clean sigs

Dirk Traulsen dirk.traulsen at
Sat Sep 10 14:21:24 CEST 2005

On 9 Sep 2005 at 10:46, David Shaw wrote:
> Unfortunately not, because without the signing key, gpg can't tell if
> a signature is valid or not.  If there is no way to tell if a
> signature is valid then the wrong thing might happen in cleaning.
> Here's an example:
> signature 1 from key 12345678 is dated January 1, 2000.
> signature 2 from key 12345678 is dated January 1, 2001.
> It would seem obvious that signature 1 should be removed... but in
> fact, signature 1 is valid, and signature 2 is a forgery.  If gpg
> removes signature 1, then the forger who created signature 2
> effectively "revoked" signature 1.  Only if the signing key 12345678
> is present can gpg tell which is the real signature.

Ok, now I understand. Maybe it would be helpful to write in the
man page that you need the key for cleaning.

> There is perhaps an argument to be made for a "super clean" that does
> clean and also removes any signature where the signing key is not
> present (in fact, an early version of clean did that), but that's a
> different thing than clean.

I think it would be a good thing to have, especially if you have
limited space. The name is funny too.

Thank you for your help
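
Added example, not part of the original message and not GnuPG code: a toy model of the cleaning decision David Shaw describes, showing why a date-only clean lets a forgery displace the genuine signature. The HMAC stand-in for OpenPGP signatures, the function names, the user ID, and the rule that a signature failing verification is dropped are assumptions of this sketch.

```python
import hashlib
import hmac
from collections import namedtuple

# Toy model: an HMAC stands in for an OpenPGP certification, and the "keyring"
# maps key ID -> verification secret. Real OpenPGP uses public-key signatures.
Sig = namedtuple("Sig", "key_id date mac")

def make_sig(secret, key_id, uid, date):
    msg = f"{key_id}|{uid}|{date}".encode()
    return Sig(key_id, date, hmac.new(secret, msg, hashlib.sha256).digest())

def verify(sig, uid, keyring):
    """True or False when the signing key is present, None when it is missing."""
    secret = keyring.get(sig.key_id)
    if secret is None:
        return None
    expected = make_sig(secret, sig.key_id, uid, sig.date).mac
    return hmac.compare_digest(expected, sig.mac)

def naive_clean(sigs):
    """Unsafe on unverified input: keep only the latest-dated signature per key."""
    newest = {}
    for sig in sigs:
        if sig.key_id not in newest or sig.date > newest[sig.key_id].date:
            newest[sig.key_id] = sig
    return sorted(newest.values(), key=lambda s: s.date)

def clean(sigs, uid, keyring):
    """Supersede by date only among signatures that verify.

    Signatures whose key is missing are left untouched; signatures that fail
    verification are dropped (an assumption of this sketch).
    """
    untouched = [s for s in sigs if verify(s, uid, keyring) is None]
    valid = [s for s in sigs if verify(s, uid, keyring) is True]
    return sorted(untouched + naive_clean(valid), key=lambda s: s.date)

# Constructed sample data mirroring the example in the message.
UID = "Alice <alice@example.org>"
SECRET = b"constructed-secret-for-key-12345678"
SIG1 = make_sig(SECRET, "12345678", UID, "2000-01-01")  # genuine, older
SIG2 = Sig("12345678", "2001-01-01", b"\x00" * 32)      # forged, newer date

if __name__ == "__main__":
    print("date-only :", [s.date for s in naive_clean([SIG1, SIG2])])
    print("with key  :", [s.date for s in clean([SIG1, SIG2], UID, {"12345678": SECRET})])
    print("key absent:", [s.date for s in clean([SIG1, SIG2], UID, {})])
```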

