btw, there is strange behaviour with colliding gpg key IDs. the first one totally shadows the second one, which might potentially be exploitable. a possible scenario might be to trick the user to import the forged key ID first. possibly this may add forged subkeys, not quite sure.