Besides the lolz I was involved on an "identify thief" incident, somebody created a GPG key with the same short id as mine. It is important to mention that while short id is different the complete id(s) are different on both keys.

Gunnar Wolf, wrote in great detail about the issue http://gwolf.org/node/4070

And he even posted to LWN

Erico Zini created an utility to verify keys https://github.com/spanezz/verify-trust-paths

and the corresponding blog post http://www.enricozini.org/blog/2016/debian/verifying-gpg-keys

the TL;DR on what to do to avoid faling in this trap is this

  • Add keyid-format 0xlong to ~/.gnupg/gpg.conf so GPG will show you long IDs by default
  • If your scripts handle GPG IDs use long IDs, you can pass the options --keyid-format long or --keyid-format 0xlong, alternatively --with-colons will give you an output easily parseable by shell scripts, and long keyids!!!

I'm not adding much if you did read Gunnar's and Erico's blog, but I think is worth to repeat that valuable advice.

PS: I should have post about this long ago