Skip to content
Latchkey

gpg --fingerprint: Verify a Key Identity

gpg --fingerprint prints the 40-hex-character fingerprint that uniquely identifies a key.

Short key IDs can collide, so pin on the full fingerprint. In CI you verify that the imported key matches the fingerprint you expect before trusting it.

What it does

gpg --fingerprint prints the full SHA-1 fingerprint (40 hex characters) of each matching key. The fingerprint is the safe way to reference a key, since short and long key IDs are only the last bytes of it and can collide.

Common usage

Terminal
gpg --fingerprint you@example.com
# fail the job if the imported key is not the expected one
EXPECTED="ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234"
gpg --fingerprint --with-colons you@example.com \
  | awk -F: '/^fpr:/ {print $10; exit}' | grep -q "$EXPECTED"

Options

FlagWhat it does
--fingerprintPrint the key fingerprint
--with-colonsMachine-readable fpr records
--with-subkey-fingerprintsAlso print subkey fingerprints
--keyid-format 0xlongShow key IDs in 0x-prefixed long form

In CI

Pin trust on the full fingerprint, never the 8-hex short ID. After importing a verification key, compare its fingerprint against a value you control and fail the job on mismatch, so a swapped key cannot slip through.

Common errors in CI

"gpg: error reading key: No public key" means the identifier matched nothing in the keyring; import the key first. Comparing fingerprints with embedded spaces (the human-readable form groups them) fails string matches; use --with-colons output, which has no spaces.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →