
How to display gpg key details without importing it?


I have a copy of the postgresql apt repository gpg key and would like to view the details of the gpg key as it comes in the file. Is this possible without importing it into a key ring?


Solution

  • There are several detail levels you can get when looking at OpenPGP key data: a basic summary, a machine-readable output of this summary or a detailed (and very technical) list of the individual OpenPGP packets.

    Basic Key Information

    For a brief peek at an OpenPGP key file, you can simply pass the filename as parameter or pipe in the key data through STDIN. If no command is passed, GnuPG tries to guess what you want to do -- and for key data, this is printing a summary on the key:

    $ gpg a4ff2279.asc
    gpg: WARNING: no command supplied.  Trying to guess what you mean ...
    pub   rsa8192 2012-12-25 [SC]
          0D69E11F12BDBA077B3726AB4E1F799AA4FF2279
    uid           Jens Erat (born 1988-01-19 in Stuttgart, Germany)
    uid           Jens Erat <jens.erat@fsfe.org>
    uid           Jens Erat <jens.erat@uni-konstanz.de>
    uid           Jens Erat <jabber@jenserat.de>
    uid           Jens Erat <email@jenserat.de>
    uid           [jpeg image of size 12899]
    sub   rsa4096 2012-12-26 [E] [revoked: 2014-03-26]
    sub   rsa4096 2012-12-26 [S] [revoked: 2014-03-26]
    sub   rsa2048 2013-01-23 [S] [expires: 2023-01-21]
    sub   rsa2048 2013-01-23 [E] [expires: 2023-01-21]
    sub   rsa4096 2014-03-26 [S] [expires: 2020-09-03]
    sub   rsa4096 2014-03-26 [E] [expires: 2020-09-03]
    sub   rsa4096 2014-11-22 [A] [revoked: 2016-03-01]
    sub   rsa4096 2016-02-24 [A] [expires: 2020-02-23]
    

    By setting --keyid-format 0xlong, long key IDs are printed instead of the insecure short key IDs:

    $ gpg --keyid-format 0xlong a4ff2279.asc
    gpg: WARNING: no command supplied.  Trying to guess what you mean ...
    pub   rsa8192/0x4E1F799AA4FF2279 2012-12-25 [SC]
          0D69E11F12BDBA077B3726AB4E1F799AA4FF2279
    uid                             Jens Erat (born 1988-01-19 in Stuttgart, Germany)
    uid                             Jens Erat <jens.erat@fsfe.org>
    uid                             Jens Erat <jens.erat@uni-konstanz.de>
    uid                             Jens Erat <jabber@jenserat.de>
    uid                             Jens Erat <email@jenserat.de>
    uid                             [jpeg image of size 12899]
    sub   rsa4096/0x0F3ED8E6759A536E 2012-12-26 [E] [revoked: 2014-03-26]
    sub   rsa4096/0x2D6761A7CC85941A 2012-12-26 [S] [revoked: 2014-03-26]
    sub   rsa2048/0x9FF7E53ACB4BD3EE 2013-01-23 [S] [expires: 2023-01-21]
    sub   rsa2048/0x5C88F5D83E2554DF 2013-01-23 [E] [expires: 2023-01-21]
    sub   rsa4096/0x8E78E44DFB1B55E9 2014-03-26 [S] [expires: 2020-09-03]
    sub   rsa4096/0xCC73B287A4388025 2014-03-26 [E] [expires: 2020-09-03]
    sub   rsa4096/0x382D23D4C9773A5C 2014-11-22 [A] [revoked: 2016-03-01]
    sub   rsa4096/0xFF37A70EDCBB4926 2016-02-24 [A] [expires: 2020-02-23]
    pub   rsa1024/0x7F60B22EA4FF2279 2014-06-16 [SCEA] [revoked: 2016-08-16]
    

    Providing -v or -vv will even add some more information. I prefer printing the packet details in this case, though (see below).

    Machine-Readable Output

    GnuPG also has a colon-separated output format, which is easily parsable and has a stable format. The format is documented in GnuPG doc/DETAILS file. The option to receive this format is --with-colons.

    $ gpg --with-colons a4ff2279.asc
    gpg: WARNING: no command supplied.  Trying to guess what you mean ...
    pub:-:8192:1:4E1F799AA4FF2279:1356475387:::-:
    uid:::::::::Jens Erat (born 1988-01-19 in Stuttgart, Germany):
    uid:::::::::Jens Erat <jens.erat@fsfe.org>:
    uid:::::::::Jens Erat <jens.erat@uni-konstanz.de>:
    uid:::::::::Jens Erat <jabber@jenserat.de>:
    uid:::::::::Jens Erat <email@jenserat.de>:
    uat:::::::::1 12921:
    sub:-:4096:1:0F3ED8E6759A536E:1356517233:1482747633:::
    sub:-:4096:1:2D6761A7CC85941A:1356517456:1482747856:::
    sub:-:2048:1:9FF7E53ACB4BD3EE:1358985314:1674345314:::
    sub:-:2048:1:5C88F5D83E2554DF:1358985467:1674345467:::
    sub:-:4096:1:8E78E44DFB1B55E9:1395870592:1599164118:::
    sub:-:4096:1:CC73B287A4388025:1395870720:1599164118:::
    sub:-:4096:1:382D23D4C9773A5C:1416680427:1479752427:::
    sub:-:4096:1:FF37A70EDCBB4926:1456322829:1582466829:::
    

    Since GnuPG 2.1.23, the gpg: WARNING: no command supplied. Trying to guess what you mean ... warning can be omitted by using the --import-options show-only option together with the --import command (this also works without --with-colons, of course):

    $ gpg --with-colons --import-options show-only --import a4ff2279
    [snip]
    

    For older versions: the warning message is printed on STDERR, so you could just read STDIN to split apart the key information from the warning.

    Technical Details: Listing OpenPGP Packets

    Without installing any further packages, you can use gpg --list-packets [file] to view information on the OpenPGP packets contained in the file.

    $ gpg --list-packets a4ff2279.asc
    :public key packet:
        version 4, algo 1, created 1356475387, expires 0
        pkey[0]: [8192 bits]
        pkey[1]: [17 bits]
        keyid: 4E1F799AA4FF2279
    :user ID packet: "Jens Erat (born 1988-01-19 in Stuttgart, Germany)"
    :signature packet: algo 1, keyid 4E1F799AA4FF2279
        version 4, created 1356516623, md5len 0, sigclass 0x13
        digest algo 2, begin of digest 18 46
        hashed subpkt 27 len 1 (key flags: 03)
    [snip]
    

    The pgpdump [file] tool works similarly to gpg --list-packets and provides a similar output, but resolves all those algorithm identifiers to readable representations. It is available for probably all relevant distributions (on Debian derivatives, the package is called pgpdump like the tool itself).

    $ pgpdump a4ff2279.asc
    Old: Public Key Packet(tag 6)(1037 bytes)
        Ver 4 - new
        Public key creation time - Tue Dec 25 23:43:07 CET 2012
        Pub alg - RSA Encrypt or Sign(pub 1)
        RSA n(8192 bits) - ...
        RSA e(17 bits) - ...
    Old: User ID Packet(tag 13)(49 bytes)
        User ID - Jens Erat (born 1988-01-19 in Stuttgart, Germany)
    Old: Signature Packet(tag 2)(1083 bytes)
        Ver 4 - new
        Sig type - Positive certification of a User ID and Public Key packet(0x13).
        Pub alg - RSA Encrypt or Sign(pub 1)
        Hash alg - SHA1(hash 2)
        Hashed Sub: key flags(sub 27)(1 bytes)
    [snip]