Upgrading Whonix. Signing key doesn't match

I download patrick.asc and check the fingerprint with
gpg --keyid-format long --with-fingerprint patrick.asc
just as the Whonix Signing Key documentation instructs to do.

The fingerprint is similar but does not match the fingerprint on the website.
Website fingerprint:

pub  4096R/2EEACCDA 2014-01-16 Patrick Schleizer <adrelanos@riseup.net>
Key fingerprint = 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA
sub  4096R/CE998547 2014-01-16 [expires: 2021-04-17]
sub  4096R/119B3FD6 2014-01-16 [expires: 2021-04-17]
sub  4096R/77BB3C48 2014-01-16 [expires: 2021-04-17]

Fingerprint in konsole:

pub  4096R/**DIFFERENT** 2014-01-16 Patrick Schleizer <adrelanos@riseup.net>
  Key fingerprint = 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA
sub  4096R/**DIFFERENT** 2014-01-16 [expires: 2021-04-17]
sub  4096R/**DIFFERENT** 2014-01-16 [expires: 2021-04-17]
sub  4096R/**DIFFERENT** 2014-01-16 [expires: 2021-04-17]

Is this normal or is something terribly wrong?

Could you post whatever DIFFERENT is?

If it looks like this:

pub   rsa4096/8D66066A2EEACCDA 2014-01-16 [SC] [expires: 2021-04-17]
      Key fingerprint = 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA
uid                           Patrick Schleizer <adrelanos@riseup.net>
sub   rsa4096/3B1E6942CE998547 2014-01-16 [E] [expires: 2021-04-17]
sub   rsa4096/10FDAC53119B3FD6 2014-01-16 [A] [expires: 2021-04-17]
sub   rsa4096/CB8D50BB77BB3C48 2014-01-16 [S] [expires: 2021-04-17]

then everything is fine as it just displays the long key IDs instead of the short key IDs.
The short key ID is the right half of the long key ID, so just verify that the last 8 characters of the long ID match the short ID.

Edit: I updated the wiki to display long key IDs in the example output. Could someone verify these are correct and approve the edit?

The issue is that gpg output changed in the gpg version shipped by Debian jessie vs the gpg version shipped by Debian stretch. The edit is now for the newer version of gpg, but will confuse users of the older version.

Older versions of gpg should also work; the issue was that the option --keyid-format long was added but the example outputs weren’t updated accordingly.

You probably added the option because GnuPG 2.1.13 (released 2016-06-16) changed the default for --keyid-format to none (I guess short was the previous default). If you want to keep using the short key IDs, just change the value for --keyid-format to short, but this would be less secure against collision attacks.

Even these long key IDs aren’t secure. If anything, it should always be the full key ID, i.e. the full key fingerprint.
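
The check the replies converge on, as an added example that is not part of the original thread or the Whonix documentation: compare the full 40-digit fingerprint taken from gpg's colon-format output, and never the key IDs, which change with `--keyid-format`. The function names, the `SAMPLE` records and the `LOOKALIKE` value are constructed for illustration.

```shell
#!/bin/sh
# Fingerprint published on the page for the Whonix signing key.
EXPECTED='916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA'
# Constructed value: same long key ID as EXPECTED, different fingerprint.
LOOKALIKE='0000 0000 0000 0000 0000  0000 8D66 066A 2EEA CCDA'
# Constructed sample of colon-format records (timestamps and flags are made up).
SAMPLE='pub:-:4096:1:8D66066A2EEACCDA:1389830400:1618617600::-:::scESCA:
fpr:::::::::916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA:
uid:-::::1389830400::::Patrick Schleizer <adrelanos@riseup.net>:
sub:-:4096:1:3B1E6942CE998547:1389830400:1618617600:::::e:
sub:-:4096:1:10FDAC53119B3FD6:1389830400:1618617600:::::a:
sub:-:4096:1:CB8D50BB77BB3C48:1389830400:1618617600:::::s:'

# Strip whitespace and upper-case the hex digits, so that the grouped
# website form and the colon-format form compare equal.
normalize() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read colon-format output on stdin and print the primary key fingerprint:
# field 10 of the first "fpr" record that follows the "pub" record.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# Succeed only when all 40 hex digits match. Key IDs are never consulted.
fpr_matches() {
    got=$(normalize "$1"); want=$(normalize "$2")
    case "$got" in *[!0-9A-F]*) return 1 ;; esac
    [ "${#got}" -eq 40 ] && [ "$got" = "$want" ]
}

# Relationship described in the thread: the long key ID is the last 16 hex
# digits of the fingerprint, the short key ID is the last 8.
long_id()  { normalize "$1" | tail -c 16; }
short_id() { normalize "$1" | tail -c 8; }

# Intended use on a downloaded key (assumes the page's command with
# --with-colons added):
#   fpr_matches "$(gpg --with-colons --with-fingerprint patrick.asc | primary_fpr)" "$EXPECTED"
```

`LOOKALIKE` would pass a comparison of short or long key IDs but fails `fpr_matches`.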