gpg --fingerprint prints out completely different fingerprint

GnuPG generally resolves subkeys to the primary key if a subkey is passed as argument. This might be especially surprising when specifying an encryption subkey: GnuPG resolves the subkey to the primary key, and might actually choose another subkey for encryption (selecting the newest encryption subkey).

For listing a key, this is always performed, for some operations like encryption you can append ! to the subkey's ID (ie. D72AF3448CC2B034) to explicitly select this key and disable the primary key lookup.

To display subkey fingerprints on the command line, apply the --with-subkey-fingerprints option:

$ gpg --list-keys --with-subkey-fingerprints D72AF3448CC2B034
pub   rsa4096/0x12F5F7B42F2B01E7 2017-02-09 [SC] [expires: 2027-02-07]
      F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
uid            [ unknown] OpenVPN - Security Mailing List <[email protected]>
sub   rsa4096/0xF80E8008F6D9F8D7 2017-02-09 [E] [expires: 2018-03-06]
      E6CAF699521B9B5E57A5C31BF80E8008F6D9F8D7
sub   rsa4096/0xD72AF3448CC2B034 2017-02-09 [S] [expires: 2018-03-06]
      B59606E2D8C6E10B80BE2B31D72AF3448CC2B034

gpg --fingerprint prints out completely different fingerprint

Tags:

Fingerprint

Gnupg

Pgp

Related

Recent Posts