clean sigs

David Shaw dshaw at jabberwocky.com
Fri Sep 9 02:00:25 CEST 2005


On Fri, Sep 09, 2005 at 12:33:47AM +0200, Dirk Traulsen wrote:
> On 8 Sep 2005 at 16:00 David Shaw wrote:
> 
> > I'm trying, but I still can't duplicate the problem.  Can you put
> > together a simple keyring and simple gpg.conf file that still shows
> > the problem?
> 
> I did what you asked me to do and now I'm completely confused!
> 
> First I deleted my gpg.conf, the keyrings and the trustdb.
> 
> Then I fetched the key 08B0A90B from the keyserver 
> 'random.sks.keyserver.penguin.de' and it was the same as yesterday: 
> 47 sigs with a lot of old expired sigs from the same key (see output1 
> below) and 'clean' later removed just one self sig and all the old 
> ones were still there. As 'clean' did the same as yesterday, it had 
> nothing to do with my gpg.conf, keyrings or trustdb.
> 
> Now I have three additional problems:
> 
> 1. The same key from the same keyserver just one day later, but if 
> you compare it with my output in my mail from yesterday, you see that 
> the sigs are in a completely different order! Why? Aren't they always 
> in the same order in the key? 

No, they're not.  The only requirement is that the signatures remain
after the appropriate user ID.  Within each user ID block, though, you
can rearrange signatures without affecting anything so most programs
don't give any particular effort to keeping them in order.

> 2. There is a line after the '--recv-key' which I don't understand:
> 'gpg: kein uneingeschränkt vertrauenswürdiger Schlüssel 0022FA10 
> gefunden'
> (my English translation: gpg: no ultimately trusted key 0022FA10 
> found)
> As you can see in the output, I didn't ask for this key. There are no 
> keyrings or trustdb, as I deleted them before. I don't know this key 
> and I couldn't find it at the keyservers.
> Why did gpg try to find this key?

GnuPG will look for your own key.  Did you generate a key with that
key ID?

> 3. Because now I was irritated, I did the same again with a different 
> keyserver 'keyserver.kjsl.com' and I got a completely different 
> result! When I fetched the key 08B0A90B, here it didn't have 47 sigs, 
> but only 15 sigs (see below output2). There was only a double self 
> sig, which 'clean' removed later. How can this be, if the keyservers 
> are synchronized?

Looks like they're not all that well synchronized :)

> David, I really hope you can reproduce it now or at least get an 
> idea of what's going on.

Yes, I see what happened now.  It's just a misunderstanding.  "clean"
can't work unless you have the key that issued the signature that you
want cleaned (so it can know which signatures to remove).  In your
case, you need to fetch key CA57AD7C (the PGP GD key).  Once you have
that key, GnuPG can remove signatures that it has issued.

David
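The rule David states above (clean can only drop a signature once the issuing key is on the keyring, and within a user ID block the order of signatures carries no meaning) is modelled in the following script. This is an added illustration, not GnuPG's own code: the `Signature`/`UserId` classes, the `clean_uid` function and the sample key are all constructed here, using the key IDs 08B0A90B and CA57AD7C from the thread and made-up timestamps.

```python
from dataclasses import dataclass, field
from typing import Optional

# Simplified model of what the reply describes (added example, not GnuPG code):
# a key is a list of user ID blocks, each carrying the signatures made over it.

@dataclass(frozen=True)
class Signature:
    issuer: str                     # key ID of the signing key
    created: int                    # creation time (constructed day numbers)
    expires: Optional[int] = None   # expiration time; None = never expires

@dataclass
class UserId:
    name: str
    sigs: list = field(default_factory=list)

def clean_uid(uid: UserId, keyring: set, now: int) -> list:
    """Return the signatures 'clean' would keep on one user ID block.

    Rules modelled from the reply above: a signature is only examined when
    the issuing key is on the keyring (it has to be verified first); of the
    verified signatures from one issuer only the newest unexpired one
    survives, the rest are superseded. Signatures whose issuer is absent
    are left exactly as they are."""
    kept = []
    verifiable = {}
    for sig in uid.sigs:
        if sig.issuer not in keyring:
            kept.append(sig)          # cannot verify -> cannot judge -> keep
        else:
            verifiable.setdefault(sig.issuer, []).append(sig)
    for sigs in verifiable.values():
        live = [s for s in sigs if s.expires is None or s.expires > now]
        if live:                      # newest live one wins; older/expired go
            kept.append(max(live, key=lambda s: s.created))
    return kept

def removed_count(uid: UserId, keyring: set, now: int) -> int:
    return len(uid.sigs) - len(clean_uid(uid, keyring, now))

# Constructed sample mirroring the thread: key 08B0A90B with one user ID,
# a duplicated self-signature and several PGP GD (CA57AD7C) signatures,
# all but the newest already expired.
GD = "CA57AD7C"
SELF = "08B0A90B"
NOW = 1000
sample = UserId("Sample <sample@example.invalid>", [
    Signature(GD, 100, expires=114),
    Signature(SELF, 50),
    Signature(GD, 200, expires=214),
    Signature(GD, 300, expires=314),
    Signature(SELF, 60),                # duplicate self-sig; the newer one wins
    Signature(GD, 990, expires=1004),   # the current GD signature
])

def scenario_without_gd_key() -> int:
    # Keyring holds only the key itself: just the extra self-sig disappears.
    return removed_count(sample, {SELF}, NOW)

def scenario_with_gd_key() -> int:
    # After fetching CA57AD7C the expired GD signatures can be judged too.
    return removed_count(sample, {SELF, GD}, NOW)

def order_independent() -> bool:
    # Reordering signatures within the user ID block changes nothing.
    shuffled = UserId(sample.name, list(reversed(sample.sigs)))
    a = set(clean_uid(sample, {SELF, GD}, NOW))
    b = set(clean_uid(shuffled, {SELF, GD}, NOW))
    return a == b

if __name__ == "__main__":
    print("removed without GD key:", scenario_without_gd_key())   # 1
    print("removed with GD key:", scenario_with_gd_key())         # 4
    print("order independent:", order_independent())              # True
```

With only the key itself on the keyring the script removes one signature (the duplicate self-sig), exactly what Dirk saw; once CA57AD7C is present the expired GD signatures become decidable and four are removed. The last check shows why the differing sort order between the two keyserver downloads is harmless.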
