On 9/6/19 12:33 AM, Ángel wrote:
> I'm baffled by this.
>
> Could you run gpg2 --list-packets on both keyrings and compare their
> outputs?
>
> That should hint which packets are being included by 1.4 that are not by
> 2.2.

Hmm, interesting indeed.

The output is *almost* the same.

A diff looks like this (truncated, but you'll get the general idea):

--- keyringdump.gpg2    2019-09-13 20:50:26.839951269 +0200
+++ keyringdump.gpg1    2019-09-13 20:50:44.186005825 +0200
@@ -19,13 +19,15 @@
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID E1F958385BFE2B6E)
        data: [2046 bits]
-# off=635 ctb=b9 tag=14 hlen=3 plen=269
+# off=635 ctb=b0 tag=12 hlen=2 plen=2
+:trust packet: sig flag=00 sigcache=03
+# off=639 ctb=b9 tag=14 hlen=3 plen=269
 :public sub key packet:
        version 4, algo 1, created 1299793310, expires 0
        pkey[0]: [2048 bits]
        pkey[1]: [17 bits]
        keyid: 71F21F68F489CDCF
-# off=907 ctb=89 tag=2 hlen=3 plen=287
+# off=911 ctb=89 tag=2 hlen=3 plen=287
 :signature packet: algo 1, keyid E1F958385BFE2B6E
        version 4, created 1299793310, md5len 0, sigclass 0x18
        digest algo 2, begin of digest 77 f5
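Review bot: the inserted packet at off=635 is labelled ":trust packet: sig flag=00 sigcache=03", i.e. a tag 12 packet that gpg 1.4 writes directly after the preceding signature packet as its signature-check cache entry, not an ownertrust record; its 4 bytes (hlen=2 + plen=2) are exactly what moves the subkey packet from 635 to 639 and the binding signature from 907 to 911, so the key material itself is unchanged between the two keyrings.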
@@ -33,7 +35,9 @@
        hashed subpkt 27 len 1 (key flags: 0C)
        subpkt 16 len 8 (issuer key ID E1F958385BFE2B6E)
        data: [2044 bits]
-# off=1197 ctb=99 tag=6 hlen=3 plen=418
+# off=1201 ctb=b0 tag=12 hlen=2 plen=2
+:trust packet: sig flag=00 sigcache=03
+# off=1205 ctb=99 tag=6 hlen=3 plen=418
 :public key packet:
        version 4, algo 17, created 1234173545, expires 0
        pkey[0]: [1024 bits]
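Review bot: same pattern as the first hunk: the tag 12 packet at off=1201 sits between the subkey binding signature (its "data: [2044 bits]" line is the context just above) and the next primary key packet (tag 6), and the cumulative offset shift is now 8 bytes (1197 to 1205), i.e. two 4-byte trust packets, which is consistent with the earlier hunk and suggests every signature in the 1.4 keyring is followed by one.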


It looks like the gpg1 output has additional "trust" packets. Are those owner trust values? I wonder why gpg2 doesn't generate these packets?

According to RFC 4880 these are really owner trust values that SHOULD NOT be exported to files that are supposed to be handed to other users, but GPG can't determine whether such a keyring file will be used locally or not.

Either way, my best guess is that GPG 2.2+ drops the trust packets because the trust is not explicitly set (i.e., default value) - as an optimization. Can I instruct gpg2 to not do that? --export-ownertrust doesn't seem appropriate and then there's also the special concept of a trustdb, so I don't quite understand why trust packets would be exported to keyrings in the first place?



Mihai

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
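As an added example (not from the thread or from GnuPG's own code), here is a small Python walker that parses OpenPGP packet headers the way the dump above reports them (off, ctb, tag, hlen, plen) and flags tag 12 trust packets, which RFC 4880 sec. 5.10 says should not appear in keys handed to other users. The sample bytes are constructed with the same CTB values and lengths as the diff but zero-filled bodies; the function names and the two sample buffers are my own.

```python
from typing import List, Tuple

TRUST_PACKET_TAG = 12  # RFC 4880 sec. 5.10: implementation-private, SHOULD NOT be exported

def parse_header(buf: bytes, off: int) -> Tuple[int, int, int]:
    """Return (tag, hlen, plen) for the packet header at buf[off]; no partial lengths."""
    ctb = buf[off]
    if not ctb & 0x80:
        raise ValueError(f"byte at {off} is not a packet tag: {ctb:#04x}")
    if ctb & 0x40:  # new-format header (RFC 4880 sec. 4.2.2)
        tag, b1 = ctb & 0x3F, buf[off + 1]
        if b1 < 192:
            return tag, 2, b1
        if b1 < 224:
            return tag, 3, ((b1 - 192) << 8) + buf[off + 2] + 192
        if b1 == 255:
            return tag, 6, int.from_bytes(buf[off + 2:off + 6], "big")
        raise ValueError("partial body length not supported")
    # old-format header (RFC 4880 sec. 4.2.1): tag in bits 5..2, length type in bits 1..0
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    lsize = 1 << ltype  # 1, 2 or 4 length octets, so hlen is 2, 3 or 5
    return tag, 1 + lsize, int.from_bytes(buf[off + 1:off + 1 + lsize], "big")

def list_packets(buf: bytes) -> List[dict]:
    """Walk the buffer; one dict per packet, mirroring gpg's '# off=.. ctb=.. tag=..' lines."""
    out, off = [], 0
    while off < len(buf):
        tag, hlen, plen = parse_header(buf, off)
        if off + hlen + plen > len(buf):
            raise ValueError(f"packet at offset {off} runs past end of buffer")
        out.append({"off": off, "ctb": buf[off], "tag": tag, "hlen": hlen, "plen": plen})
        off += hlen + plen
    return out

def trust_packet_offsets(buf: bytes) -> List[int]:
    """Offsets of tag 12 trust packets, i.e. local GnuPG state that leaked into a keyring dump."""
    return [p["off"] for p in list_packets(buf) if p["tag"] == TRUST_PACKET_TAG]

def _pkt(ctb: int, plen: int) -> bytes:
    """Constructed old-format packet with a zero-filled body (bodies are irrelevant here)."""
    return bytes([ctb]) + plen.to_bytes(1 << (ctb & 0x03), "big") + bytes(plen)

# Constructed sample mirroring the thread's dump: same CTB bytes and lengths
# (b0/tag 12/2, b9/tag 14/269, 89/tag 2/287, 99/tag 6/418), bogus bodies.
GPG1_STYLE = _pkt(0xB0, 2) + _pkt(0xB9, 269) + _pkt(0x89, 287) + _pkt(0xB0, 2) + _pkt(0x99, 418)
GPG2_STYLE = _pkt(0xB9, 269) + _pkt(0x89, 287) + _pkt(0x99, 418)
```

Running `list_packets` over the two buffers reproduces the offset arithmetic of the diff: each trust packet adds exactly 4 bytes, so the gpg1-style sequence is 8 bytes longer than the gpg2-style one while every other packet is byte-for-byte identical.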
