[PATCH] gpg: Exclude revoked UTKs from the key validation process.

Glop glopglop at riseup.net
Tue Jun 23 17:33:33 CEST 2026


Hello,

Thank you for taking the time to check and to reply!

Indeed, you're right, I tried reproducing this issue again,
but I couldn't either. And I cannot for the life of me remember
what I did differently or what I missed the last time to think
there was a bug there :/

My apologies for the false report and for the noise here.

Glop

Philip:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Hi,
> 
> thank you for the report.
> 
> On Sun, 7 Jun 2026 18:36:53 +0200
> Glop via Gnupg-devel <gnupg-devel at gnupg.org> wrote:
> 
> > In order to reproduce this:
> > 1. Generate a new public/secret key pair (say, MyKey).
> > 2. Import a new public key in the keyring (say, OtherKey).
> > 3. Sign OtherKey using MyKey.
> > 4. Check that OtherKey has now `full` validity.
> > 5. Revoke MyKey.
> > 6. Run `gpg --check-trustdb` to forcefully update the trust DB.
> > 7. Check the validity of OtherKey: it still shows `full`, while
> >    it should in fact be `unknown`, since MyKey's signature should
> >    not be trusted anymore.
> > 
> > I tried this on the GnuPG 2.4 and 2.5 branches, and both are impacted.
> 
> I could not reproduce this with GnuPG 2.4.9 and 2.5.20.
> After Step 6 `gpg --check-trustdb` the formerly "[  full  ]" trusted
> key is shown with "[ unknown]" trust.
> In your test, was the 'OtherKey' maybe signed by any other keys than
> 'MyKey'?
> 
> Philip
> -----BEGIN PGP SIGNATURE-----
> 
> iJEEARYKADkWIQR0sOOYYQjr3oh+QUt7hfBywO1/7gUCai/sjRsUgAAAAAAEAA5t
> YW51MiwyLjUrMS4xMiwyLDIACgkQe4XwcsDtf+4dhAEAjYb4ooEWttws+l6Vm5Ow
> PFrXaxMp8Td1TMwlD0tVfx0A/0xHWtFrDY+Srov2xJwT2AohXJwL2Ca+ABK+qBoO
> IC4K
> =XtYK
> -----END PGP SIGNATURE-----
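The reproduction steps quoted above are easy to get subtly wrong by hand (a leftover certification from another key in the keyring, as Philip asks about, is enough to keep OtherKey at full). The script below is an added example, not code from this thread or from GnuPG: it runs steps 1 to 7 in two throwaway GnuPG homes so no other certification can interfere, and reads the validity from the `pub:` record of `gpg --with-colons` output (field 2) instead of the bracketed `[  full  ]` / `[ unknown]` labels. The user IDs, home directories and the sample listings are constructed; it assumes GnuPG 2.1 or later (for the `--quick-*` commands and the revocation certificate written to `openpgp-revocs.d/`).

```shell
#!/bin/sh
# Added example, not part of the thread: script the reproduction steps from
# the report above in throwaway GnuPG homes and read the validity from
# `--with-colons` output (field 2 of the pub: record) rather than from the
# "[  full  ]" / "[ unknown]" labels of --list-keys.
# User IDs, home directories and the sample listings below are constructed.
set -eu

# Constructed --with-colons listings (fingerprints are made up), used to
# exercise the parsers without a gpg binary.
SAMPLE_FULL='tru::1:1700000000:0:3:1:5
pub:f:255:22:0123456789ABCDEF:1700000000:::-:::scESC:::::ed25519:::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:f::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::OtherKey <other@example.invalid>::::::::::0:'
SAMPLE_UNKNOWN='tru::1:1700000000:0:3:1:5
pub:-:255:22:0123456789ABCDEF:1700000000:::-:::scESC:::::ed25519:::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:'

# validity_of LISTING: validity letter of the first pub: record
# ('u' ultimate, 'f' full, 'm' marginal, '-' unknown, 'r' revoked, ...).
validity_of() {
    printf '%s\n' "$1" | awk -F: '$1 == "pub" { print $2; exit }'
}

# fingerprint_of LISTING: fingerprint of the first fpr: record (field 10),
# which is the primary key when the listing starts with a pub: record.
fingerprint_of() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# describe_validity LETTER: the word --list-keys prints in brackets.
describe_validity() {
    case "$1" in
        u) echo ultimate ;;
        f) echo full ;;
        m) echo marginal ;;
        r) echo revoked ;;
        -|q) echo unknown ;;
        *) echo "other($1)" ;;
    esac
}

# g HOMEDIR ARGS...: non-interactive gpg in a given home (unprotected keys,
# no pinentry, no prompts).
g() {
    h=$1; shift
    gpg --batch --quiet --yes --homedir "$h" --pinentry-mode loopback --passphrase '' "$@"
}

# repro: steps 1-7 from the report. Prints OtherKey's validity before and
# after MyKey is revoked; the behaviour Philip observed is "full -> unknown".
repro() {
    home_a=$(mktemp -d); home_b=$(mktemp -d)   # MyKey's home, OtherKey's home
    trap 'gpgconf --homedir "$home_a" --kill gpg-agent || true;
          gpgconf --homedir "$home_b" --kill gpg-agent || true;
          rm -rf "$home_a" "$home_b"' EXIT

    # 1. MyKey, generated locally, so gpg marks it ultimately trusted.
    g "$home_a" --quick-generate-key 'MyKey <mykey@example.invalid>' default default never
    my_fpr=$(fingerprint_of "$(g "$home_a" --with-colons --list-keys MyKey)")

    # 2. OtherKey, made in a separate home and imported as a public key only,
    #    so the only certification it can carry in home_a is MyKey's.
    g "$home_b" --quick-generate-key 'OtherKey <other@example.invalid>' default default never
    other_fpr=$(fingerprint_of "$(g "$home_b" --with-colons --list-keys OtherKey)")
    g "$home_b" --export "$other_fpr" | g "$home_a" --import

    # 3. and 4. Certify OtherKey with MyKey; its validity should now be full.
    g "$home_a" --quick-sign-key "$other_fpr"
    g "$home_a" --check-trustdb
    before=$(validity_of "$(g "$home_a" --with-colons --list-keys "$other_fpr")")

    # 5. Revoke MyKey by importing the certificate gpg wrote at creation time
    #    (its BEGIN line carries a leading ':' to prevent accidental import).
    sed 's/^://' "$home_a/openpgp-revocs.d/$my_fpr.rev" | g "$home_a" --import

    # 6. and 7. Rebuild the trust DB and read OtherKey's validity again.
    g "$home_a" --check-trustdb
    after=$(validity_of "$(g "$home_a" --with-colons --list-keys "$other_fpr")")

    echo "OtherKey validity: $(describe_validity "$before") -> $(describe_validity "$after")"
}

# Run the live reproduction only when asked (needs gpg >= 2.1 on PATH);
# the parsers above work without it.
if [ "${RUN_REPRO:-0}" = 1 ]; then
    repro
fi
```

Run it as `RUN_REPRO=1 sh repro.sh`; the parsing helpers can be exercised on the constructed listings without gpg installed. Using `--with-colons` matters for a report like this one: the bracketed labels are meant for humans and can differ between versions and locales, while the validity letter in field 2 is the stable machine interface, so a reproduction based on it is easier for a maintainer to confirm or refute.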