In short: The gpg version I had running back then still used sha1 has a default digest to generate the base signature attesting to the first subkey generated automatically during key generation. Like a good citizen, I changed the default digest algorithm to something strong, generated the remaining ...