invalid gpg key revocation

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Mar 6 21:04:39 CET 2012


On 03/06/2012 01:36 PM, auto15963931 at hushmail.com wrote:
> Looking at this instruction, I think you assume that I have 
> imported the revoked key onto my keyring. I have not done so.  On 
> my keyring is the valid key, which is not revoked.  The revoked key 
> appears to be on a keyserver.  When I do a search and view the 
> result online, I can see my key ID number and user ID plainly 
> identifying this key as having now been revoked.  I have not 
> imported it.

So much mystery involved here!  You're making everyone guess at the
situation by not identifying the key.  I understand you might have
reasons for this caginess, but please realize that your reluctance to
spell out the details of the situation makes this process take much more
of your time and of the time of other people on this list.

You might not be aware that keyservers don't check the correctness of
any of the cryptographic material placed on them.  So it's possible to
upload something that looks like a revocation certificate but would be
rejected by any reasonable OpenPGP client implementation, since it would
not validate.

> The really weird part is that I never publicly put it 
> on a server myself.

Anyone with possession of an OpenPGP certificate can upload it to the
public keyservers.

> I am reluctant 
> to import the bad one because it might mess up the good one.

I understand your hesitation to import the revocation certificate to
your public keyring, though you can probably clean it up with some of
the subcommands of gpg --edit-key.

Alternately, you could create a new GNUPGHOME directory and work
temporarily from that.

e.g.:

mkdir -m 0700 ~/tmpgpg
GNUPGHOME=~/tmpgpg
export GNUPGHOME

... do your work here, you'll start with an empty keyring ...

rm -rf ~/tmpgpg
unset GNUPGHOME


> So, I 
> am not sure how to look at the certificate with your command, which 
> appears to require that I export it. Does it not?

No, you could also just fetch the key from the keyserver via http, and
feed it to gpg --list-packets directly.  Here's me doing that with my
own key (you'd need to replace the long keyid with the keyid you care
about):

wget -O- \
 'http://keys.gnupg.net/pks/lookup?op=get&search=0xCCD2ED94D21739E9' \
 | gpg --list-packets \
 | less

however, importing it into a gpg keyring is probably a better idea,
since it would let you verify whether the revocation certificate is valid.

Regards,

	--dkg
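To make the distinction in the reply above concrete (a revocation certificate merely sitting on a keyserver versus one gpg actually honours after import), here is an added example that is not part of the original message. It parses constructed samples of `gpg --list-packets` and `gpg --with-colons --list-keys` output: the first only shows that a sigclass 0x20 (key revocation) signature exists and which keyid it claims as issuer, with no signature checking; the second records gpg's verdict after importing into a scratch GNUPGHOME, where validity 'r' in the pub record means the revocation validated. All keyids and field values are constructed.

```python
import re

# Constructed sample of `gpg --list-packets` output for a made-up key (not a real
# key). Two signatures carry sigclass 0x20 (key revocation); only one of them
# claims to be issued by the key itself.
SAMPLE_PACKETS = """\
:public key packet:
\tkeyid: 0123456789ABCDEF
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1331000000, md5len 0, sigclass 0x20
:signature packet: algo 1, keyid FEDCBA9876543210
\tversion 4, created 1331000000, md5len 0, sigclass 0x20
"""

# Constructed `gpg --with-colons --list-keys` output from a scratch GNUPGHOME after
# importing the same material; field 2 of the pub record ('r') is gpg's verdict.
SAMPLE_COLONS = """\
pub:r:2048:1:0123456789ABCDEF:1330000000:::-:::sc::::::23::0:
"""

def revocation_sigs(packets_text):
    """Primary keyid plus the claimed issuer of every 0x20 revocation signature.
    --list-packets verifies nothing, so these are claims, not validated facts."""
    primary, issuer, revokers = None, None, []
    for line in packets_text.splitlines():
        m = re.match(r"\s+keyid: ([0-9A-F]{16})$", line)
        if m and primary is None:          # first keyid line belongs to the primary key
            primary = m.group(1)
        m = re.match(r":signature packet: algo \d+, keyid ([0-9A-F]{16})", line)
        if m:
            issuer = m.group(1)
        if "sigclass 0x20" in line and issuer:
            revokers.append(issuer)
    return primary, revokers

def imported_key_revoked(colons_text, keyid):
    """True/False from gpg's own validity field; None if the key is not in the keyring."""
    for line in colons_text.splitlines():
        f = line.split(":")
        if f[0] == "pub" and f[4] == keyid:
            return f[1] == "r"
    return None

def assess(packets_text, colons_text):
    primary, revokers = revocation_sigs(packets_text)
    return {"primary": primary,
            "self_revocation_claimed": primary in revokers,
            "other_claimed_revokers": sorted({r for r in revokers if r != primary}),
            "gpg_treats_as_revoked": imported_key_revoked(colons_text, primary)}
```

A 0x20 signature from a keyid other than the primary only counts if that key is a designated revoker, which is exactly the kind of check `--list-packets` cannot perform and import into a keyring can.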