An OpenPGP key distributed as ASCII armor is a Base64 wrapper (with a CRC-24 checksum) around a sequence of binary packets defined by RFC 4880. The first packet is the primary public key; it is followed by User ID packets, signatures, and one or more subkeys. This inspector de-armors the block, walks the packets, and computes the version-4 fingerprint so you can confirm a key’s identity before trusting it.
How it works
- De-armor: strip the
-----BEGIN ...-----lines and the CRC line, then Base64-decode the body to raw bytes. - Parse packets: each packet has a tag and a length; the tool reads the tag (public key = 6, public subkey = 14, User ID = 13) and slices out its body.
- Read the primary key: version, creation timestamp, and the public-key algorithm byte.
- Compute the fingerprint for v4 keys: hash
0x99 ‖ two-byte-length ‖ key-packet-bodywith SHA-1; the result is the fingerprint, and its low 8 bytes are the key ID.
User IDs are decoded as UTF-8 text (typically Name <email>), and each subkey is parsed the same way as the primary.
Example output
A decoded key looks like:
Algorithm: EdDSA (Ed25519)
Created: 2024-09-12T10:00:00Z
Key ID: A1B2C3D4E5F60718
Fingerprint: 1111 2222 3333 4444 5555 6666 7777 8888 A1B2 C3D4
User IDs: Ada Lovelace <[email protected]>
Subkeys: 1 (ECDH encryption subkey)
When to use this tool
Before encrypting a message or verifying a signature you should confirm the fingerprint of the public key you are using matches what the owner published — on their website, in a signed email header, or on a keyserver. A single transposed character in the fingerprint is enough to send an encrypted message to the wrong key. This inspector makes that comparison quick without installing GPG or any software.
It is also useful when:
- You receive an exported key file and want to confirm which algorithm and identity it carries before importing it.
- You are debugging OpenPGP email in a mail client and want to see which subkey is in the signing or encryption packet.
- You are auditing keys generated by a library or service to check that the algorithm and key size match your policy (for example, verifying that a provisioned key uses Ed25519 and not a weaker RSA-1024).
Common algorithms you will encounter
| Algorithm byte | Name | Common use |
|---|---|---|
| 1 | RSA | Legacy sign and encrypt |
| 17 | DSA | Legacy signing only |
| 16 | ElGamal | Legacy encryption only |
| 18 | ECDH | Modern encryption subkeys |
| 19 | ECDSA | Modern signing |
| 22 | EdDSA (Ed25519) | Modern sign — compact and fast |
Notes
Fingerprints are computed with the browser’s Web Crypto SHA-1, the standard hash for v4 OpenPGP fingerprints. Everything runs locally, so even a private-key block stays on your device. Packet parsing supports both the old and new length formats; truncated or corrupt armor is reported rather than guessed. Legacy v3 keys use an MD5 fingerprint scheme not implemented here, so only their basic fields are shown.