GPG stores public and private keys in different places. Your output mentions /home/kshitiz/.gnupg/pubring.gpg, which holds the "public" keys (pubring). If you want to list private keys you have to use the --list-secret-keys switch.
As for why the key 8F64D7E0 does not get deleted: it's because you asked to destroy the private key only. Since deleting a private key does not impact the public key, there is no need for it to be cascade-deleted.
For OpenPGP keys, it is not as easy as with SSH. The fingerprint is not calculated from the whole Base64-encoded public key, but only from some (binary) parts of it.
For a version 3 OpenPGP key, what you'd have to do is:
- Parse the OpenPGP public key packet
- For RSA, extract modulus and exponent
- Concatenate their binary values
- Calculate the hashsum
For steps 1 and 2, you can rely on the tool pgpdump, which can parse and output the numbers using the -i flag.
For version 4 keys, it gets even more complicated.
If you want to calculate the hashsum for educational purposes, I'd recommend extending pgpdump instead and using all the available parser code, so you can directly work on the extracted information. I'm pretty sure handling the binary information will be easier than with pure shell code, too.
UPDATE: You used the wrong integers. Use the ones in the lines RSA n and RSA e instead. Putting everything together in a few lines using standard tools:
pgpdump -i publickey.pub | \
grep -E '(RSA n|RSA e)' | \
cut -d'-' -f2 | \
tr -d "\n " | \
perl -e 'print pack "H*", <STDIN>' | \
md5sum
pgpdump -i dumps the key's MPIs, which we grep out, cut off everything we don't need, tr-anslate away all the whitespace, convert to binary using perl and finally calculate the md5sum.
Running on the key you provided:
$ pgpdump -i publickey.pub | \
> grep -E '(RSA n|RSA e)' | \
> cut -d'-' -f2 | \
> tr -d "\n " | \
> perl -e 'print pack "H*", <STDIN>' | \
> md5sum
00c9218ed1ab7037dd67a23a0a6f8da5 -
Seems pretty much to be what we're looking for.
For the sake of completeness, the same for version 4 keys, where you need another toolchain. We need the full public key packet. To decompose an OpenPGP message, gpgsplit comes in handy. Afterwards, you can immediately calculate the sha1sum of the file:
gpgsplit publickey.pub; sha1sum *.public_key
For example, running on my own key:
$ gpgsplit publickey.pub; sha1sum *.public_key
0d69e11f12bdba077b3726ab4e1f799aa4ff2279 000001-006.public_key
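As an added example (not code from the answer above and not part of pgpdump or GnuPG), the following Python script does the same hashing directly on raw packet bytes: MD5 over the concatenated MPI bodies of n and e for a version 3 key, and SHA-1 over 0x99, a two-byte length and the packet body for a version 4 key. It also shows why sha1sum over a gpgsplit output file gives the v4 fingerprint: that file starts with exactly the 0x99 and two-byte length header the fingerprint hash covers (the example assumes the old-format header with a two-byte length; other header encodings are rejected). All function names and the toy key material are constructed for this illustration.

```python
"""OpenPGP public-key fingerprints computed directly from packet bytes.

Added example, not code from the answers above. It applies the two hashing
rules the answer describes, for RSA keys only:
  * version 3: MD5 over the raw MPI bodies of n and e, length prefixes excluded
  * version 4: SHA-1 over 0x99, a two-byte packet length, and the packet body
The key material below is constructed for the demo and is not a real key.
"""
import hashlib
import struct


def read_mpi(buf, pos):
    """Return (body, next_pos) for the MPI at buf[pos]: 2-byte bit count, then bytes."""
    bits = struct.unpack(">H", buf[pos:pos + 2])[0]
    nbytes = (bits + 7) // 8
    body = buf[pos + 2:pos + 2 + nbytes]
    if len(body) != nbytes:
        raise ValueError("truncated MPI")
    return body, pos + 2 + nbytes


def parse_public_key_body(body):
    """Parse a tag-6 (public key) packet body; only RSA algorithms 1-3 are handled."""
    version = body[0]
    created = struct.unpack(">I", body[1:5])[0]
    if version == 4:
        algo, pos = body[5], 6
    elif version in (2, 3):
        # v2/v3 carry a two-byte validity period between timestamp and algorithm
        algo, pos = body[7], 8
    else:
        raise ValueError("unsupported key packet version %d" % version)
    if algo not in (1, 2, 3):
        raise ValueError("only RSA handled in this example")
    n, pos = read_mpi(body, pos)
    e, pos = read_mpi(body, pos)
    return {"version": version, "created": created, "algo": algo, "n": n, "e": e}


def fingerprint(body):
    """Hex fingerprint of a public-key packet body (RFC 4880 section 12.2)."""
    info = parse_public_key_body(body)
    if info["version"] == 4:
        digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    else:
        digest = hashlib.md5(info["n"] + info["e"])
    return digest.hexdigest()


def key_id(body):
    """v4: low 64 bits of the fingerprint; v3: low 64 bits (last 8 bytes) of the modulus."""
    info = parse_public_key_body(body)
    if info["version"] == 4:
        return fingerprint(body)[-16:]
    return info["n"][-8:].hex()


def encode_mpi(value):
    """Encode a big-endian byte string as an MPI: bit length, then the bytes."""
    value = value.lstrip(b"\x00")
    bits = (len(value) - 1) * 8 + value[0].bit_length() if value else 0
    return struct.pack(">H", bits) + value


def build_body(version, n, e, created=0):
    """Assemble an RSA public-key packet body for the given version (constructed data)."""
    if version == 4:
        head = b"\x04" + struct.pack(">I", created) + b"\x01"
    else:
        head = b"\x03" + struct.pack(">I", created) + b"\x00\x00" + b"\x01"
    return head + encode_mpi(n) + encode_mpi(e)


def old_format_packet(body):
    """Wrap a body in an old-format tag-6 header with a two-byte length (0x99 LL LL)."""
    return b"\x99" + struct.pack(">H", len(body)) + body


def unwrap_packet(packet):
    """Strip the header written by old_format_packet; other header forms are rejected."""
    if packet[0] != 0x99:
        raise ValueError("example only handles old-format tag 6 with a 2-byte length")
    length = struct.unpack(">H", packet[1:3])[0]
    return packet[3:3 + length]


def sha1_of_packet_file(packet):
    """What `sha1sum` prints for a gpgsplit output file: SHA-1 over the whole packet."""
    return hashlib.sha1(packet).hexdigest()


# Toy values; a real RSA modulus is hundreds of bytes long.
TOY_N = b"ab"
TOY_E = b"c"
V3_BODY = build_body(3, TOY_N, TOY_E)
V4_BODY = build_body(4, TOY_N, TOY_E, created=1234567890)

if __name__ == "__main__":
    print("v3 fingerprint:", fingerprint(V3_BODY), "key id:", key_id(V3_BODY))
    print("v4 fingerprint:", fingerprint(V4_BODY), "key id:", key_id(V4_BODY))
    packet = old_format_packet(V4_BODY)
    print("sha1sum of packet file matches v4 fingerprint:",
          sha1_of_packet_file(packet) == fingerprint(V4_BODY))
```

With the toy modulus b"ab" and exponent b"c", the v3 rule reduces to MD5 of b"abc", which makes the length-prefix stripping easy to check by hand; the v4 path demonstrates that hashing the whole gpgsplit packet file and hashing 0x99 plus length plus body are the same computation.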
Best Answer
Expired Keys
This is no special feature, but Torvalds' primary key expired quite some time ago, and in consequence so did the subkey. The answer is hidden in the --list-options section of GnuPG's man page, as by default expired subkeys are hidden. From man gpg2:
By specifying this argument, the subkey will show up:
Travelling Back in Time
You can also verify this using the helpful faketime program to set the system time back some years for GnuPG. By travelling back in time to some date where Torvalds' key was valid, the subkey will show up again: