Downloading the same key results in different files

Ángel angel at pgp.16bits.net
Sun Dec 10 17:02:58 CET 2017


On 2017-12-08 at 13:37 -0500, Healer64 via Gnupg-users wrote:
> Hi, as keyserver spoofing and poisoning has been a concern, I decided
> to test it by downloading the same key from the same keyserver at
> different times and from different locations.
> 
> When I exported the resulting keys using ascii the files were
> significantly different, 3k difference in file sizes. Is this
> expected? 
> 
> All the keys have the same fingerprint and the same subkeys. All the
> keys successfully verify a good signature from the source address.
> 
> To account for differences in software version I imported each into a
> single machine, re-exported, then deleted the imported key and followed
> the same process with the next key, so each key was exported using the
> same software version. They are still different from each other and
> identical with the original. Is there any explanation for this?

Did they have the same signers?

Maybe in one case the key had extra signatures. That is the most common
reason for differences on a single key that I have seen.
Although if for instance the bigger one had an extra photo, that would
explain the difference, too.


Also note that although you can request it from "the same keyserver" (as
in the same hostname), you may actually be accessing a different server.
A host like pool.sks-keyservers.net may point to dozens of different
servers. And even if there is apparently a single one, there may be
several hosts balanced behind it (although in that case it would be more
strange that their dbs differed significantly).

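To check which of the two explanations applies, compare the two exports
packet by packet rather than by file size. The script below is an added
example, not code from this thread or from GnuPG: it walks the OpenPGP
packet headers (RFC 4880 section 4.2) of two binary exports and reports
which packet types account for the difference. The two "keys" it compares
are constructed from dummy packet bodies for illustration and are not real
key material; the second one carries three extra third-party certifications
and a user attribute (photo) packet, the two cases mentioned above.

```python
"""Compare two exports of the same OpenPGP key by packet type and size.

Walks the packet headers of two binary key exports (RFC 4880 section 4.2)
and reports which packet types account for the size difference, typically
extra third-party signatures (tag 2) or a user attribute/photo (tag 17).
The sample exports at the bottom are constructed from dummy packet bodies.
"""
import struct
from collections import Counter

TAG_NAMES = {2: "signature", 6: "public key", 13: "user id",
             14: "public subkey", 17: "user attribute"}


def iter_packets(data):
    """Yield (tag, body) for every packet in a binary OpenPGP message."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {i}")
        if ctb & 0x40:                       # new-format header
            tag, o1 = ctb & 0x3F, data[i + 1]
            if o1 < 192:
                length, hdr = o1, 2
            elif o1 < 224:
                length, hdr = ((o1 - 192) << 8) + data[i + 2] + 192, 3
            elif o1 == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:                            # 224..254: partial body length
                raise ValueError("partial body lengths not supported")
        else:                                # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i + 1:i + 1 + size], "big")
            hdr = 1 + size
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {i}")
        yield tag, body
        i += hdr + length


def summarize(data):
    """Return {packet type: (count, total body bytes)} for one export."""
    counts, sizes = Counter(), Counter()
    for tag, body in iter_packets(data):
        name = TAG_NAMES.get(tag, f"tag {tag}")
        counts[name] += 1
        sizes[name] += len(body)
    return {name: (counts[name], sizes[name]) for name in counts}


def explain_difference(a, b):
    """Return {packet type: (stats in a, stats in b)} where the exports differ."""
    sa, sb = summarize(a), summarize(b)
    return {name: (sa.get(name, (0, 0)), sb.get(name, (0, 0)))
            for name in sorted(set(sa) | set(sb))
            if sa.get(name, (0, 0)) != sb.get(name, (0, 0))}


# --- constructed sample exports (dummy bodies, not real key material) ---
def old_packet(tag, body):
    """Old-format header with a two-byte length, as gpg emits for tags < 16."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def new_packet(tag, body):
    """New-format header (required for tags >= 16, e.g. user attributes)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


PRIMARY   = old_packet(6, b"\x04" + b"\x00" * 50)       # dummy v4 primary key
UID       = old_packet(13, b"Alice <alice@example.org>")
SELF_SIG  = old_packet(2, b"\x04\x13" + b"\x00" * 70)   # dummy self-certification
OTHER_SIG = old_packet(2, b"\x04\x10" + b"\x00" * 70)   # dummy third-party cert
PHOTO     = new_packet(17, b"\x00" * 2500)              # dummy user attribute
SUBKEY    = (old_packet(14, b"\x04" + b"\x00" * 50)     # dummy subkey + binding sig
             + old_packet(2, b"\x04\x18" + b"\x00" * 70))

KEY_FROM_SERVER_A = PRIMARY + UID + SELF_SIG + SUBKEY
KEY_FROM_SERVER_B = (PRIMARY + UID + SELF_SIG + OTHER_SIG * 3
                     + PHOTO + SELF_SIG + SUBKEY)

if __name__ == "__main__":
    print("size difference:", len(KEY_FROM_SERVER_B) - len(KEY_FROM_SERVER_A), "bytes")
    for name, (a, b) in explain_difference(KEY_FROM_SERVER_A, KEY_FROM_SERVER_B).items():
        print(f"{name:15s} A: {a[0]} packets/{a[1]} bytes   B: {b[0]} packets/{b[1]} bytes")
```

To run it on real exports, feed it binary data: `gpg --export KEYID > a.gpg`
(or `gpg --dearmor < a.asc > a.gpg` for an ASCII-armored file) and call
`explain_difference` on the two files' contents. The same information is
available from `gpg --list-packets a.gpg`; the script just makes the
comparison between two copies explicit. The parser refuses partial body
lengths and indeterminate lengths, which do not appear in exported keys.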