Bug 164376

Summary: KGpg - error in key import procedure for keys with identical last 8 Hex numbers of the key ID
Product: [Applications] kgpg
Reporter: Ralph Moenchmeyer <rm>
Component: general
Assignee: Rolf Eike Beer <kde>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: openSUSE   
OS: Linux   

Description Ralph Moenchmeyer 2008-06-18 12:40:59 UTC
Version:            (using KDE 3.5.9)
Installed from:    SuSE RPMs
OS:                Linux

I use KGpg to handle PGP keys. I run Opensuse 10.3 (latest 3.5.9 rpms from Suse's repositories; x86_64 architecture). KGpg is of version 1.2.2. 
A friend of mine has generated his PGP keys with Thunderbird and the Enigma Plugin on a MS Windows XP system. After uploading his public key to a PGP server he found that by accident his last 8 hex numbers 0x54632776 of the key fingerprint were identical to those of another key (generated by somebody in 1998). Not a real problem for him and his email partners as long as they have a choice to import the right public key into their key ring. 

The standard import via searching the key on a key server with KGpg however leads to a complete and potentially dangerous mess: 

1) Even if you use the unique last 16 hex digits 0xF9A8C30854632776 from the key fingerprint for searching you get 2 keys as possible "choices". However, in the resulting dialog you cannot really choose which key to import.  
2) The import then automatically fetches both keys. This would not be a problem if the import were done correctly because then one could delete the unwished key. 
3) However, after the import you get a catastrophically wrong mix of key owner names, fingerprints and key IDs.

Please try it yourself: In the detail views for both (!) keys you get one and the same fingerprint - that of my friend containing the sequence F9A8 C308 5463 2776. However, the Key ID is displayed as B3AB 6632 5463 2773 - and this is part of the fingerprint for the key of the other guy. In addition subkeys are displayed completely mixed in the key list. 

Personally, I consider this as a severe bug. 

I then tried to import the key of my friend with Thunderbird for Windows. There the GnuPG (for Windows) program also reacts to the last 8 hex numbers only, and directly imports both keys. However, the imported keys then appear well separated and the association of the fingerprints to the key owner names is right and flawless.

By the way: The remedy to get the key into my Linux system in a clean way is to import it via a file or by directly copying it. But a normal user would search a key server. So, please eliminate the described bug!
Comment 1 Rolf Eike Beer 2008-06-18 14:35:34 UTC

*** This bug has been marked as a duplicate of 117799 ***
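
Added example, not part of the original report and not KGpg's code: a sketch of how a front end can keep names, fingerprints and subkeys attached to the right primary key when two keys share their last 8 hex digits, and refuse an ambiguous short ID. The function names parse_keys and select_key are hypothetical, the listing is a constructed sample in `gpg --with-colons` style, and the fingerprints are made up; only the long ID 0xF9A8C30854632776 and the shared tail 54632776 come from the report.

```python
# Constructed `gpg --with-colons` style listing. The fingerprints are made up;
# only the long ID F9A8C30854632776 and the shared tail 54632776 are from the report.
SAMPLE = """\
pub:-:1024:17:0000000054632776:1998-01-01:::-:::scESC:
fpr:::::::::1111111111111111111111110000000054632776:
uid:::::::::Other Person <other@example.org>:
sub:-:1024:16:AAAAAAAAAAAAAAAA:1998-01-01::::::e:
pub:-:2048:1:F9A8C30854632776:2008-06-01:::-:::scESC:
fpr:::::::::0123456789ABCDEF01234567F9A8C30854632776:
uid:::::::::Friend <friend@example.org>:
sub:-:2048:1:BBBBBBBBBBBBBBBB:2008-06-01::::::e:
"""

def parse_keys(listing):
    """Group uid/fpr/sub records under the pub record that precedes them."""
    keys, current, last = [], None, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"keyid": f[4], "fpr": None, "uids": [], "subkeys": []}
            keys.append(current)
            last = "pub"
        elif current is None:
            continue                      # stray record before any primary key
        elif f[0] == "sub":
            current["subkeys"].append(f[4])
            last = "sub"
        elif f[0] == "fpr" and last == "pub":
            current["fpr"] = f[9]         # an fpr after a sub belongs to the subkey
        elif f[0] == "uid":
            current["uids"].append(f[9])
    for key in keys:                      # the key ID must be the fingerprint's tail
        if not key["fpr"] or not key["fpr"].endswith(key["keyid"]):
            raise ValueError("key ID %s does not match its fingerprint" % key["keyid"])
    return keys

def select_key(keys, wanted):
    """Return the single key whose fingerprint ends with `wanted`."""
    wanted = wanted.upper().replace(" ", "")
    if wanted.startswith("0X"):
        wanted = wanted[2:]
    if len(wanted) < 16:
        raise ValueError("refusing short key ID; give the long ID or fingerprint")
    matches = [k for k in keys if k["fpr"].endswith(wanted)]
    if len(matches) != 1:
        raise ValueError("%d keys match %s" % (len(matches), wanted))
    return matches[0]
```

The consistency check in parse_keys rejects exactly the state described in the report, where a displayed key ID is not the tail of the fingerprint shown beside it.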