Certification signatures on subkeys

Colin Watson cjwatson at debian.org
Wed Jan 30 22:40:50 CET 2008

On Wed, Jan 30, 2008 at 01:46:10PM -0500, David Shaw wrote:
> On Wed, Jan 30, 2008 at 10:44:26AM -0500, Mihai Ibanescu wrote:
> > I noticed something strange on a key I imported:
> > 
> > http://pool.sks-keyservers.net:11371/pks/lookup?search=0x10FA4CD1&op=vindex

This is my key.

> > As you can see, the subkey has certification (type 0x10-0x13) signatures on
> > its subkey.
> > 
> > At least the way I read RFC4880, the only types of signatures that should be
> > present on a subkey are key binding or revocation signatures.
> 
> That is correct.
> The key is a little bit mangled.  GPG ignores 0x10-0x13 signatures on
> subkeys, as they are not allowed there.

I tried to get rid of them with 'gpg --edit-key' (which automatically
moved the signatures to a UID on the primary key), but --send-keys and
--recv-keys caused them to be added right back. Repeating this procedure
moved the signatures again so that the UID in question now has two
copies of each of these signatures at the end of its signature list.

In other words, it looks like any time I go through an --edit-key /
--send-keys / --recv-keys cycle (however extended), I'm going to grow
six new signatures on my key. Could GnuPG be fixed to check for
duplicates before it moves signatures? The delsig UI is going to be
extremely tedious for getting rid of these and of course won't affect
the keyservers.


Colin Watson                                       [cjwatson at debian.org]
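
The condition discussed in this thread, as an added example that is not part of the original message and is not GnuPG code: a Python walk over a binary (non-armored) OpenPGP packet stream that reports certification signatures (0x10-0x13) attached to a subkey and signature packets repeated under the same owner packet. Treating byte-identical signature bodies as duplicates is an assumption of this example, and `SAMPLE` is constructed stub data, not real key material.

```python
# Added example: audit an OpenPGP key for misplaced and duplicated signatures.
CERT_TYPES = range(0x10, 0x14)               # certification signature types
SIG, PUBKEY, USERID, SUBKEY = 2, 6, 13, 14   # RFC 4880 packet tags

def packets(data):
    """Yield (tag, body) from a binary (non-armored) OpenPGP packet stream."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                              # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body length not expected in a key")
        else:                                       # old-format: 1, 2, 4 octets or to end
            tag, n = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 3]
            length = int.from_bytes(data[i:i + n], "big") if n else len(data) - i
            i += n
        yield tag, data[i:i + length]
        i += length

def sig_type(body):
    # v4: version, type, ...   v3: version, hashed-length octet, type, ...
    return body[1] if body[0] >= 4 else body[2]

def audit(data):
    """Return (certification types found on subkeys, duplicated signature types)."""
    owner, seen, misplaced, dupes = None, set(), [], []
    for tag, body in packets(data):
        if tag in (PUBKEY, USERID, SUBKEY):
            owner, seen = tag, set()                # signatures belong to this packet
        elif tag == SIG:
            if owner == SUBKEY and sig_type(body) in CERT_TYPES:
                misplaced.append(sig_type(body))
            if body in seen:                        # same bytes already seen here
                dupes.append(sig_type(body))
            seen.add(body)
    return misplaced, dupes

SAMPLE = bytes.fromhex(                             # constructed stub packets
    "c60104 cd0175 c2030413aa c2030413aa"           # key, uid, cert 0x13 twice
    "ce0104 c2030418bb c2030410cc")                 # subkey, binding 0x18, cert 0x10
```

To run it on a real key, pass the bytes produced by `gpg --export KEYID` to `audit()`.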
