Is it possible to sign a key again after revoking a signature?

David Shaw dshaw at jabberwocky.com
Sat Aug 3 04:48:12 CEST 2013


On Aug 2, 2013, at 1:17 AM, Philip Jägenstedt <philip at foolip.org> wrote:

> Hi all,
> 
> I'm new to GnuPG and have probably been a little too ambitious for my
> own good. I originally signed key AB4DFBA4 at level 3 after a meetup,
> but was later paranoid that I was too lax and wanted to resign it at
> level 2, but did the resigning (by deleting the first signature locally)
> and revoking in the wrong order, and left my signature simply revoked.
> 
> After some tinkering I arrived at
> <http://foolip.org/2013/08/02/signing-policy/> and now want to sign the
> key again at level 3, but want to make sure I don't make a mess of it
> again. The problem:
> 
> When I try to sign the key using gpg --edit-key, I'm told (twice)
> that the key "was already signed by key 9DC6C210" and that there's
> "Nothing to sign with key 9DC6C210."
> 
> The first time I bypassed this didn't turn out great, so can someone
> confirm to me that my (3) existing signatures locally, signing again and
> then syncing with the keyserver will leave this in a state where my
> signature will be considered valid, in spite of an earlier revoke on the
> same key?

Yes.  So long as the date on the most recent signature is after the date of the revocation, the signature will take effect.

Leaving aside a bunch of more complex cases like non-revocable signatures, and signatures with expired expiration dates for now, in the simple case, the algorithm used for deciding if a signature is valid is to find the latest signature from a given key.  If that signature is a revocation, then it's considered revoked.  If the latest signature isn't a revocation, that signature takes effect.

An easy way to see what GnuPG considers a valid signature is to run "clean" on the key from the --edit-key menu.  GnuPG will strip off everything that it isn't using for trust calculations (so, revoked signatures are removed, runs of multiple signatures are collapsed down to the most recent, and so on).

David
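The "latest signature from a given key wins" rule that David describes above, worked through as an added example (not GnuPG's code, and not part of the original thread). The packet model, the signer key ID "0123ABCD", and all dates are constructed; the key ID 9DC6C210 is the one from the question. The simple case is modelled only: non-revocable and expired signatures are ignored, exactly as the reply sets them aside. The second sample list shows the failure mode the answer warns about, a fresh certification whose creation date falls before the revocation, which stays revoked.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed model of the certification signatures on one user ID of a key.
# Added illustration of the "latest signature wins" rule; it ignores
# non-revocable certifications and signatures with expired expiration dates.


@dataclass(frozen=True)
class Cert:
    signer: str                 # key ID of the certifying key
    created: datetime           # signature creation time
    revocation: bool = False    # True for a certification revocation (sig class 0x30)
    level: int = 0              # cert level: 0x10..0x13 map to 0..3


def latest_per_signer(certs):
    """Pick the most recently created signature from each signing key."""
    latest = {}
    for c in certs:
        prev = latest.get(c.signer)
        if prev is None or c.created > prev.created:
            latest[c.signer] = c
    return latest


def effective_certs(certs):
    """Signatures that take effect for trust purposes, keyed by signer.

    Per signer, only the latest signature decides: if it is a revocation the
    signer's certification is revoked (the signer is absent from the result);
    otherwise that signature is in force, regardless of any older revocation.
    """
    return {s: c for s, c in latest_per_signer(certs).items() if not c.revocation}


def status(certs, signer):
    """State of one signer's certification: 'valid (level N)', 'revoked' or 'none'."""
    latest = latest_per_signer(certs).get(signer)
    if latest is None:
        return "none"
    if latest.revocation:
        return "revoked"
    return f"valid (level {latest.level})"


def _t(iso):
    """Constructed UTC timestamp helper for the sample packets below."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# The sequence from the question (dates constructed): a level-3 cert, then a
# revocation, then a fresh level-3 cert dated after the revocation.
RECOVERED = [
    Cert("9DC6C210", _t("2013-07-20T10:00:00"), level=3),
    Cert("9DC6C210", _t("2013-07-25T10:00:00"), revocation=True),
    Cert("9DC6C210", _t("2013-08-02T10:00:00"), level=3),
    Cert("0123ABCD", _t("2013-06-01T10:00:00"), level=2),  # constructed unrelated signer
]

# Same packets, but the "new" certification is dated before the revocation,
# e.g. an old copy of the original signature re-imported from a keyserver:
# the revocation is still the latest signature and wins.
STALE = [
    Cert("9DC6C210", _t("2013-07-20T10:00:00"), level=3),
    Cert("9DC6C210", _t("2013-07-25T10:00:00"), revocation=True),
    Cert("9DC6C210", _t("2013-07-22T10:00:00"), level=3),
]

if __name__ == "__main__":
    for name, certs in (("recovered", RECOVERED), ("stale", STALE)):
        print(f"{name}: 9DC6C210 is {status(certs, '9DC6C210')}")
        print("  signers in force:", sorted(effective_certs(certs)))
```

What `effective_certs` returns is the view David says "clean" exposes: the revoked signature and the superseded older run collapse to the single certification in force per signer, so checking the key after a clean is a quick way to confirm the new signature is the one that counts.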
