30

Is there some tool to write out the actual content of a GnuPG public key in a way a human can understand? I mean not only ascii-armor which a human can read and type, but something which really breaks down the data into large decimal numbers for the crypto part, strings for the UIDs, and so on? I'd really like to see what's in there.

Actual application today: I've two keys from the same person, created at the same date, but differing in fingerprint. The assumption is that one of them was created from the other by some kind of conversion, probably by importing the older key into a keychain using recent software. I'd like to see what actually changed. Perhaps it's only the fingerprinting algorithm which changed, but perhaps there is more to it.

MvG
  • 1,519

5 Answers

28

Try

gpg --list-packets --verbose < pubkey.asc

It doesn't dump the key data, but it shows all the other details. To dump additional raw data parts you need debug flag 2, so add --debug 0x02, this will dump the keys and other data in hex. This works in GPG versions 1.2 and 1.4, but sadly not in 2.0 as support for dumping bignum (MPI) data is not enabled (see DBG_MPI in g10/parse-packet.c) for some reason.

Also try pgpdump:

pgpdump < pubkey.asc
mr.spuratic
  • 2,758
4

While waiting for answers, I read RFC4880 (OpenPGP) and came up with some code of my own to parse and print the relevant portion of an exported packet stream. Far from complete, but it might be useful to others, so I'm posting this as well. Right now I see little benefit over that pgpdump suggested by @grawity, but who knows…

MvG
  • 1,519
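An added example, in the spirit of the parser MvG describes above (this is not MvG's code, which is not on this page): a minimal RFC 4880 packet walker that handles both old- and new-format packet headers, decodes a v4 public-key packet into its creation time, algorithm and MPIs as plain decimal integers, decodes User ID packets as strings, and computes the v4 fingerprint as SHA-1 over 0x99, the two-byte body length and the body. The key material it runs on is constructed inline for the demo (a made-up modulus and a placeholder user ID), not a real key; to feed it a real exported key, convert the armored file to binary first (for example with `gpg --dearmor`) and pass the bytes to `dump`.

```python
"""Minimal RFC 4880 OpenPGP packet walker (added example, not code from the
answers above). Decodes public-key packets to decimal MPIs, User IDs to
strings, and computes v4 fingerprints. Demo input is constructed, not real."""
import hashlib
import struct

PK_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
MPI_COUNT = {1: 2, 16: 3, 17: 4}  # RSA: n,e  Elgamal: p,g,y  DSA: p,q,g,y


def read_mpi(buf, pos):
    """Return (value, new_pos) for an MPI: 2-byte bit count, then big-endian bytes."""
    bits = struct.unpack(">H", buf[pos:pos + 2])[0]
    nbytes = (bits + 7) // 8
    return int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), pos + 2 + nbytes


def iter_packets(data):
    """Yield (tag, body) for each packet; handles old and new CTB headers (RFC 4880 4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if ctb & 0x40:  # new format: tag in the low 6 bits, variable-length size
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old format: tag in bits 2..5, length-type in the low 2 bits
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        yield tag, data[pos:pos + length]
        pos += length


def parse_public_key(body):
    """Decode a v4 public-key packet body (tag 6 or 14) into plain Python values."""
    version = body[0]
    if version != 4:
        raise ValueError(f"only v4 keys handled here, got v{version}")
    created = struct.unpack(">I", body[1:5])[0]
    algo = body[5]
    mpis, pos = [], 6
    for _ in range(MPI_COUNT.get(algo, 0)):
        value, pos = read_mpi(body, pos)
        mpis.append(value)
    # v4 fingerprint (RFC 4880 12.2): SHA-1(0x99 || 2-byte length || packet body)
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    return {"version": version, "created": created, "algo": PK_ALGOS.get(algo, algo),
            "mpis": mpis, "fingerprint": fpr, "keyid": fpr[-16:]}


def dump(data):
    """Return a list of (kind, decoded value) for every packet in a binary stream."""
    out = []
    for tag, body in iter_packets(data):
        if tag in (6, 14):
            out.append(("public key" if tag == 6 else "public subkey", parse_public_key(body)))
        elif tag == 13:
            out.append(("user id", body.decode("utf-8", "replace")))
        else:
            out.append((f"tag {tag}", f"{len(body)} bytes"))
    return out


def build_demo_key(n, e, uid, created=1537196506):
    """Construct a v4 RSA public-key packet (old-format header, so the CTB is 0x99)
    followed by a User ID packet (new-format header). Constructed test data only."""
    def mpi(x):
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    key_body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    key_pkt = bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(key_body)) + key_body
    uid_pkt = bytes([0xC0 | 13, len(uid)]) + uid.encode()
    return key_pkt + uid_pkt


DEMO_N = (1 << 1023) | 0x1234567890ABCDEF  # constructed 1024-bit value, not a real modulus
DEMO = build_demo_key(DEMO_N, 65537, "Demo User <demo@example.invalid>")

if __name__ == "__main__":
    for kind, value in dump(DEMO):
        print(kind, value)
```

Running two exports of the "same" key through `dump` and comparing the two dictionaries answers the question's actual application directly: if the MPIs are identical but the creation time or version byte differs, the fingerprint will differ even though the key material did not change, because the v4 fingerprint covers the whole packet body and not just the numbers.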
3

I've used pgpdump. It works well, and shows nice human-readable output. It doesn't yet print Elliptic Curve keys, but it will at least tell you it is an EC key. If you select the "dump literals" option, it will show you the actual key data.

2

pgpdump is good, and there is also sq packet dump, from the sequoia project, which I find more readable:

sq packet dump /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
Public-Key Packet, old CTB, 525 bytes
    Version: 4
    Creation time: 2018-09-17 15:01:46 UTC
    Pk algo: RSA
    Pk size: 4096 bits
    Fingerprint: F6ECB3762474EDA9D21B7022871920D1991BC93C
    KeyID: 871920D1991BC93C

User ID Packet, old CTB, 66 bytes
    Value: Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

Signature Packet, old CTB, 568 bytes
    Version: 4
    Type: PositiveCertification
    Pk algo: RSA
    Hash algo: SHA512
    Hashed area:
      Signature creation time: 2018-09-17 15:01:46 UTC
      Key flags: CS
      Symmetric algo preferences: AES256, AES192, AES128, CAST5, TripleDES
      Hash preferences: SHA256, SHA1, SHA384, SHA512, SHA224
      Compression preferences: Zlib, BZip2, Zip
      Features: MDC
      Keyserver preferences: no modify
    Unhashed area:
      Issuer: 871920D1991BC93C
    Digest prefix: 2C73
    Level: 0 (signature over data)

Signature Packet, old CTB, 563 bytes
    Version: 4
    Type: GenericCertification
    Pk algo: RSA
    Hash algo: SHA512
    Hashed area:
      Issuer Fingerprint: 153F1C9EF1395FBF00352E8D0BFB847F3F272F5B
      Signature creation time: 2018-09-17 15:12:03 UTC
    Unhashed area:
      Issuer: 0BFB847F3F272F5B
    Digest prefix: 6E17
    Level: 0 (signature over data)

Repo is at https://gitlab.com/sequoia-pgp/sequoia, crate is at https://lib.rs/crates/sequoia-sq, installable from cargo and many good package managers (Debian/Ubuntu/Arch/Fedora…)

Tobu
  • 2,781
0

Is someone able to explain to me where "gpg --list-packets --verbose < pubkey.asc" or any other snippet? I don't even know what they are called, mini scripts. What is done with them, and what program or app is used to run that snippet or add that snippet or use? Is there a 101 link to understand this? I have a problem where Kleopatra's exported public key is denied by Mozilla Thunderbird when I am trying to add encryption.

Dewy
  • 1