gpg --check-sigs should indicate if a signature is made by a revoked/compromised key

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Feb 9 22:46:38 CET 2011


On 02/09/2011 03:27 PM, Grant Olson wrote:
> The man page does say that this is intentionally not done for
> performance reasons:
> 
> --check-sigs
>        Same as --list-sigs, but the signatures are verified.  Note that
>        for performance reasons the revocation status of a  signing  key
>        is not shown.  This command has the same effect as using --list-
>        keys with --with-sig-check.


ah, thanks for helping me RTFM :)  sorry i missed that.  is the same
thing true about key expiry?

> But shouldn't a user let the trust calculations do their magic and break
> the WoT to Bob's key once Alice's key has been revoked?  Before the key
> was valid because Alice had full trust, now it's unvalidated because
> Alice's key is revoked.

yes, it would be good if people did that.

> It seems like this attack only works if you ignore the WoT and
> explicitly start signing keys X-degrees-of-separation away without
> proper verification.  (Not that I'm saying I can't conceive of real
> people doing this.)

yeah, i think the problem is that people don't think about these
different ways that manual checking can fail.  By not reporting key
expirations, --check-sigs puts the extra burden on the user -- this
might be a performance hit, but it's way more of a performance hit if
the user then has to go and manually look up each key, no?

	--dkg
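
The manual per-key lookup dkg describes can be scripted against gpg's colon-delimited output. As an added example that is not part of this thread, the script below parses constructed `--with-colons` records (the key IDs and names are made up) and flags certifications that `--check-sigs` verified as good but whose signer key the keyring lists as revoked or expired.

```python
# Flag certifications whose signing key is revoked or expired, using gpg's
# machine-readable colon format (field 1 = record type, field 2 = validity,
# field 5 = key ID). All records below are constructed, not from a real keyring.
from typing import Dict, List, Tuple

# Constructed output of `gpg --with-colons --check-sigs <keyid>`.
# In sig records field 2 is the check result: "!" good, "-" bad, "?" no key.
CHECK_SIGS = """\
pub:f:2048:1:BBBBBBBBBBBBBBBB:1262304000::::::scESC::
uid:f::::1262304000::UIDHASH::Bob Example <bob@example.org>::
sig:!::1:BBBBBBBBBBBBBBBB:1262304000::::Bob Example <bob@example.org>:13x:
sig:!::1:AAAAAAAAAAAAAAAA:1293840000::::Alice Example <alice@example.org>:13x:
sig:!::1:CCCCCCCCCCCCCCCC:1293840000::::Carol Example <carol@example.org>:13x:
sig:?::1:DDDDDDDDDDDDDDDD:1293840000::::[User ID not found]:10x:
"""

# Constructed output of `gpg --with-colons --list-keys` for the signer keys.
# In pub records field 2 is validity: "r" revoked, "e" expired, "f" full, ...
LIST_KEYS = """\
pub:r:2048:1:AAAAAAAAAAAAAAAA:1230768000::::::scESC::
uid:r::::1230768000::UIDHASH::Alice Example <alice@example.org>::
pub:e:2048:1:CCCCCCCCCCCCCCCC:1230768000:1262304000::::scESC::
uid:e::::1230768000::UIDHASH::Carol Example <carol@example.org>::
pub:f:2048:1:BBBBBBBBBBBBBBBB:1262304000::::::scESC::
"""


def signer_validity(list_keys: str) -> Dict[str, str]:
    """Map each pub key ID to its validity flag from --list-keys output."""
    validity: Dict[str, str] = {}
    for line in list_keys.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            validity[f[4]] = f[1]
    return validity


def audit_sigs(check_sigs: str, list_keys: str) -> List[Tuple[str, str]]:
    """Return (signer key ID, problem) for every certification that gpg
    reported as good but whose signer is revoked, expired, or not held."""
    validity = signer_validity(list_keys)
    findings: List[Tuple[str, str]] = []
    for line in check_sigs.splitlines():
        f = line.split(":")
        if f[0] != "sig" or len(f) < 5:
            continue
        status, keyid = f[1], f[4]
        if status == "?":
            findings.append((keyid, "signer key not in keyring"))
        elif status == "!" and validity.get(keyid) == "r":
            findings.append((keyid, "signer key revoked"))
        elif status == "!" and validity.get(keyid) == "e":
            findings.append((keyid, "signer key expired"))
    return findings
```

With a real keyring, feed `audit_sigs` the captured stdout of the two gpg invocations named in the comments instead of the constructed strings.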
