what am I doing wrong)?
I'm setting up some Ubuntu servers. I received from another sysadmin a key to be added (call it `somekey.pub`) for apt package verification on in-house packages.

Adding this key with `apt-key add somekey.pub` results in TWO additional entries showing in `apt-key list`, each with a "pub" line and a "sub" line. (The "uid" line on both new entries is the sysadmin who gave me the key.)

How is this possible? Inspecting the key with `less` shows:

```
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
(41 lines snipped)
-----END PGP PUBLIC KEY BLOCK-----
```

I also used `gpg` to create a keyring containing just that key (using `gpg --no-default-keyring --keyring ./somekeyring.gpg --import somekey.pub`), so that I could put the keyring in `/etc/apt/trusted.gpg.d/` on other Ubuntu servers rather than running the `apt-key add` command.

Inspecting this keyring with `gpg --no-default-keyring --keyring ./somekeyring.gpg --list-keys` confirms that it has two keys. Here is the output, munged slightly:

```
pub   1024R/4AAAAAAA 2018-08-31
uid                  Joe Sysadmin (Ubuntu Dev Repo Key) <joesysadmin@example.com>
sub   1024R/9FFFFFFF 2018-08-31

pub   2048R/BAAAAAAA 2018-08-31
uid                  Joe Sysadmin (Ubuntu Repo Repo Key) <joesysadmin@example.com>
sub   2048R/1EEEEEEE 2018-08-31
```

This is my first foray into GPG and apt keys, so I may be missing some simple basic piece of information, but I would expect that the single public key block in `somekey.pub` would only contain a single public key - so the above results surprised me.

Where is the documentation that will allow me to make sense of this?

Tags: apt, gpg, apt-key
A 1024-bit and a 2048-bit key in the same file is what it looks like to me. – Fabby, Sep 7 at 23:29

@Fabby, expand that just a tad and you'd have an answer. :) – Wildcard, Sep 8 at 2:09

A PGP key is more like a key wallet than a single key. The main key pair is used as a "wallet lock" if you will... for some fun try `gpg --expert --edit-key yourkey@domain` ... and then `help` in the interactive interface. You will notice an `addkey` option. So, a PGP key can have numerous subkeys. Each subkey is a public/private key pair. It's not uncommon to create a Master Key, and then create a "detached" subkey pair for daily use... which creates a long term key and a short term key... see here for lots of info and fun. – RubberStamp, Sep 8 at 22:47
asked Sep 7 at 22:48 by Wildcard
1 Answer
An OpenPGP message can be constructed of rather arbitrary OpenPGP packets -- including multiple primary keys. In fact, a "classic" GnuPG keyring not in Keybox format (`.kbx`) is just a single OpenPGP message with all keys lined up. The only difference to your keyring is that yours is ASCII-armored, which is just another encoding made for transmission over early communication protocols like e-mail that at first only supported the original 127 ASCII characters.

Distributions of GnuPG usually include `gpg-split`, which can be used to split apart the individual OpenPGP packets. To compose them again, just concatenate them again (and `gpg --enarmor` if you prefer the ASCII-armored encoding).

OpenPGP would even offer a second way to include multiple OpenPGP public keys: usually and following best practice (and for some cryptographic algorithms as a technical requirement), multiple keys are created. A primary key is generated only to be used for key management (and maybe signing tasks), while one or more subkeys bound to the primary key are used for "day to day" operation. "How many OpenPGP keys should I make" offers a slightly more in-depth discussion of subkeys.
answered Sep 8 at 6:12 by Jens Erat
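To make the answer's point concrete, here is an added example (not from the answer, the asker, or GnuPG) that dearmors a public key block the way `gpg --dearmor` would and walks the OpenPGP packet headers, so you can see that an armored file is just base64 around a flat packet sequence and that each primary-key packet (tag 6) becomes its own `pub` entry. The function names and the sample block are mine; the sample is constructed from placeholder packet bodies, not real key material.

```python
import base64
import re

ARMOR_RE = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)-----END PGP PUBLIC KEY BLOCK-----", re.S)

def dearmor(text: str) -> bytes:
    """Drop the armor framing, the 'Version:'-style headers and the '=XXXX' CRC line; base64-decode the rest."""
    m = ARMOR_RE.search(text)
    if not m:
        raise ValueError("no armored public key block found")
    lines = m.group(1).splitlines()
    body = lines[lines.index("") + 1:] if "" in lines else lines   # armor headers end at the first blank line
    return base64.b64decode("".join(ln for ln in body if ln and not ln.startswith("=")))

def parse_packets(raw: bytes) -> list:
    """Walk the packet headers (RFC 4880 section 4.2) and return (tag, body) pairs in file order."""
    packets, i = [], 0
    while i < len(raw):
        ctb = raw[i]; i += 1
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % (i - 1))
        if ctb & 0x40:                                        # new-format header, tag in the low 6 bits
            tag, first = ctb & 0x3F, raw[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + raw[i] + 192; i += 1
            elif first == 255:
                length = int.from_bytes(raw[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths do not occur in key material")
        else:                                                 # old-format header, tag in bits 2..5
            tag, n = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(ctb & 0x03)
            if n is None:
                raise ValueError("indeterminate length is not valid for key packets")
            length = int.from_bytes(raw[i:i + n], "big"); i += n
        packets.append((tag, raw[i:i + length])); i += length
    return packets

def packet_tags(armored: str) -> list:
    """Tag sequence of the block; every tag 6 (primary public key) shows up as its own 'pub' line in apt-key list."""
    return [tag for tag, _ in parse_packets(dearmor(armored))]

def old_packet(tag: int, body: bytes) -> bytes:
    """Old-format packet with a one-byte length; enough to build the constructed sample below."""
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed sample (placeholder bodies, not real key material): two primary keys, each followed by a
# user ID (13), a self-signature (2) and a subkey (14), laid out the way an exported armored file is.
SAMPLE_PACKETS = b"".join(old_packet(t, b) for t, b in [
    (6, b"\x04key-one"), (13, b"Joe Sysadmin (Dev)"), (2, b"sig"), (14, b"\x04sub-one"), (2, b"sig"),
    (6, b"\x04key-two"), (13, b"Joe Sysadmin (Repo)"), (2, b"sig"), (14, b"\x04sub-two"), (2, b"sig")])
SAMPLE_ARMOR = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG v2.0.22 (GNU/Linux)\n\n"
                + base64.b64encode(SAMPLE_PACKETS).decode() + "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Running `packet_tags` on a real `somekey.pub` instead of `SAMPLE_ARMOR` shows the same structure at full size: count the 6s to know how many `pub` entries `apt-key list` will add, and compare that count against what the sender told you to expect before trusting the file repository-wide.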