Re: [Tails-dev] An amusing tale of indeterminism

Delete this message

Reply to this message
Autore: intrigeri
Data:  
To: maioral
CC: The Tails public development discussion list
Oggetto: Re: [Tails-dev] An amusing tale of indeterminism
maioral wrote (14 Nov 2012 17:26:24 GMT) :
> i downloaded a new tails sign key from your site and size is
> different, as verification also is


Comparing key exports just does not work: even if only the version of
GnuPG used to export the keys changes, the result won't be the same.

So, I'm happy to teach you that your comparison process is flawed,
which is actually good news :)

You're comparing two different exports of the same key.
The first is expired, the second is not.
Which means that the second has updated self-signatures.
Which implies that exporting these two keys cannot possibly create two
files of same size, and is highly unlikely to produce files with the
same hashes.

An easy and useful way to compare OpenPGP keys is to import them,
and compare fingerprint(s).