gpg --fingerprint: Verify a Key Identity
gpg --fingerprint prints the 40-hex-character fingerprint that uniquely identifies a key.
Short key IDs can collide, so pin on the full fingerprint. In CI you verify that the imported key matches the fingerprint you expect before trusting it.
What it does
gpg --fingerprint prints the full SHA-1 fingerprint (40 hex characters) of each matching key. The fingerprint is the safe way to reference a key, since short and long key IDs are only the last bytes of it and can collide.
Common usage
gpg --fingerprint you@example.com
# fail the job if the imported key is not the expected one
EXPECTED="ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234"
gpg --fingerprint --with-colons you@example.com \
| awk -F: '/^fpr:/ {print $10; exit}' | grep -q "$EXPECTED"Options
| Flag | What it does |
|---|---|
| --fingerprint | Print the key fingerprint |
| --with-colons | Machine-readable fpr records |
| --with-subkey-fingerprints | Also print subkey fingerprints |
| --keyid-format 0xlong | Show key IDs in 0x-prefixed long form |
In CI
Pin trust on the full fingerprint, never the 8-hex short ID. After importing a verification key, compare its fingerprint against a value you control and fail the job on mismatch, so a swapped key cannot slip through.
Common errors in CI
"gpg: error reading key: No public key" means the identifier matched nothing in the keyring; import the key first. Comparing fingerprints with embedded spaces (the human-readable form groups them) fails string matches; use --with-colons output, which has no spaces.