[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

HulaHoop's public OpenPGP key on whonix website doesn't match the ones on the keyservers

#1

The key 04EF2F666D36C354058B9DD450C78B6F9FF2EC85 listed in this article on the whonix website:


direct link:
https://www.whonix.org/hulahoop.asc

doesn’t match the key with the same key id on public keyservers like the following:
http://pgpkeys.eu:11371/pks/lookup?search=0x04EF2F666D36C354058B9DD450C78B6F9FF2EC85&fingerprint=on&op=index

https://keyserver.ubuntu.com/pks/lookup?search=0x04EF2F666D36C354058B9DD450C78B6F9FF2EC85&op=vindex&fingerprint=on

You can compare them with the following online tool to see the difference:
https://neil.fraser.name/software/diff_match_patch/demos/diff.html

Just paste the one from the whonix website in the left field and the one from the keyserer in the right field and press the compute diff button.

Only the beginning and the end is he same. The middle isn’t the same, the key doesn’t match with the other one.
Maybe the key available on the whonix website is an old one.

I had to use pgpkeys.eu and keyserver.ubuntu.com as keyservers because keys.gnupg.net didn’t work for me at the last weekend.

#2

If the fingerprint matches, everything is ok.

OpenPGP / gpg works in some strange ways. Once someone adds a key signature to a foreign key (“signing a key”) and sends it to keyservers, the result will be that this key will have that signature integrated.

related commands:

gpg --list-sigs fingerprint
gpg --check-sigs fingerprint
2 Likes
#3

Thank you for your answer. That might explain it.