[Enigmail] Signing subkey - different key id.

Faramir faramir.cl at gmail.com
Fri Feb 6 13:24:48 PST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ushills wrote:
> I need to see if I have done this correctly, I have created a signing
> sub-key as recommended on this mailing list to sign emails on less
> trustworthy machines without exposing my primary key.

  Good. Just don't forget to make sure the whole set of keys (the main
key with its subkeys) are safe...

> However, when opening the email the signature does not reference my
> primary key and therefore from my perspective appears to indicate that
> the email could be sent from someone pretending to be me with a key
> they have created themselves.

  I don't have much experience with those signatures, but since the
signing subkey is signed by your main key, and the whole set of keys are
present in your public key, I suppose it won't cause misunderstandings.
Take a look at this message, probably it will be signed with my signing
subkey...

> My primary key id is 0xBE7E87FD, however all signatures come across as
> 0xCA265DC6 is this how it is supposed to work.  I have attached my

  The attachment was lost somehow, but your public key is available at
keyservers, so there is no problem.

> Also, I set a different passphrase for the signing sub-key, however,
> when sending from thunderbird I have to enter the passphrase from my
> primary key not the sub-key, is this correct - it doesn't appear to be

  Well, what I did was to generate the signing subkeys, export the
subkeys, and on another machine without my whole key, I imported the
subkeys. At that point, IIRC, the subkeys had the same passphrase as the
main key. I changed the passphrase, and that is what I have to enter
when I use those subkeys. If you import the subkeys to your keyring
which already has the whole set of keys, _probably_ (I am just
supposing, since I have never done that) gpg will say "I already have
those keys" and you would have to use the passphrase of the main key.

  You can test how it works by moving your keyring to another
folder, and then, importing the subkeys to the "new" keyring. Of course,
be VERY careful when you move your keyring files, you don't want to
damage or lose it (don't forget the important files are secring.gpg,
pubring.gpg and trustdb.gpg). And remember the public key you need is
the one with the whole set of keys...

  Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----
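
The subkey-to-primary relationship discussed in this message, as an added example that is not part of the original post: it parses a key listing in the colon-delimited form printed by `gpg --with-colons --list-keys` and resolves the key ID shown on a signature to the primary key it belongs to. The listing is constructed; only the two short key IDs come from the thread, and the function names are hypothetical.

```python
# Constructed sample in the shape of `gpg --with-colons --list-keys` output.
# Only the short IDs BE7E87FD and CA265DC6 come from the thread; the leading
# eight hex digits, dates, user ID and encryption subkey are made up.
SAMPLE = """\
pub:-:2048:1:AAAAAAAABE7E87FD:1230768000:::-:::scESC:
uid:-::::1230768000::::ushills <user@example.org>:
sub:-:2048:1:BBBBBBBB11111111:1230768000::::::e:
sub:-:2048:1:BBBBBBBBCA265DC6:1233446400::::::s:
"""

UNUSABLE = set("redi")  # field 2: revoked, expired, disabled, invalid


def parse_keys(listing):
    """Group subkeys under their primary key: {primary_id: {...}}."""
    keys, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("pub", "sec", "sub", "ssb"):
            continue  # uid, fpr and other records are not needed here
        record = {"validity": f[1], "caps": f[11]}  # field 12 = capabilities
        if f[0] in ("pub", "sec"):
            current = keys.setdefault(f[4], {"self": record, "subkeys": {}})
        elif current is not None:
            current["subkeys"][f[4]] = record
    return keys


def resolve_signer(listing, key_id):
    """Map the key ID reported on a signature to its primary key, or None."""
    wanted = key_id.lower().removeprefix("0x").upper()
    for primary, entry in parse_keys(listing).items():
        candidates = {primary: ("primary", entry["self"])}
        candidates.update({k: ("subkey", v) for k, v in entry["subkeys"].items()})
        for long_id, (role, rec) in candidates.items():
            # Suffix match mirrors how short IDs are displayed; short IDs can
            # collide, so compare full fingerprints before trusting a key.
            if long_id.endswith(wanted):
                return {
                    "primary": "0x" + primary[-8:],
                    "role": role,
                    "can_sign": "s" in rec["caps"],
                    "usable": rec["validity"] not in UNUSABLE,
                }
    return None


if __name__ == "__main__":
    print(resolve_signer(SAMPLE, "0xCA265DC6"))
```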

