Any word on the bug?

David Shaw dshaw at jabberwocky.com
Wed Jun 25 07:31:02 CEST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jun 24, 2003 at 11:10:45PM -0500, Robert J. Hansen wrote:
> >Which bug is this?  If you are referring to the validity information
> >being strange in --list-secret-keys listings, then the answer is yes.
> >You may not like the result though - the fix is to not show validity
> >in secret key listings.
> 
> That'd be the one.  The problem is it's manifesting in more ways than 
> just that now.  For instance (all active email addies obscured with 
> leetspeak and/or pork products):

This is not the same problem.  The original problem was that misleading
validity information was being shown in secret key listings.  This is
a straightforward "public key doesn't match secret key" problem.

> =====
> [rjh at numbers rjh]$ gpg --list-key rjh at HORMEL.SPAM.sixdemonbag.org
> pub  1024D/2CBE2E25 2002-05-02 Robert J. Hansen <rjh at s1xd3m0nb4g.org>
> uid                            Robert J. Hansen <c0rt4n4 at earthlink.net>
> sub  3072g/7926E4DD 2002-05-02
> =====
> 
> Okay, so I've got a valid primary UID of rjh at s1xd3m0nb4g.org.  Now let's 
> try to sign using it:
> 
> =====
> [rjh at numbers rjh]$ gpg -u rjh at s1xd3m0nb4g.org --sign foo.txt
> gpg: skipped `rjh at s1xd3m0nb4g.org': secret key not available
> gpg: signing failed: secret key not available
> =====
> 
> Hey, that ain't right.  Let's take a look at what UIDs are attached to 
> the secret key.
> 
> =====
> [rjh at numbers rjh]$ gpg --list-secret-keys
> /home/rjh/.gnupg/secring.gpg
> ----------------------------
> sec  1024D/2CBE2E25 2002-05-02 Robert J. Hansen <rjhansen at inav.net>
> ssb  3072g/7926E4DD 2002-05-02
> =====
> 
> 
> ... Apparently, GnuPG doesn't recognize that (a) my inav.net UID is 
> revoked and should no longer be used, or (b) that I have a 
> s1xd3m0nb4g.org email address which is now my primary UID.

With regards to (a), this is not how user ID selection works.  It
doesn't matter if a given user ID is revoked or expired since this is
only a tag to identify the key and a validity relationship.  Obviously
there is no validity relationship with a revoked user ID, but you have
ultimate validity (it's your own key).  So this is your key, and
(presumably!) your revocation, and it isn't GnuPG's business to tell
you you can't use it any longer.  Someone ELSE using your key
(i.e. via -r) is a different story: they'll be shown the "untrusted
key" warning since by definition, there is no trust carried on a
revoked user ID.

With regards to (b), you do have the new primary user ID on your
public key.  Since you don't have it on your secret key, it isn't
going to work via -u.  I'm not quite sure how you got to where you are
since GnuPG always adds new user IDs to both the public and secret
keys.  Do you have more than one GnuPG installation that you use?
They're out of sync.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE++SW94mZch0nhy8kRAopYAJ0e0jjzHJApq4VVFY7cAtMqhBIJEgCdFO1G
sta+v+QsiKUVzGmZeEp3jg8=
=qg4v
-----END PGP SIGNATURE-----
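The mismatch David diagnoses (a user ID present on the public key but absent from the secret key, so `-u` cannot select it) can be checked mechanically by comparing the two listings. The following is an added example, not code from the thread or from GnuPG: it parses the `--with-colons` record format (record type in field 1, key ID in field 5, user ID in field 10, with a separate `uid` record per user ID in newer versions and the primary user ID carried on the `pub`/`sec` line in older ones). The sample records and the function names are constructed for this example and mirror the listings quoted above.

```python
# Added example: report user IDs that exist on a public key but are missing from
# the corresponding secret key, i.e. public and secret keyrings out of sync.
# Input is the output of `gpg --with-colons --list-keys` and
# `gpg --with-colons --list-secret-keys`. The records below are CONSTRUCTED to
# mirror the thread (short key IDs; real output carries the 16-hex-digit ID).
PUBLIC_LISTING = """\
pub:u:1024:17:2CBE2E25:2002-05-02:::u:Robert J. Hansen <rjh at s1xd3m0nb4g.org>::scESC:
uid:r::::::::Robert J. Hansen <rjhansen at inav.net>::
uid:u::::::::Robert J. Hansen <c0rt4n4 at earthlink.net>::
sub:u:3072:16:7926E4DD:2002-05-02::::::e:
"""

SECRET_LISTING = """\
sec::1024:17:2CBE2E25:2002-05-02:::::::::
uid:::::::::Robert J. Hansen <rjhansen at inav.net>::
ssb::3072:16:7926E4DD:2002-05-02:::::::::
"""


def _unescape(uid):
    # Colons inside a user ID are emitted C-string style as \x3a.
    return uid.replace("\\x3a", ":")


def parse_listing(text):
    """Return {key id: [user ids]} for one colon-format key listing."""
    keys = {}
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sec"):
            current = fields[4]
            keys.setdefault(current, [])
            # Older GnuPG put the primary user ID on the pub/sec record itself.
            if len(fields) > 9 and fields[9]:
                keys[current].append(_unescape(fields[9]))
        elif fields[0] == "uid" and current is not None and len(fields) > 9:
            keys[current].append(_unescape(fields[9]))
        # sub/ssb and other record types carry no user IDs; skip them.
    return keys


def missing_secret_uids(public_text, secret_text):
    """Map key id -> user IDs on the public key that the secret key lacks."""
    pub, sec = parse_listing(public_text), parse_listing(secret_text)
    report = {}
    for keyid, uids in pub.items():
        if keyid not in sec:
            continue  # no secret key for this key at all; nothing to compare
        missing = [u for u in uids if u not in sec[keyid]]
        if missing:
            report[keyid] = missing
    return report


if __name__ == "__main__":
    for keyid, uids in missing_secret_uids(PUBLIC_LISTING, SECRET_LISTING).items():
        print(f"{keyid}: not usable with -u, secret key lacks: {uids}")
```

On a real system, feed the function the captured output of both gpg commands instead of the constructed strings.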




More information about the Gnupg-devel mailing list