Updating signature cert-level

David Shaw dshaw at jabberwocky.com
Tue Apr 26 22:49:43 CEST 2011


On Apr 26, 2011, at 4:12 PM, Doug Barton wrote:

> On 04/26/2011 13:06, Aaron Toponce wrote:
>> I signed a key, which defaulted to cert-level 0 (I will not answer),
>> which must be the default. When signing the key, GnuPG didn't ask me about
>> any checking. However, I would like to update the cert-level to 2 (I have
>> done casual checking), but I'm unaware of how to do this. Do I need to
>> revoke my signature, and re-sign, seeing as though GnuPG won't let me sign
>> the key if I've already signed it?
> 
> I think you can delsig, then sign again. The keyservers would have both, but hopefully client software (like gpg) would be smart enough to use the more recent?

Yes.

> I would imagine that revoking a signature and then signing again would make it worse instead of better?

Not really worse or better in practice.  The semantics are slightly different for the two cases, but the end result is the same.  In the revocation case, you have sig1+revoke1+sig2, so the end result is to use sig2.  In the superseding case, you have sig1+sig2, and the end result is also to use sig2.

David
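
The two histories described in the reply above (sig1+sig2 and sig1+revoke1+sig2), worked through as an added example that is not part of the original post and is not GnuPG's code. It is a simplified "newest signature from the issuer wins" model; the `Sig` record, the key ID, the timestamps and the tie-break rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# OpenPGP signature types (RFC 4880, section 5.2.1) mapped to gpg cert levels.
CERT_LEVEL = {0x10: 0, 0x11: 1, 0x12: 2, 0x13: 3}
CERT_REVOCATION = 0x30


@dataclass(frozen=True)
class Sig:
    issuer: str    # signer's key ID
    sig_type: int  # 0x10..0x13 certification, 0x30 certification revocation
    created: int   # creation time, Unix seconds


def effective_cert_level(sigs: Iterable[Sig], issuer: str) -> Optional[int]:
    """Cert level currently in effect from `issuer`, or None if absent/revoked.

    Packet order is ignored (a keyserver may return them in any order);
    only the creation time decides which signature is current.
    """
    mine = [s for s in sigs
            if s.issuer == issuer
            and (s.sig_type in CERT_LEVEL or s.sig_type == CERT_REVOCATION)]
    if not mine:
        return None
    # Assumption: on an exact timestamp tie the revocation wins (fail closed).
    newest = max(mine, key=lambda s: (s.created, s.sig_type == CERT_REVOCATION))
    if newest.sig_type == CERT_REVOCATION:
        return None
    return CERT_LEVEL[newest.sig_type]


# Constructed sample data, not taken from a real key.
ISSUER = "0xAAAAAAAAAAAAAAAA"
sig1 = Sig(ISSUER, 0x10, 1_303_840_000)     # original signature, cert-level 0
revoke1 = Sig(ISSUER, 0x30, 1_303_850_000)  # revocation of sig1
sig2 = Sig(ISSUER, 0x12, 1_303_860_000)     # new signature, cert-level 2

SUPERSEDED = [sig1, sig2]                # delsig locally, then sign again
REVOKED_THEN_RESIGNED = [sig1, revoke1, sig2]
REVOKED_ONLY = [sig1, revoke1]           # revoked and never re-signed

if __name__ == "__main__":
    for name, sigs in [("sig1+sig2", SUPERSEDED),
                       ("sig1+revoke1+sig2", REVOKED_THEN_RESIGNED),
                       ("sig1+revoke1", REVOKED_ONLY)]:
        print(name, "->", effective_cert_level(sigs, ISSUER))
```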



