How to display gpg key data without import?

I have a copy of the gpg key of the postgresql apt repository and would like to see the details of the gpg key as it is in the file. Is this possible without importing it into the keychain?

+107
gnupg openpgp
Mar 03 '14 at 1:10
7 answers

When viewing OpenPGP key data, you can get several levels of detail: a basic summary, a machine-readable output of this summary, or a detailed (and very technical) list of the individual OpenPGP packets.

Basic Key Information

For a brief peek into the OpenPGP key file, you can simply pass the file name as a parameter or pipe the key data in via STDIN. If no command is passed, GnuPG tries to guess what you want to do, and for key data this is a summary of the key:

    $ gpg a4ff2279.asc
    gpg: WARNING: no command supplied.  Trying to guess what you mean ...
    pub   rsa8192 2012-12-25 [SC]
          0D69E11F12BDBA077B3726AB4E1F799AA4FF2279
    uid           Jens Erat (born 1988-01-19 in Stuttgart, Germany)
    uid           Jens Erat <jens.erat@fsfe.org>
    uid           Jens Erat <jens.erat@uni-konstanz.de>
    uid           Jens Erat <jabber@jenserat.de>
    uid           Jens Erat <email@jenserat.de>
    uid           [jpeg image of size 12899]
    sub   rsa4096 2012-12-26 [E] [revoked: 2014-03-26]
    sub   rsa4096 2012-12-26 [S] [revoked: 2014-03-26]
    sub   rsa2048 2013-01-23 [S] [expires: 2023-01-21]
    sub   rsa2048 2013-01-23 [E] [expires: 2023-01-21]
    sub   rsa4096 2014-03-26 [S] [expires: 2020-09-03]
    sub   rsa4096 2014-03-26 [E] [expires: 2020-09-03]
    sub   rsa4096 2014-11-22 [A] [revoked: 2016-03-01]
    sub   rsa4096 2016-02-24 [A] [expires: 2020-02-23]

By setting --keyid-format 0xlong, long key identifiers are printed instead of the insecure short key identifiers:

    $ gpg a4ff2279.asc
    gpg: WARNING: no command supplied.  Trying to guess what you mean ...
    pub   rsa8192/0x4E1F799AA4FF2279 2012-12-25 [SC]
          0D69E11F12BDBA077B3726AB4E1F799AA4FF2279
    uid                              Jens Erat (born 1988-01-19 in Stuttgart, Germany)
    uid                              Jens Erat <jens.erat@fsfe.org>
    uid                              Jens Erat <jens.erat@uni-konstanz.de>
    uid                              Jens Erat <jabber@jenserat.de>
    uid                              Jens Erat <email@jenserat.de>
    uid                              [jpeg image of size 12899]
    sub   rsa4096/0x0F3ED8E6759A536E 2012-12-26 [E] [revoked: 2014-03-26]
    sub   rsa4096/0x2D6761A7CC85941A 2012-12-26 [S] [revoked: 2014-03-26]
    sub   rsa2048/0x9FF7E53ACB4BD3EE 2013-01-23 [S] [expires: 2023-01-21]
    sub   rsa2048/0x5C88F5D83E2554DF 2013-01-23 [E] [expires: 2023-01-21]
    sub   rsa4096/0x8E78E44DFB1B55E9 2014-03-26 [S] [expires: 2020-09-03]
    sub   rsa4096/0xCC73B287A4388025 2014-03-26 [E] [expires: 2020-09-03]
    sub   rsa4096/0x382D23D4C9773A5C 2014-11-22 [A] [revoked: 2016-03-01]
    sub   rsa4096/0xFF37A70EDCBB4926 2016-02-24 [A] [expires: 2020-02-23]
    pub   rsa1024/0x7F60B22EA4FF2279 2014-06-16 [SCEA] [revoked: 2016-08-16]

Providing -v or -vv will add even more information. I prefer to print the packet details in this case (see below).

Machine readable output

GnuPG also has a colon-separated output format that is easy to parse and stable. The format is documented in the GnuPG doc/DETAILS file. The option to get this format is --with-colons.

    $ gpg --with-colons a4ff2279.asc
    gpg: WARNING: no command supplied.  Trying to guess what you mean ...
    pub:-:8192:1:4E1F799AA4FF2279:1356475387:::-:
    uid:::::::::Jens Erat (born 1988-01-19 in Stuttgart, Germany):
    uid:::::::::Jens Erat <jens.erat@fsfe.org>:
    uid:::::::::Jens Erat <jens.erat@uni-konstanz.de>:
    uid:::::::::Jens Erat <jabber@jenserat.de>:
    uid:::::::::Jens Erat <email@jenserat.de>:
    uat:::::::::1 12921:
    sub:-:4096:1:0F3ED8E6759A536E:1356517233:1482747633:::
    sub:-:4096:1:2D6761A7CC85941A:1356517456:1482747856:::
    sub:-:2048:1:9FF7E53ACB4BD3EE:1358985314:1674345314:::
    sub:-:2048:1:5C88F5D83E2554DF:1358985467:1674345467:::
    sub:-:4096:1:8E78E44DFB1B55E9:1395870592:1599164118:::
    sub:-:4096:1:CC73B287A4388025:1395870720:1599164118:::
    sub:-:4096:1:382D23D4C9773A5C:1416680427:1479752427:::
    sub:-:4096:1:FF37A70EDCBB4926:1456322829:1582466829:::

Since GnuPG 2.1.23, the warning "gpg: WARNING: no command supplied. Trying to guess what you mean ..." can be omitted with the --import-options show-only option together with the --import command (this also works without --with-colons, of course):

    $ gpg --with-colons --import-options show-only --import a4ff2279
    [snip]

For older versions: the warning message is printed on STDERR, so you can simply read STDIN to separate the key information from the warning.

Technical Data: Listing OpenPGP Packets

Without installing any additional packages, you can use gpg --list-packets [file] to view information about the OpenPGP packets contained in the file.

    $ gpg --list-packets a4ff2279.asc
    :public key packet:
            version 4, algo 1, created 1356475387, expires 0
            pkey[0]: [8192 bits]
            pkey[1]: [17 bits]
            keyid: 4E1F799AA4FF2279
    :user ID packet: "Jens Erat (born 1988-01-19 in Stuttgart, Germany)"
    :signature packet: algo 1, keyid 4E1F799AA4FF2279
            version 4, created 1356516623, md5len 0, sigclass 0x13
            digest algo 2, begin of digest 18 46
            hashed subpkt 27 len 1 (key flags: 03)
    [snip]

The pgpdump [file] tool works similarly to gpg --list-packets and provides similar output, but resolves all those algorithm identifiers into readable representations. It is available for probably all relevant distributions (in Debian derivatives, the package is called pgpdump, like the tool itself).

    $ pgpdump a4ff2279.asc
    Old: Public Key Packet(tag 6)(1037 bytes)
            Ver 4 - new
            Public key creation time - Tue Dec 25 23:43:07 CET 2012
            Pub alg - RSA Encrypt or Sign(pub 1)
            RSA n(8192 bits) - ...
            RSA e(17 bits) - ...
    Old: User ID Packet(tag 13)(49 bytes)
            User ID - Jens Erat (born 1988-01-19 in Stuttgart, Germany)
    Old: Signature Packet(tag 2)(1083 bytes)
            Ver 4 - new
            Sig type - Positive certification of a User ID and Public Key packet(0x13).
            Pub alg - RSA Encrypt or Sign(pub 1)
            Hash alg - SHA1(hash 2)
            Hashed Sub: key flags(sub 27)(1 bytes)
    [snip]

+124
Mar 03 '14 at 13:11

It seems I can just run:

    $ gpg <path_to_file>

Which outputs the following:

    $ gpg /tmp/keys/something.asc
    pub  1024D/560C6C26 2014-11-26 Something <something@none.org>
    sub  2048g/0C1ACCA6 2014-11-26

The OP did not specify which key information in particular is relevant. This output is all I care about.

+27
Dec 04 '14 at 17:53

To check and display the fingerprint of the key (without first importing it into the keychain), enter

    gpg --with-fingerprint <filename>

Edit: on Ubuntu 18.04 (gpg 2.2.4) the fingerprint is not displayed by the command above. Use the option --with-subkey-fingerprint:

    gpg --with-subkey-fingerprint <filename>

+26
Mar 08 '16 at 16:48

The --list-packets option parses the PGP data in the file and displays its structure in a very technical way. When parsing a public key, you can easily extract the user IDs and the key IDs of the signatures.

Be aware that this command only parses the data format; it does not verify signatures or anything similar.

+7
Mar 03 '14 at 13:00

When I came across this answer, I was looking for a way to get output that is easy to parse. For me, the --with-colons option did the trick:

    $ gpg --with-colons file
    sec::4096:1:AAAAAAAAAAAAAAAA:YYYY-MM-DD::::Name (comment) email
    ssb::4096:1:BBBBBBBBBBBBBBBB:YYYY-MM-DD::::

The documentation can be found here.

+2
May 10 '17 at 13:20
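Serving both the "Machine readable output" section of the first answer and this answer: an added example (not from any of the answers or from GnuPG) that parses --with-colons records into key IDs, user IDs and subkey expiry times, using the field order from doc/DETAILS. The SAMPLE text is constructed from a few of the lines listed earlier; the validity field stays "-" because nothing was imported or verified.

```python
"""Parse a `gpg --with-colons` listing (field order from doc/DETAILS) without importing the key."""
from datetime import datetime, timezone

# Constructed sample: a few records in the shape of the --with-colons listing shown above.
# Field 2 (validity) is "-" because the key was never imported, so nothing has been verified.
SAMPLE = """\
pub:-:8192:1:4E1F799AA4FF2279:1356475387:::-:
uid:::::::::Jens Erat <jens.erat@fsfe.org>:
uid:::::::::Jens Erat <email@jenserat.de>:
sub:-:4096:1:0F3ED8E6759A536E:1356517233:1482747633:::
sub:-:2048:1:9FF7E53ACB4BD3EE:1358985314:1674345314:::
"""

# Public-key algorithm IDs (RFC 4880 section 9.1, plus the ECC IDs GnuPG uses)
ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

def _key_fields(f):
    """Fields shared by pub/sec and sub/ssb records: length, algo, key ID, created, expires."""
    return {"keyid": f[4], "bits": int(f[2]), "algo": ALGOS.get(int(f[3]), "algo %s" % f[3]),
            "created": int(f[5]), "expires": int(f[6]) if f[6] else None}

def parse_colons(text):
    """Return one dict per primary key, with its user IDs and subkeys attached."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sec"):
            keys.append(dict(_key_fields(f), uids=[], subkeys=[]))
        elif f[0] == "uid" and keys:
            # Field 10 is the user ID; a literal colon inside it is escaped as \x3a.
            keys[-1]["uids"].append(f[9].replace("\\x3a", ":"))
        elif f[0] in ("sub", "ssb") and keys:
            keys[-1]["subkeys"].append(_key_fields(f))
    return keys

def expired_subkeys(key, now_ts):
    """Key IDs of subkeys whose expiration time (a Unix timestamp) lies before now_ts."""
    return [s["keyid"] for s in key["subkeys"] if s["expires"] and s["expires"] < now_ts]

def iso_date(ts):
    """Render a Unix timestamp the way the plain listing shows it (UTC date)."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d")

if __name__ == "__main__":
    for key in parse_colons(SAMPLE):
        print(key["algo"], key["bits"], key["keyid"], iso_date(key["created"]), expired_subkeys(key, 1700000000))
```

Feed it the real listing with `gpg --with-colons --import-options show-only --import file.asc` (stdout only; the warning on older versions goes to stderr).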

You can also use --keyid-format to display the short or long key identifier:

    $ gpg2 -n --with-fingerprint --keyid-format=short --show-keys <filename>

which displays like this (example from the PostgreSQL CentOS repository key):

    pub   dsa1024/442DF0F8 2008-01-08 [SCA]
          Key fingerprint = 68C9 E2B9 1A37 D136 FE74 D176 1F16 D2E1 442D F0F8
    uid                    PostgreSQL RPM Building Project <pgsqlrpms-hackers@pgfoundry.org>
    sub   elg2048/D43F1AF8 2008-01-08 [E]

+1
Jul 16 '19 at 8:51

pgpdump (https://www.lirnberger.com/tools/pgpdump/) is a tool you can use to inspect PGP blocks.

It is not user friendly and rather technical; however,

  • it parses public or private keys (without warning)
  • it does not change any keys (sometimes, in my experience, it is not very clear what gpg does under the hood)
  • it prints all packets, in particular the user ID packets, which contain the various textual key information.

    pgpdump -p test.asc
    New: Secret Key Packet(tag 5)(920 bytes)
            Ver 4 - new
            Public key creation time - Fri May 24 00:33:48 CEST 2019
            Pub alg - RSA Encrypt or Sign(pub 1)
            RSA n(2048 bits) - ...
            RSA e(17 bits) - ...
            RSA d(2048 bits) - ...
            RSA p(1024 bits) - ...
            RSA q(1024 bits) - ...
            RSA u(1020 bits) - ...
            Checksum - 49 2f
    New: User ID Packet(tag 13)(18 bytes)
            User ID - test (test) <tset>
    New: Signature Packet(tag 2)(287 bytes)
            Ver 4 - new
            Sig type - Positive certification of a User ID and Public Key packet(0x13).
            Pub alg - RSA Encrypt or Sign(pub 1)
            Hash alg - SHA256(hash 8)
            Hashed Sub: signature creation time(sub 2)(4 bytes)
                    Time - Fri May 24 00:33:49 CEST 2019
            Hashed Sub: issuer key ID(sub 16)(8 bytes)
                    Key ID - 0x396D5E4A2E92865F
            Hashed Sub: key flags(sub 27)(1 bytes)
                    Flag - This key may be used to certify other keys
                    Flag - This key may be used to sign data
            Hash left 2 bytes - 74 7a
            RSA m^d mod n(2048 bits) - ...
                    -> PKCS-1

Unfortunately this does not read stdin :/

0
May 23 '19 at
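To show what gpg --list-packets and pgpdump (first, fourth and this answer) are actually walking, here is an added example, not taken from any answer nor from GnuPG or pgpdump, that reads the OpenPGP packet headers (RFC 4880 section 4.2) of a binary key file and summarises each packet. It expects dearmored input (what gpg --dearmor produces); SAMPLE is a constructed dummy sequence of three packets, not a real key, and like the tools above it only parses structure and verifies nothing.

```python
"""Walk OpenPGP packet headers (RFC 4880 section 4.2) the way --list-packets / pgpdump do."""
from datetime import datetime, timezone

TAGS = {2: "signature", 5: "secret key", 6: "public key", 7: "secret subkey",
        13: "user ID", 14: "public subkey", 17: "user attribute"}

# Constructed binary sample (not a real key): old-format public-key packet with a one-octet length,
# new-format user ID packet, old-format signature packet with a two-octet length; bodies are dummies.
SAMPLE = (
    b"\x98\x0b" + b"\x04" + (1356475387).to_bytes(4, "big") + b"\x01" + b"\x00\x11\x01\x00\x01"
    + b"\xcd\x1e" + b"Jens Erat <jens.erat@fsfe.org>"
    + b"\x89\x00\x0c" + b"\x04\x13\x01\x02" + b"\x00" * 8
)

def read_packets(data):
    """Yield (tag, body) for each packet; raises on armored input or partial-length packets."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not a packet header at offset %d (is the input still armored?)" % pos)
        pos += 1
        if ctb & 0x40:                              # new format: tag in the low 6 bits
            tag, first = ctb & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body lengths are not supported here")
        else:                                       # old format: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported here")
            size = 1 << ltype                       # 1, 2 or 4 length octets
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        yield tag, data[pos:pos + length]
        pos += length

def describe(tag, body):
    """One-line summary per packet; only the header and fixed fields are parsed, nothing is verified."""
    name = TAGS.get(tag, "tag %d" % tag)
    if tag in (5, 6, 7, 14):                        # version, creation time, public-key algorithm
        created = datetime.fromtimestamp(int.from_bytes(body[1:5], "big"), timezone.utc)
        return "%s packet: version %d, algo %d, created %s" % (name, body[0], body[5], created.date())
    if tag == 13:
        return '%s packet: "%s"' % (name, body.decode("utf-8", "replace"))
    return "%s packet (%d bytes)" % (name, len(body))
```

Run it over a dearmored file with `for t, b in read_packets(open("key.gpg", "rb").read()): print(describe(t, b))`.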
