Methods for Displaying GPG Key Details Without Importing into Keyring

Nov 24, 2025 · Programming

Keywords: GPG keys | Key inspection | Without importing keyring | GnuPG commands | OpenPGP packets

Abstract: This article explores techniques for viewing GPG key details without importing the key into the local keyring. It covers the relevant GnuPG command options, including basic key information display, machine-readable output, and inspection of the underlying OpenPGP packets, as an operational guide for system administrators and security engineers. It also covers how to avoid common warning messages and how to use the pgpdump tool for deeper analysis, so that external key files can be inspected safely without affecting the local keyring.

Introduction

In the domains of software package management and system security, GPG (GNU Privacy Guard) key verification is crucial for ensuring the trustworthiness of software sources. In many scenarios, users need to examine details of external GPG key files without importing them into the local keyring to avoid potential key pollution or conflicts. This article systematically introduces multiple methods for viewing key details based on the GnuPG toolchain.

Basic Key Information Display

When gpg is given only a key file path and no command, it guesses the intended operation and displays a basic summary of the key. For example, for a key file named postgresql.asc, execute the following command:

$ gpg postgresql.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2020-01-01 [SC]
      1234567890ABCDEF1234567890ABCDEF12345678
uid           PostgreSQL APT Repository <apt@postgresql.org>
sub   rsa4096 2020-01-01 [E]

The output includes the public key algorithm (e.g., RSA 4096), creation date, key usage flags ([SC] for Sign and Certify, [E] for Encrypt), and user identity information. To enhance security, use the --keyid-format 0xlong option so that gpg displays 64-bit long key IDs and never the insecure 32-bit short key IDs, for which colliding keys are easy to generate:

$ gpg --keyid-format 0xlong postgresql.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096/0x1234567890ABCDEF 2020-01-01 [SC]
      1234567890ABCDEF1234567890ABCDEF12345678
uid                             PostgreSQL APT Repository <apt@postgresql.org>
sub   rsa4096/0xFEDCBA0987654321 2020-01-01 [E]

Adding the -v or -vv option produces more detailed output, including additional signatures and subkey specifics.

Machine-Readable Format Output

For automated script processing, GnuPG supports a colon-separated output format that is stable and easily parsable. Using the --with-colons option generates structured data:

$ gpg --with-colons postgresql.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub::4096:1:1234567890ABCDEF:1577836800::::::
uid:::::::::PostgreSQL APT Repository <apt@postgresql.org>:
sub::4096:1:FEDCBA0987654321:1577836800::::::

Starting with GnuPG version 2.1.23, combining --import-options show-only with the --import command supplies an explicit command and so eliminates the warning message:

$ gpg --with-colons --import-options show-only --import postgresql.asc
pub::4096:1:1234567890ABCDEF:1577836800::::::
uid:::::::::PostgreSQL APT Repository <apt@postgresql.org>:
sub::4096:1:FEDCBA0987654321:1577836800::::::

For older GnuPG versions, since warnings are printed to standard error (STDERR), key information can be separated from warnings via redirection.

Technical Details: OpenPGP Packet Parsing

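To analyze the internal structure of a key, use the gpg --list-packets command, which dumps the sequence of OpenPGP packets in the file. This output is intended for debugging and may change between GnuPG releases, so scripts should rely on the --with-colons format instead: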

$ gpg --list-packets postgresql.asc
:public key packet:
    version 4, algo 1, created 1577836800, expires 0
    pkey[0]: [4096 bits]
    pkey[1]: [17 bits]
    keyid: 1234567890ABCDEF
:user ID packet: "PostgreSQL APT Repository <apt@postgresql.org>"
:signature packet: algo 1, keyid 1234567890ABCDEF
    version 4, created 1577836800, md5len 0, sigclass 0x13
    digest algo 10, begin of digest 1a 2b

This output shows the packet version, algorithm identifiers, timestamps, key bit lengths, and other low-level parameters as raw numbers. The pgpdump tool can be installed for a more readable display; it converts the numeric IDs to text, so that public-key algorithm 1 appears as RSA, digest algorithm 10 as SHA512, and signature class 0x13 as a positive certification of a user ID:

$ pgpdump postgresql.asc
Old: Public Key Packet(tag 6)(525 bytes)
    Ver 4 - new
    Public key creation time - Wed Jan 01 00:00:00 UTC 2020
    Pub alg - RSA Encrypt or Sign(pub 1)
    RSA n(4096 bits) - ...
    RSA e(17 bits) - ...
Old: User ID Packet(tag 13)(45 bytes)
    User ID - PostgreSQL APT Repository <apt@postgresql.org>
Old: Signature Packet(tag 2)(310 bytes)
    Ver 4 - new
    Sig type - Positive certification of a User ID and Public Key packet(0x13).
    Pub alg - RSA Encrypt or Sign(pub 1)
    Hash alg - SHA512(hash 10)

Fingerprint Information Display

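As a supplementary method, the --show-keys option displays the contents of a key file directly, and --with-fingerprint prints the fingerprint in grouped form. Fingerprints are essential for verifying key integrity, because they are the value to compare against the one the key owner publishes: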

$ gpg --show-keys --with-fingerprint postgresql.asc
pub   rsa4096 2020-01-01 [SC]
      1234 5678 90AB CDEF 1234  5678 90AB CDEF 1234 5678
uid           PostgreSQL APT Repository <apt@postgresql.org>
sub   rsa4096 2020-01-01 [E]

In some GnuPG versions (e.g., 2.2.4), --with-subkey-fingerprint may be required to ensure subkey fingerprints are also displayed correctly.

Application Scenarios and Best Practices

These methods are valuable for verifying third-party repository keys, auditing external key files, and automating deployment scripts. Always use the long key ID format when inspecting keys, and combine it with fingerprint verification to ensure key authenticity. For production environments, perform key checks in an isolated test system first, and import the key into the production keyring only after it has been confirmed.
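
The colon-separated records and the fingerprint check recommended above can be combined into a gate for a deployment script. The following is an added example, not code from the original article: the function names primary_fpr and verify_key_listing, the variable PINNED_FPR and the SAMPLE records are hypothetical or constructed, and it assumes version 4 keys (40-hex-digit fingerprints) and GnuPG's documented record layout, in which field 10 of an fpr record holds the fingerprint.

```shell
#!/bin/sh
# Added example: function names and SAMPLE are hypothetical/constructed.
# Both functions read `gpg --with-colons` records on stdin, so the logic can
# be exercised without gpg or a key file.

# Print the primary key's fingerprint: field 10 of the first "fpr" record
# after the "pub" record. Exit 2 unless the listing has exactly one "pub".
primary_fpr() {
    awk -F: '
        $1 == "pub" { pubs++ }
        $1 == "fpr" && pubs == 1 && !got { print $10; got = 1 }
        END { if (pubs != 1) exit 2 }
    '
}

# Return 0 if the listing's primary fingerprint equals $1, 1 on mismatch,
# 2 if $1 is not a full 40-hex-digit (v4) fingerprint or the listing is odd.
verify_key_listing() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    case $expected in ''|*[!0-9A-F]*) return 2 ;; esac   # rejects "0x..." IDs
    [ "${#expected}" -eq 40 ] || return 2                # rejects key IDs
    actual=$(primary_fpr) || return 2
    [ "$actual" = "$expected" ]
}

# Constructed sample in GnuPG's documented record layout (not real key data).
SAMPLE='pub::4096:1:90ABCDEF12345678:1577836800::::::
fpr:::::::::1234567890ABCDEF1234567890ABCDEF12345678:
uid:::::::::PostgreSQL APT Repository <apt@postgresql.org>:
sub::4096:1:FEDCBA0987654321:1577836800::::::
fpr:::::::::000011112222333344445555FEDCBA0987654321:'

if printf '%s\n' "$SAMPLE" |
    verify_key_listing '1234 5678 90AB CDEF 1234  5678 90AB CDEF 1234 5678'
then
    echo "fingerprint matches pinned value"
fi

# With a real file (GnuPG >= 2.1.23; stderr dropped so only records remain):
#   gpg --with-colons --import-options show-only --import postgresql.asc \
#       2>/dev/null | verify_key_listing "$PINNED_FPR" \
#       && gpg --import postgresql.asc
```

The pinned fingerprint has to come from a source other than the place the key file was downloaded from; otherwise the comparison only confirms that the file matches itself.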

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.