Trouble signing (was: Trouble exporting keys)

Neil Williams linux@codehelp.co.uk
Fri May 16 00:20:36 2003

On Thursday 15 May 2003 6:18 pm, Daniel Carrera wrote:
> I'll revoke my current key later today, and start over with a 4096-bit RSA
> primary signing key.  Later I'll create a 1024-bit DSA key and a 2048-bit
> ElGamal key.  And this will do exactly what I want:
>
>  - Long-term security through the 4096-bit primary key.
>  - GPG defaults to DSA for signing.
>  - If I ever want more security, I can use ! to sign with the RSA.

I haven't revoked any keys, just started with a completely new one, generated
exactly as above: 4096 RSA, 1024 DSA and 2048 ElGamal.  (I added a photo ID
for fun too, but generating that 4096 RSA took an age!!)

pub  4096R/48C5F366 2003-05-15 Neil Williams <linux@codehelp.co.uk>
uid                            [image of size 4569]
sub  1024D/F3C504D8 2003-05-15 [expires: 2004-05-14]
sub  2048g/E819E0B7 2003-05-15 [expires: 2004-05-14]
(A test key only - this will never reach a keyserver or be used on public 
messages/files/keys)

Did you mean signing documents / emails with the DSA?

gpg -u f3c504d8 --detach --sign lug.sql

gpg --verify lug.sql.sig
gpg: Signature made Thu 15 May 2003 22:49:03 BST using DSA key ID F3C504D8
gpg: Good signature from "Neil Williams <linux@codehelp.co.uk>"
gpg:                 aka "[image of size 4569]"

That works.

But I couldn't get it to work for keysigning. 

gpg -u f3c504d8! --sign-key a897fd02
or
gpg -u f3c504d8 --sign-key a897fd02

Makes no odds:

pub  1024D/A897FD02 2002-01-27 Neil Williams (laptop) <linux@codehelp.co.uk>
sig!3       A897FD02 2002-01-27   Neil Williams (laptop) <linux@codehelp.co.uk>
sig!3       48C5F366 2003-05-15   Neil Williams <linux@codehelp.co.uk>
sub  1024g/4D6D2952 2002-01-27
sig!        A897FD02 2002-01-27   Neil Williams (laptop) <linux@codehelp.co.uk>

Note the new sig by the primary RSA key 48c5f366, not f3c504d8 as in the
command.

(test sig on this key later deleted, again without updating a keyserver.)

Did I miss a stage?

If not, won't this cause confusion with regard to keysignings? The KeyID 
everyone has gotten used to on the mailings wouldn't appear in the list of 
signatures on keys. GnuPG can make sense of it, but it doesn't look very 
intuitive in the listings.

If the KeyID is the only identifier used (for anonymous keys) it'll be even 
harder to understand key signatures.

-- 

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

http://www.wewantbroadband.co.uk/
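As an added example (not part of the mail above), a small Python parser for the two listing formats quoted in the post: it records which key made each signature and, for a key ID handed to -u, which key will actually make the certification. It assumes the listings exactly as pasted above (a constructed test key) and GnuPG's rule that only primary keys carry the certify capability.

```python
import re
# Constructed sample input: the two listings quoted in the post (a test key, not a real keyring).
NEW_KEY_LISTING = """\
pub  4096R/48C5F366 2003-05-15 Neil Williams <linux@codehelp.co.uk>
uid                            [image of size 4569]
sub  1024D/F3C504D8 2003-05-15 [expires: 2004-05-14]
sub  2048g/E819E0B7 2003-05-15 [expires: 2004-05-14]
"""
CHECK_SIGS_LISTING = """\
pub  1024D/A897FD02 2002-01-27 Neil Williams (laptop) <linux@codehelp.co.uk>
sig!3       A897FD02 2002-01-27   Neil Williams (laptop) <linux@codehelp.co.uk>
sig!3       48C5F366 2003-05-15   Neil Williams <linux@codehelp.co.uk>
sub  1024g/4D6D2952 2002-01-27
sig!        A897FD02 2002-01-27   Neil Williams (laptop) <linux@codehelp.co.uk>
"""
ALGO = {"R": "RSA", "D": "DSA", "g": "ElGamal (encrypt-only)"}
KEY_RE = re.compile(r"^(pub|sub)\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8})\s+\d{4}-\d\d-\d\d")
# 'sig', optional status (! good, - bad, % error, ? unknown key), optional class digit, key ID
SIG_RE = re.compile(r"^sig(?P<status>[!\-%?])?(?P<cls>[1-3])?\S*\s+(?P<keyid>[0-9A-Fa-f]{8})")

def parse_keys(listing):
    """Map each key ID in a 'gpg --list-keys' style listing to its role, algorithm and primary."""
    keys, primary = {}, None
    for m in filter(None, map(KEY_RE.match, listing.splitlines())):  # uid lines carry no key ID
        kind, bits, algo, keyid = m.groups()
        if kind == "pub":
            primary = keyid.upper()  # the sub lines that follow belong to this primary
        keys[keyid.upper()] = {"role": "primary" if kind == "pub" else "subkey",
                               "bits": int(bits), "algo": ALGO.get(algo, algo), "primary": primary}
    return keys

def certifying_key_for(keyid, keys):
    """Key that really makes the certification when 'keyid' is passed to -u with --sign-key."""
    # Only primary keys carry the certify capability in GnuPG, so naming a signing
    # subkey still yields a certification by that subkey's primary, as the post observed.
    return keys[keyid.upper()]["primary"]

def parse_sigs(listing, keys):
    """Attribute each signature in a 'gpg --check-sigs' listing to its signer and that key's role."""
    sigs, section = [], None
    for line in listing.splitlines():
        if KEY_RE.match(line):
            section = line.split()[0]  # sigs under 'pub' certify user IDs; under 'sub' bind subkeys
            continue
        m = SIG_RE.match(line)
        if m:
            signer = m.group("keyid").upper()
            sigs.append({"signer": signer, "class": m.group("cls"), "good": m.group("status") == "!",
                         "on": "uid" if section == "pub" else "subkey",
                         "signer_role": keys.get(signer, {}).get("role", "unknown")})
    return sigs
```

Running it over the post's listings shows every certification on a user ID attributed to a primary key and none to the DSA subkey, which is why F3C504D8 never appears in the signature list.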