Let's assume that I have a list of three key pairs on my bash screen when I run the following commands:
gpg2 --list-keys
and
gpg2 --list-secret-keys
My question is, when I run the following command to verify a signed file, which key pair is used by this tool?
gpg2 --verify test.sig
Does it check all the signing keys one by one to find a matching one or finish all the keys?
An OpenPGP signature includes a reference to the key used for signing. GnuPG will use this exact key to verify the signature.
An example for some document signed by my own key, analyzed using
gpg --list-packets:
8E78E44DFB1B55E9 is a signing subkey used for the signature (I enabled long key IDs, in case you wonder about the 16 character hex IDs).
For encryption, it is possible to hide the recipient key. In this case, GnuPG has to try all available encryption keys to decrypt the message.
Further keys might be involved for validating the signature, which means finding trust paths in the web of trust: but this is another, large topic.
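To make the key reference in the answer above concrete, here is an added example (not part of the original answer, and not GnuPG's code) that reads the issuer key ID out of a binary version 4 signature packet. The sample packet is constructed for illustration and is not a valid signature; handling of the Issuer Fingerprint subpacket goes beyond what the answer mentions.

```python
# Added example: list the key ID(s) that a v4 OpenPGP signature packet names as its issuer.
def _length(buf, i, two_octet_end):
    """Decode a 1-, 2- or 5-octet length at buf[i]; return (length, next index)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < two_octet_end:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not supported")

def _signature_body(pkt):
    """Strip the packet header and insist on tag 2 (Signature)."""
    head = pkt[0]
    if not head & 0x80:
        raise ValueError("not a binary OpenPGP packet (dearmor first)")
    if head & 0x40:                                  # new-format header
        tag, (n, i) = head & 0x3F, _length(pkt, 1, 224)
    else:                                            # old-format header
        tag, size = (head >> 2) & 0x0F, 1 << (head & 3)
        if size == 8:
            raise ValueError("indeterminate length is not supported")
        n, i = int.from_bytes(pkt[1:1 + size], "big"), 1 + size
    if tag != 2 or i + n > len(pkt):
        raise ValueError("not a complete signature packet")
    return pkt[i:i + n]

def issuer_key_ids(pkt):
    """Return the key IDs the signature itself says it was made with."""
    body = _signature_body(pkt)
    if body[0] != 4:
        raise ValueError("only version 4 signatures are handled")
    ids, pos = set(), 4                              # skip version, type, pk algo, hash algo
    for _ in ("hashed", "unhashed"):                 # the two subpacket areas, in order
        n = int.from_bytes(body[pos:pos + 2], "big")
        area, pos, i = body[pos + 2:pos + 2 + n], pos + 2 + n, 0
        while i < len(area):
            sub_len, i = _length(area, i, 255)       # length covers type octet + data
            if sub_len == 0 or i + sub_len > len(area):
                raise ValueError("malformed subpacket")
            kind, data = area[i] & 0x7F, area[i + 1:i + sub_len]
            if kind == 16 and len(data) == 8:        # Issuer: 8-octet key ID
                ids.add(data.hex().upper())
            elif kind == 33 and len(data) == 21 and data[0] == 4:
                ids.add(data[-8:].hex().upper())     # Issuer Fingerprint (v4): low 64 bits
            i += sub_len
    return ids

# Constructed packet (not a valid signature): creation time hashed, issuer unhashed.
SAMPLE = bytes.fromhex("881d 04000108 0006 05025f000000 000a 09108e78e44dfb1b55e9 0000 000101")
print(issuer_key_ids(SAMPLE))
```

The issuer subpacket usually sits in the unhashed area, so it is only a lookup hint: the signature is trustworthy because it verifies under that key, not because the packet names it.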