[OT?]: Keyserver / Subkeys / replicating selfsigs

David Shaw dshaw at jabberwocky.com
Mon May 10 16:52:48 CEST 2004


On Mon, May 10, 2004 at 11:16:49AM +0200, Sascha Lüdecke wrote:
> 
> Hi all!
> 
> After some keysigning I was notified that my key on wwwkeys.pgp.net
> is unusable.   After taking a closer look there are strange
> effects.  This is my key:
> 
> pub  1024D/CC611EE6 2000-01-26 Sascha Luedecke (private) <sascha at meta-x.de>
> uid                            Moxon <moxon at meta-x.de>
> sub  2048g/85D3C1A7 2000-01-26 [expires: 2003-01-25]
> sub  2048g/BC8DCB23 2003-04-04 [expires: 2006-04-03]
> sub  1024D/5240B9BF 2003-04-04 [expires: 2006-04-03]
> 
> 
> 1. Problem: uploading to the keyserver
> ======================================
> 
> When I export my key to the hkp://wwwkeys.pgp.net keyserver:
> 
> a)  gnupg doesn't give me an error message
> 
>     gpg --verbose --send-key cc611ee6
> 
>     The key is silently accepted but the new subkeys are _not_ listed
>     on the keyserver.  I tried this at least three times (giving it a
>     night to update its database) with no success (but other effects,
>     see below).
> 
>     Maybe GnuPG should give some error message (if hkp tells it about
>     errors).
> 
> 
> b)  parts of the key get rejected.  When submitting through the
>     web interface, the result is:
> 
>     Key block in add request contained no new
>     keys, userid's, or signatures.
>     Your key block contained 5 format errors,
>     which were treated as if the erroneous elements
>     hadn't been part of your submission.
>     The last error was on key 0x037aaac0:
>     Key block corrupt: more than one signature on subkey
> 
>     Aha.  gpg tells me that (gpg --export --armor cc611ee6 | gpg --verbose -)
> 
>     pub  1024D/CC611EE6 2000-01-26 Sascha Luedecke (private) <sascha at meta-x.de>
>     [...]
>     uid                            Moxon <moxon at meta-x.de>
>     [...]
>     sub  2048g/85D3C1A7 2000-01-26  [expires: 2003-01-25]
>     sig        CC611EE6 2003-10-06   [selfsig]
>     sig        CC611EE6 2000-01-26   [keybind]
>     sub  2048g/BC8DCB23 2003-04-04  [expires: 2006-04-03]
>     sig        CC611EE6 2003-04-04   [keybind]
>     sub  1024D/5240B9BF 2003-04-04  [expires: 2006-04-03]
>     sig        CC611EE6 2003-04-04   [keybind]
> 
>     What's going wrong here?

The keyserver is broken.  Most of them are.  Very few are fixed.

> 2. Problem:  replicating selfsigs
> =================================
> 
> I "gpg --recv-key" several times since I have been on a keysigning
> party this weekend.  Each time I get some new signatures which is
> great (thanks if anyone of them is listening).   But:  each time I
> --refresh-keys or --recv-key the list of selfsigs on my key grows,
> currently (other sigs removed):

(snip a long list of replicated selfsigs)

Same reason as above.  The keyserver is broken.

> a)  what can I do to get rid of these selfsigs
> b)  how can I stop the keyserver or gnupg from replicating these sigs?

You can't win.  Give up.

I don't mean this sarcastically, and I say this as someone who has
spent quite literally years fighting the keyserver battles.  You can't
win, and it's not worth trying any longer.  Too many servers are
broken in all sorts of ways, and the precious few servers that aren't
hopelessly broken still exchange data with the broken ones - thus
faithfully replicating the corrupted data even to non-broken servers.

> PS: If you want my key, get it from http://meta-x.de/openpgp.asc,
>     _not_ from the keyserver!!

As things stand today, this is one of the few workable solutions.
Without a massive re-thinking of how keyservers are operated, the game
is long since lost.

GnuPG 1.4 will have a way to tag keys with your favorite web server,
and --refresh-keys will fetch it from there.

David
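As an added example (not code from the thread or from GnuPG), a small Python packet walker that checks an exported binary key for the two symptoms discussed above: it strips byte-identical replicated signature packets, and it reports subkeys that carry more than one signature packet, which is what the keyserver's web interface rejected as "more than one signature on subkey". It assumes an unarmored export (what `gpg --export` writes without `--armor`) and compares signature packets as raw bytes only, so it does not validate or decode them; the sample key at the bottom is constructed with placeholder packet bodies.

```python
TAG_SIG, TAG_PUBKEY, TAG_UID, TAG_SUBKEY = 2, 6, 13, 14             # RFC 4880 packet tags

def iter_packets(data: bytes):
    """Yield (tag, body) per OpenPGP packet; old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:                                   # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first >= 224:                             # 4-octet / partial lengths: not handled
                raise ValueError(f"unsupported length encoding at offset {i}")
            n = 1 if first < 192 else 2                  # number of length octets
            length = first if n == 1 else ((first - 192) << 8) + data[i + 2] + 192
        else:                                            # old-format header (bit 7 must be set)
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n == 8 or not hdr & 0x80:                 # indeterminate length or no header bit
                raise ValueError(f"unsupported or bad header at offset {i}")
            length = int.from_bytes(data[i + 1:i + 1 + n], "big")
        yield tag, data[i + 1 + n:i + 1 + n + length]
        i += 1 + n + length

def packet(tag: int, body: bytes) -> bytes:
    """Encode a packet with a new-format header (bodies up to 8383 octets)."""
    n = len(body)
    hdr = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + hdr + body

def audit_and_clean(data: bytes):
    """Return (key without replicated signature packets, #dropped, subkeys with >1 signature)."""
    out, seen, sigs_on_subkey, in_subkey, dropped = [], set(), [], False, 0
    for tag, body in iter_packets(data):
        if tag in (TAG_PUBKEY, TAG_UID, TAG_SUBKEY):     # a new signature holder starts here
            in_subkey = tag == TAG_SUBKEY
            if in_subkey:
                sigs_on_subkey.append(0)
        elif tag == TAG_SIG:
            if body in seen:                             # replicated selfsig: skip it
                dropped += 1
                continue
            seen.add(body)
            if in_subkey:
                sigs_on_subkey[-1] += 1
        out.append(packet(tag, body))
    return b"".join(out), dropped, [k for k, n in enumerate(sigs_on_subkey) if n > 1]

# Constructed sample (not a real key; placeholder bodies, only the packet framing matters).
SAMPLE = b"".join(packet(t, b) for t, b in [
    (TAG_PUBKEY, b"pub"), (TAG_UID, b"uid"), (TAG_SIG, b"selfsig"), (TAG_SIG, b"selfsig"),
    (TAG_SIG, b"selfsig"), (TAG_SUBKEY, b"sub1"), (TAG_SIG, b"bind1"), (TAG_SIG, b"self1"),
    (TAG_SUBKEY, b"sub2"), (TAG_SIG, b"bind2")])
```

On the sample this drops the two repeated selfsigs and flags the first subkey, which carries two distinct signatures; since the keyservers re-merge whatever they hold, the cleaned key only stays clean where it is distributed outside them, as the post suggests.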


