dshaw at jabberwocky.com
Fri Sep 9 16:46:26 CEST 2005
On Fri, Sep 09, 2005 at 04:18:11PM +0200, Dirk Traulsen wrote:
> Am 8 Sep 2005 um 20:00 hat David Shaw geschrieben:
> > Yes, I see what happened now. It's just a misunderstanding. "clean"
> > can't work unless you have the key that issued the signature that you
> > want cleaned (so it can know which signatures to remove). In your
> > case, you need to fetch key CA57AD7C (the PGP GD key). Once you have
> > that key, GnuPG can remove signatures that it has issued.
> I can confirm, that 'clean' worked as you said, when I first fetched
> the keys for the obsolete sigs.
> But why is it nescessary to fetch the key first? When there is a new,
> functional and valid signature from key 12345678 on a key, isn't it
> obvious from the originally 16 character keyID, that they were issued
> from the same key, whether I have it in my keyring or not?
> Couldn't gpg delete the old obsolete signatures without the signing
> key itself?
Unfortunately not, because without the signing key, gpg can't tell if
a signature is valid or not. If there is no way to tell if a
signature is valid then the wrong thing might happen in cleaning.
Here's an example:
signature 1 from key 12345678 is dated January 1, 2000.
signature 2 from key 12345678 is dated January 1, 2001.
It would seem obvious that signature 1 should be removed... but in
fact, signature 1 is valid, and signature 2 is a forgery. If gpg
removes signature 1, then the forger who created signature 2
effectively "revoked" signature 1. Only if the signing key 12345678
is present can gpg tell which is the real signature.
There is perhaps an argument to be made for a "super clean" that does
clean and also removes any signature where the signing key is not
present (in fact, an early version of clean did that), but that's a
different thing than clean.
More information about the Gnupg-users