Saturday 26th October 2019
I was recently investigating a suspicious GPG key for one of my domains that had shown some activity on the key servers after been dormant for nearly 10 years. The key wasn't mine, and since anybody can create a key with any name and email address, this wasn't indicative of a breach or imposter. However, it was intriguing to see what this automated system, spammer, or whoever they may be, was trying to do with the key.
PGP/GPG key server output can sometimes be quite confusing, especially if a key has multiple subkeys, user IDs and signatures. This prompted me to create a reference guide for PGP/GPG key server output, to help anyone else who may be in a similar situation.
Below is the key server entry for
Alice <firstname.lastname@example.org>, signed by
Bob <email@example.com>, which are sample keys that I created. You can click on any part to find out what it means:
Type bits/keyID cr. time exp time key expir pub rsa4096/a40ced0a9eaba810f55bb88ca41a7776121ce43c Hash=f24c4ff33f09e7da1b0cb2cf72cb2be3 uid Alice <firstname.lastname@example.org> sig sig a41a7776121ce43c 2019-10-19T21:43:52Z 2020-10-18T21:43:52Z ____________________ [selfsig] sig sig 24b1fb13f1b3b06c 2019-10-19T21:51:07Z ____________________ ____________________ 24b1fb13f1b3b06c uid Alice (Alt Email) <email@example.com> sig sig a41a7776121ce43c 2019-10-19T21:34:23Z 2020-10-18T21:34:23Z ____________________ [selfsig] sig sig 24b1fb13f1b3b06c 2019-10-19T21:51:08Z ____________________ ____________________ 24b1fb13f1b3b06c sub dsa3072/d7cff40b9c95ede5f8d10b62e91a02198a286d8f 2019-10-19T23:05:19Z sig sbind a41a7776121ce43c 2019-10-19T23:05:19Z ____________________ 2020-10-18T23:05:19Z  sub rsa4096/b8d4d1ab55a0f662596c52ab47652ce725cb3e8f 2019-10-19T21:16:21Z sig sbind a41a7776121ce43c 2019-10-19T21:16:21Z ____________________ 2020-10-18T21:16:21Z 
The type of the following entry. Common values are:
You may also see the following values when using GPG locally:
sec(Secret Key / Private Key)
ssb(Secret Subkey / Private Subkey)
The type of key. Common values are:
dsa(Digital Signature Algorithm)
The size of the key, in bits. Usually between 1024 and 4096. 2048 is the modern bare-minimum, with 4096 recommended for futureproofing. DSA keys are limited to 3072 bits in GPG.
The ID of the key, or if shown in a signature, the ID of the key that made the signature. Key IDs can be represented in multiple different ways:
Fingerprint: a40c ed0a 9eab a810 f55b b88c a41a 7776 121c e43c Long ID: a41a 7776 121c e43c Short ID: 121c e43c
When using GPG locally, you can choose which key ID format to use when listing keys:
gpg --keyid-format long --list-keys
gpg --keyid-format short --list-keys
Only fingerprints should be used nowadays, as brute-force techniques can be used to create 'unofficial' keys where the long or short key IDs collide with other 'legitimate' keys. This results in ambiguous trust, as a long or short key ID may match more keys than the one you are expecting.
An MD5 digest of the key.
For some reason information about this is very sparse. From what I can gather, it seems to be something to do with SKS, rather than OpenPGP or GPG directly.
The source code for the Hockeypuck key server software provides some clues and confirms that it is definitely MD5. If anyone knows more about this, please get in touch.
The user ID of the key or subkey, consisting of a name and email address, and optionally a comment and/or photograph.
First Last (Comment) <firstname.lastname@example.org>
User IDs can be added, edited and removed using the
--edit-keys option, which will bring up an interactive GPG shell. Some of the most common commands are:
list: List keys and UIDs
adduid: Add a UID
uid N: Select a UID number to edit
deluid: Delete the selected UID
primary: Make the selected UID the primary UID
trust: Change the trust level of the selected key
help: Show a help dialog
The level of trust asserted by a specific signature. In the OpenPGP specification this is represented by the hex values
0x13, and displayed by GnuPG as
sig: No indication
sig1: Personal belief but no verification
sig2: Casual verification
sig3: Extensive verification
sbind is used to represent the creation of the key/record, including the creation time.
When using GnuPG to create a signature, you can use the
--ask-cert-level option to set the certification level.
A time stamp, represented in ISO8601 format, with the
Z meaning 'Zulu', or UTC.
There are three columns of time stamps:
cr. time': Creation time of the key or signature
exp time': Expiry time of the signature
key expir': Expiry time of the key
Blank time stamps, represented as 20 underscores (
____________________), indicate that a key or signature is set to not expire.
Indicates that this is a self signature, whereby the users' own private key was used to sign their public key. This is done by default in most modern OpenPGP implementations.
There is very little documentation as to the actual purpose of the square brackets at the end of
sig sbind lines. They seem to just be a placeholder for notes such as
However, the source code for the Hockeypuck GPG key server software seems to indicate that
selfsig is the only possible value. If anybody has any further insight into this, please get in touch.