clean sigs

David Shaw dshaw at
Fri Sep 9 16:46:26 CEST 2005

On Fri, Sep 09, 2005 at 04:18:11PM +0200, Dirk Traulsen wrote:
> Am 8 Sep 2005 um 20:00 hat David Shaw geschrieben:
> > Yes, I see what happened now.  It's just a misunderstanding.  "clean"
> > can't work unless you have the key that issued the signature that you
> > want cleaned (so it can know which signatures to remove).  In your
> > case, you need to fetch key CA57AD7C (the PGP GD key).  Once you have
> > that key, GnuPG can remove signatures that it has issued.
> I can confirm, that 'clean' worked as you said, when I first fetched 
> the keys for the obsolete sigs.


> But why is it nescessary to fetch the key first? When there is a new, 
> functional and valid signature from key 12345678 on a key, isn't it 
> obvious from the originally 16 character keyID, that they were issued 
> from the same key, whether I have it in my keyring or not?
> Couldn't gpg delete the old obsolete signatures without the signing 
> key itself?

Unfortunately not, because without the signing key, gpg can't tell if
a signature is valid or not.  If there is no way to tell if a
signature is valid then the wrong thing might happen in cleaning.

Here's an example:

signature 1 from key 12345678 is dated January 1, 2000.
signature 2 from key 12345678 is dated January 1, 2001.

It would seem obvious that signature 1 should be removed... but in
fact, signature 1 is valid, and signature 2 is a forgery.  If gpg
removes signature 1, then the forger who created signature 2
effectively "revoked" signature 1.  Only if the signing key 12345678
is present can gpg tell which is the real signature.

There is perhaps an argument to be made for a "super clean" that does
clean and also removes any signature where the signing key is not
present (in fact, an early version of clean did that), but that's a
different thing than clean.


More information about the Gnupg-users mailing list