Bug with duplicate user IDs of different status

David Shaw dshaw at jabberwocky.com
Tue Feb 27 13:25:04 CET 2007

On Mon, Feb 26, 2007 at 08:25:34PM -0800, Robin H. Johnson wrote:
> On Mon, Feb 26, 2007 at 10:56:43PM -0500, David Shaw wrote:
> > On Sun, Feb 25, 2007 at 06:24:03PM -0800, Robin H. Johnson wrote:
> > > Instructions to reproduce:
> > > 1. create any key
> > > 2. gpg --edit-key ; adduid foo at bar ; save+quit
> > > 3. gpg --edit-key ; revuid foo at bar ; save+quit
> > > 4. gpg -v --list-keys foo at bar (shows the revoked uid)
> > > 5. gpg --edit-key ; adduid foo at bar
> > > 6. display will now show both foo at bar uids
> > > 7. save+quit
> > > 8. gpg --edit-key (now we get this message: "gpg: key 34884E85:
> > > duplicated user ID detected - merged")
> > > 9. 'list' shows only the revoked version of the foo at bar uid, and we
> > >    cannot select the new one to perform any operations on it.
> > 
> > There is a bug here, but this also needs a clarification.  In step 9,
> > it is proper that only one copy of the foo at bar uid is present and
> > there is no way to select one of the foo at bar user IDs: OpenPGP does
> > not have a real notion of multiple identical user IDs.  GnuPG, as you
> > noticed, collapses them together into one user ID that carries all of
> > the signatures (self-signatures, revocation signatures, etc) that were
> > on both original user IDs.
> Hmm, I'm wondering what the correct course of action is then.
> In my original case that I reduced to the above, I originally had an
> email address (rjohnsob at sfu.ca) from the university I attended, and revuid'd it
> after I graduated and the email address was recycled to another user, not
> dreaming that I'd be involved again with the university again (my departure was
> somewhat bitter). So for some time, that address was NOT a valid source for me,
> but now it is again.

That's fine.  The end result of the merge is that you have one user ID
with the collected self-signatures on them.  For example:

  foo at bar:
    signed  1/1/2007
    revoked 1/2/2007

  foo at bar:
    signed  1/10/2007

If that is collapsed then the result is:

  foo at bar:
    signed  1/1/2007
    revoked 1/2/2007
    signed  1/10/2007

Thus foo at bar is no longer revoked.  The most recent signature is the
one that applies in this case.

> > The bug is that this new, joined, user ID appears as revoked (you had
> > a 50% chance of that, as the user IDs are merged in order).  If you
> > exit the --edit-key menu, GnuPG will prompt you to save the modified
> > key (the dupe-elimination is the modification).  If you say yes and
> > then do the --edit-key again, you'll see the user ID isn't really
> > revoked.  GnuPG should reprocess the key after the user ID collapse so
> > the flags (revoked, expired, etc) are set properly.  I will make this
> > change.
> See the attached sigdata.txt file. It does show the old signatures under the
> old instance of the uid.

Did you run the key through a pass with --edit-key to allow the merge?


More information about the Gnupg-devel mailing list