
The GPG Key ID / Fingerprint Information is Misplaced?

kuanyui
2024-04-16
2024-04-19
  • kuanyui

    kuanyui - 2024-04-16

    On the Official Site of VeraCrypt (
    https://www.veracrypt.fr/en/Digital%20Signatures.html ), it says:

    Current Public Key:
    https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc (ID=0x680D16DE
    , fingerprint is 5069A233D55A0EEB174A5FC3821ACD02680D16DE)
    
    Old Public Key used by VeraCrypt version 1.22 and below:
    https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key_2014.asc
    (ID=0x54DDD393, fingerprint is 993B7D7E8E413809828F0F29EB559C7C54DDD393)
    

    However, when I download the Current Public Key and check its basic
    information with gpg, the fingerprint matches the Current one
    (5069A233D55A0EEB174A5FC3821ACD02680D16DE), but the ID matches the Old
    one (0x54DDD393).

     gpg --show-keys ./VeraCrypt_PGP_public_key.asc
    pub   rsa4096 2018-09-11 [SC]
          5069A233D55A0EEB174A5FC3821ACD02680D16DE
    uid                      VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393)
    sub   rsa4096 2018-09-11 [E]
    sub   rsa4096 2018-09-11 [A]

    I'm a beginner with GPG, but I'm still not sure whether I misunderstand
    the basic concept of a public key's ID/Fingerprint, or whether the
    descriptions on the Official Site of VeraCrypt are really wrong /
    contradictory?


    Last but not least, I suggest the two public keys be displayed as an
    HTML table on this page, or as unified fields; in my humble opinion that
    would be much more readable than the current paragraph-based description
    and less error-prone. For example:

    Public Keys Used to Sign VeraCrypt

    Description                          | Key ID     | Fingerprint                              | Download Link
    Current (For latest VeraCrypt)       | 0x680D16DE | 5069A233D55A0EEB174A5FC3821ACD02680D16DE | https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc
    For VeraCrypt version 1.22 and below | 0x54DDD393 | 993B7D7E8E413809828F0F29EB559C7C54DDD393 | https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key_2014.asc

    Or merely rearrange the current nested lists, like this:

    To get / verify / import the public key, there are two available ways:
    1. Import from a trusted public key server via Key ID / Fingerprint. (ex: gpg --keyserver hkps://keys.openpgp.org --recv-keys $FINGERPRINT)
    2. Directly download the public key file via the links below. (ex: after verifying the Key ID and Fingerprint via gpg --show-keys $ASC_FILE_PATH, import the key via gpg --import $ASC_FILE_PATH)
    * Current Public Key:
      * Direct Download Link: https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc
      * Key ID: 0x680D16DE
      * Fingerprint: 5069A233D55A0EEB174A5FC3821ACD02680D16DE
    * Old Public Key used by VeraCrypt version 1.22 and below:
      * Direct Download Link: https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key_2014.asc
      * Key ID: 0x54DDD393
      * Fingerprint: 993B7D7E8E413809828F0F29EB559C7C54DDD393


    Last edit: kuanyui 2024-04-16
  • Jertzukka

    Jertzukka - 2024-04-19

    The Key ID is just the last 8 characters of the fingerprint. The new key mentions the ID of the previous key because it supersedes it, and the new key is also certified by the old key. You can read more about the PGP key transition here: https://sourceforge.net/p/veracrypt/discussion/general/thread/fcd0da57/
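Following up on the explanation above, an added example (not from the thread or from VeraCrypt) that parses the gpg --show-keys output quoted in the question, derives the short and long key IDs from the primary fingerprint, and keeps that apart from a key ID that merely appears inside the uid comment. The gpg output is a constructed copy embedded inline so it runs offline; the claimed values are the ones quoted from the VeraCrypt page.

```python
import re

# Constructed copy of the gpg --show-keys output quoted in the question, embedded
# so the check runs offline without gpg or the .asc file.
SHOW_KEYS_OUTPUT = """\
pub   rsa4096 2018-09-11 [SC]
      5069A233D55A0EEB174A5FC3821ACD02680D16DE
uid                      VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393)
sub   rsa4096 2018-09-11 [E]
sub   rsa4096 2018-09-11 [A]
"""

# Key ID / fingerprint pairs as stated on the VeraCrypt download page.
CLAIMED = {
    "current": ("0x680D16DE", "5069A233D55A0EEB174A5FC3821ACD02680D16DE"),
    "old":     ("0x54DDD393", "993B7D7E8E413809828F0F29EB559C7C54DDD393"),
}

FPR_LINE = re.compile(r"^\s+([0-9A-Fa-f]{40})\s*$", re.MULTILINE)
KEYID_IN_UID = re.compile(r"Key ID=(0x[0-9A-Fa-f]{8})")

def key_ids(fingerprint):
    """Derive the short (32-bit) and long (64-bit) key IDs from a v4 fingerprint.
    Both are simply the trailing hex digits; the short form is what the site prints."""
    fpr = fingerprint.replace(" ", "").upper()
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError("expected a 40-hex-digit OpenPGP v4 fingerprint")
    return {"short": "0x" + fpr[-8:], "long": "0x" + fpr[-16:]}

def inspect_show_keys(text):
    """Parse gpg --show-keys output: the primary fingerprint (first 40-hex line),
    the IDs derived from it, and key IDs that are only *mentioned* in uid strings."""
    fprs = FPR_LINE.findall(text)
    if not fprs:
        raise ValueError("no fingerprint line found in gpg output")
    primary = fprs[0].upper()
    return {"fingerprint": primary, **key_ids(primary),
            "mentioned_in_uid": KEYID_IN_UID.findall(text)}

def verify_against_claim(text, claimed_id, claimed_fpr):
    """True only if the primary fingerprint matches AND the short ID derived from
    it matches the claimed ID; an ID seen only in a uid comment does not count."""
    info = inspect_show_keys(text)
    return (info["fingerprint"] == claimed_fpr.replace(" ", "").upper()
            and info["short"].upper() == claimed_id.upper())

if __name__ == "__main__":
    print(inspect_show_keys(SHOW_KEYS_OUTPUT))
    for name, (kid, fpr) in CLAIMED.items():
        print(name, verify_against_claim(SHOW_KEYS_OUTPUT, kid, fpr))
```

Running it shows the downloaded key's own short ID is 0x680D16DE (derived from its fingerprint), while 0x54DDD393 appears only in the uid text, which is why the question's reading was misleading.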
