
Before importing a key from a file, I want to check the key's fingerprint. According to the instructions from the CentOS wiki, I use the command

gpg --quiet --with-fingerprint <path of key file>

If I use GnuPG 2.1.16 (self-compiled) or GnuPG 2.1.17 (OpenSUSE Tumbleweed or ArchLinux, command gpg), the output does not contain the key.

If I use GnuPG 2.1.15 (self-compiled) or GnuPG 2.1.13 (Fedora, command gpg2), the output contains the fingerprint as expected.

How do I get the fingerprint with the newer GnuPG versions?

Below is further information on my tests:

  • The used key file: http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7
  • output of gpg --quiet --with-fingerprint ./RPM-GPG-KEY-CentOS-7
    • with GnuPG 2.1.17:
      pub   rsa4096 2014-06-23 [SC]
      uid           CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>
      
    • with GnuPG 2.1.16:
      pub   rsa4096 2014-06-23 [SC]
      uid           CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>
      
    • with GnuPG 2.1.13:
      pub   rsa4096 2014-06-23 [SC]
            6341 AB27 53D7 8A78 A7C2  7BB1 24C6 A8A7 F4A8 0EB5
      uid           CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>
      
Kusalananda


This works (at least in 2.2.4):

gpg --import --import-options show-only ~/schneier.gpg

From the man page:

--import-options parameters
       import-show
       show-only
         Show a listing of the key as imported right before it is stored.  This
         can be combined with the option --dry-run to only look at keys; the
         option show-only is a shortcut for this combination.  Note that
         suffixes like '#' for "sec" and "sbb" lines may or may not be printed.
perror

See https://unix.stackexchange.com/a/391346/29483. Treating the keyfile as a keyring didn't work for me, but the accepted answer helped.

cat keyfile.key | gpg --with-colons --import-options import-show --dry-run --import

Tested on Debian 9 with gpg 2.1.18, and Fedora 26 with gpg2 2.2.0:

$ gpg2 --with-fingerprint --import-options import-show --dry-run --import < linux_signing_key.pub 
pub   dsa1024 2007-03-08 [SC]
      4CCA 1EAF 950C EE4A B839  76DC A040 830F 7FAC 5991
uid                      Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub   elg2048 2007-03-08 [E]

pub   rsa4096 2016-04-12 [SC]
      EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
uid                      Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub   rsa4096 2016-04-12 [S] [expires: 2019-04-12]

gpg: Total number processed: 2

It's also possible --with-fingerprint is obsolescent. GPG2 seems to have been fixed to stop outputting the insecure short key IDs.

$ gpg2 --import-options import-show --dry-run --import < linux_signing_key.pub
pub   dsa1024 2007-03-08 [SC]
      4CCA1EAF950CEE4AB83976DCA040830F7FAC5991
      4CCA1EAF950CEE4AB83976DCA040830F7FAC5991
uid                      Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub   elg2048 2007-03-08 [E]

pub   rsa4096 2016-04-12 [SC]
      EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796
      EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796
uid                      Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub   rsa4096 2016-04-12 [S] [expires: 2019-04-12]

gpg: Total number processed: 2

Unfortunately I wanted machine-readable output from --with-colons, but there's something else going on there :-(.

$ gpg --with-colons --with-fingerprint --import-options import-show --dry-run --import < linux_signing_key.pub 
gpg: lookup_hashtable failed: Unknown system error
gpg: trustdb: searching trust record failed: Unknown system error
gpg: Error: The trustdb is corrupted.
gpg: You may try to re-create the trustdb using the commands:
gpg:   cd ~/.gnupg
gpg:   gpg --export-ownertrust > otrust.tmp
gpg:   rm trustdb.gpg
gpg:   gpg --import-ownertrust < otrust.tmp
gpg: If that does not work, please consult the manual

I ended up using the following code:

gpg_show_fingerprints() {
    # Probe whether this gpg2 accepts --import-options import-show;
    # exit status 2 is a usage error, i.e. an older GnuPG that lacks it.
    gpg2 --with-fingerprint --import-options import-show --dry-run --import < "$1" >/dev/null 2>&1
    if [ "$?" -eq 2 ]; then
        # Usage error.  Try the old way.
        gpg2 --with-fingerprint "$1"
    else
        gpg2 --with-fingerprint --import-options import-show --dry-run --import < "$1"
    fi
}

# Keep only the fingerprint: a run of ten or more groups of four hex digits.
gpg_show_fingerprints "$1" |
    sed -E -n -e 's/.*(([0-9A-F]{4}[ ]*){10,}).*/\1/ p'
sourcejedi

Interestingly enough, omitting the --with-fingerprint option prints the fingerprint but without space formatting. Using gpg version 2.2.20.

$ gpg RPM-GPG-KEY-CentOS-7
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2014-06-23 [SC]
      6341AB2753D78A78A7C27BB124C6A8A7F4A80EB5
uid           CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>
bocekm
gpg --show-keys --fingerprint RPM-GPG-KEY-CentOS-7
pub   rsa4096 2014-06-23 [SC]
      6341 AB27 53D7 8A78 A7C2  7BB1 24C6 A8A7 F4A8 0EB5
uid                      CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>

From the GPG manual:

       --show-keys
              This command takes OpenPGP keys as input and prints information about them
              in the same way the command --list-keys does for locally stored key.  In
              addition the list options show-unusable-uids, show-unusable-subkeys,
              show-notations and show-policy-urls are also enabled.  As usual for automated
              processing, this command should be combined with the option --with-colons.

       --fingerprint
              List all keys (or the specified ones) along with their fingerprints. This is
              the same output as --list-keys but with the additional output of a line with
              the fingerprint. May also be combined with --check-signatures.  If this
              command is given twice, the fingerprints of all secondary keys are listed too.
              This command also forces pretty printing of fingerprints if the keyid format
              has been set to "none".

       --with-fingerprint
              Same as the command --fingerprint but changes only the format of the output
              and may be used together with another command.

My GnuPG version is 2.2.20.

References:

https://serverfault.com/a/1059889/619144
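The answers above obtain the same fingerprint in three layouts: four-character groups (--fingerprint and the older --with-fingerprint), a single unspaced 40-hex line (GnuPG 2.2.20 with no command), and the colon format (--with-colons, which the manual excerpt designates for automated processing). Whoever scripts a key check therefore has to normalize before comparing. The POSIX sh functions below are an added example, not code from any answer on this page: they extract the fingerprint from each layout, reduce it to one canonical 40-hex string and compare it with a pinned value. Every sample listing is constructed from the CentOS-7 key shown in the question, and the pub: and uid: records are abbreviated placeholders rather than captured gpg output; the length check rejects anything shorter than a full v4 fingerprint, including the 16-hex short key IDs the third answer calls insecure.

```shell
#!/bin/sh
# Added example, not code from any answer on this page: normalize the three
# fingerprint layouts gpg prints and compare the result with a pinned value.
# All sample output below is CONSTRUCTED from the CentOS-7 key listing in the
# question; the pub: and uid: record fields are abbreviated placeholders.

# Fingerprint the question shows for RPM-GPG-KEY-CentOS-7 (GnuPG 2.1.13 output).
PINNED='6341AB2753D78A78A7C27BB124C6A8A7F4A80EB5'

# Constructed --with-colons style output.  The fpr record carries the
# fingerprint in field 10; the short key ID in the pub record is the low
# 64 bits of that fingerprint.  Other fields are placeholders.
SAMPLE_COLONS='pub:-:4096:1:24C6A8A7F4A80EB5:1403481600:::-:::scSC::::::23::0:
fpr:::::::::6341AB2753D78A78A7C27BB124C6A8A7F4A80EB5:
uid:-::::::::CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>::'

# Constructed human-readable listings: the spaced groups of --fingerprint and
# the unspaced 40-hex line GnuPG 2.2.20 prints without --with-fingerprint.
SAMPLE_SPACED='pub   rsa4096 2014-06-23 [SC]
      6341 AB27 53D7 8A78 A7C2  7BB1 24C6 A8A7 F4A8 0EB5
uid           CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>'
SAMPLE_UNSPACED='pub   rsa4096 2014-06-23 [SC]
      6341AB2753D78A78A7C27BB124C6A8A7F4A80EB5
uid           CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>'

# Canonical form: uppercase hex with all whitespace removed.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Fingerprints from --with-colons output on stdin, one canonical value per line.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print toupper($10) }'
}

# Fingerprints from a human-readable listing on stdin: keep only lines made of
# exactly ten 4-hex-digit groups, spaced or not, then canonicalize them.
fpr_from_listing() {
    sed -E -n 's/^[[:space:]]*(([0-9A-Fa-f]{4}[[:space:]]*){10})[[:space:]]*$/\1/p' \
        | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Compare what gpg reported with the pinned value.  The length check rejects
# 16-hex short key IDs and 32-hex v3 fingerprints: only a full 40-hex v4
# fingerprint can match.  Returns 0 on match, 1 otherwise.
verify_fpr() {
    got=$(normalize_fpr "$1")
    want=$(normalize_fpr "$2")
    [ "${#got}" -eq 40 ] && [ "$got" = "$want" ]
}

# Re-create gpg's pretty layout: 4-char groups, a double space after the fifth.
pretty_fpr() {
    printf '%s\n' "$(normalize_fpr "$1")" \
        | sed -E 's/(.{4})/\1 /g; s/^(.{24}) /\1  /; s/ $//'
}

# Demo on the constructed samples, the way a repo-key pinning step would run.
for layout in colons spaced unspaced; do
    case $layout in
        colons)   reported=$(printf '%s\n' "$SAMPLE_COLONS"   | fpr_from_colons) ;;
        spaced)   reported=$(printf '%s\n' "$SAMPLE_SPACED"   | fpr_from_listing) ;;
        unspaced) reported=$(printf '%s\n' "$SAMPLE_UNSPACED" | fpr_from_listing) ;;
    esac
    if verify_fpr "$reported" "$PINNED"; then
        echo "$layout: OK   $(pretty_fpr "$reported")"
    else
        echo "$layout: FAIL reported='$reported' pinned='$PINNED'" >&2
    fi
done

# A bare short key ID must never pass, however it is printed.
if verify_fpr '24C6A8A7F4A80EB5' "$PINNED"; then
    echo "short key ID accepted (bug)" >&2
else
    echo "short key ID rejected as expected"
fi
```

In practice the samples are replaced by the real output of one of the commands in the answers, for example the --with-colons form of the --show-keys command from the last answer piped into fpr_from_colons; the colon format is the one to script against, since the human-readable layout changed between the GnuPG versions listed in the question and the manual reserves --with-colons for automated processing.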