Seeking clarification with a few GPG concepts

Peter Lebbing peter at digitalbrains.com
Wed Aug 13 14:22:29 CEST 2014


On 13/08/14 12:37, Hauke Laging wrote:
> Give it a try...

OK.

$ gpg2 --homedir gpgtest -k DCDFDFA4
pub   1024R/DCDFDFA4 2012-03-17 [expires: 2014-08-15]
uid       [  full  ] Test Teststra <test at work.invalid>
uid       [  full  ] Test Teststra (Koning van Wezel) <test at example.invalid>
sub   1024R/77A3395A 2012-03-17

Revoking the work UID...

~$ gpg2 --homedir gpgtest --list-options show-unusable-uids -k DCDFDFA4
pub   1024R/DCDFDFA4 2012-03-17 [expires: 2014-08-15]
uid       [  full  ] Test Teststra (Koning van Wezel) <test at example.invalid>
uid       [ revoked] Test Teststra <test at work.invalid>
sub   1024R/77A3395A 2012-03-17

Had to add a list-options flag to show it.

Re-adding the UID...

---------------------8<-------------->8---------------------
$ gpg2 --edit-key DCDFDFA4
[...]
gpg> adduid
[...]
Real name: Test Teststra
Email address: test at work.invalid
Comment:
You selected this USER-ID:
    "Test Teststra <test at work.invalid>"

Such a user ID already exists on this key!
Change (N)ame, (C)omment, (E)mail or (Q)uit? q
---------------------8<-------------->8---------------------

Okay, the UI doesn't let us do it that easily. Delete that old one.

---------------------8<-------------->8---------------------
gpg> uid 2
[...]
gpg> deluid
[...]
gpg> adduid
Real name: Test Teststra
Email address: test at work.invalid
Comment:
You selected this USER-ID:
    "Test Teststra <test at work.invalid>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
---------------------8<-------------->8---------------------

So far so good. I'm redistributing the key to my peer.

---------------------8<-------------->8---------------------
$ gpg2 --export DCDFDFA4|gpg2 --homedir gpgtest --import
gpg: key DCDFDFA4: "Test Teststra <test at work.invalid>" 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1
$ gpg2 --homedir gpgtest --list-options show-unusable-uids -k DCDFDFA4
pub   1024R/DCDFDFA4 2012-03-17 [expires: 2014-08-15]
uid       [  full  ] Test Teststra <test at work.invalid>
uid       [  full  ] Test Teststra (Koning van Wezel) <test at example.invalid>
sub   1024R/77A3395A 2012-03-17
---------------------8<-------------->8---------------------

And look, it's back in action.

It is precisely as you said, GnuPG does allow reinstating a revoked
UID. However, there is a slight hitch in the UI that means you can't do
it completely straightforwardly. You need to delete the offending UID
before re-adding it, but other than that, it works, and the
certifications are even carried over.

> Not the last created but the last self-signed one (may differ e.g. after 
> expiration).

Ah, right, thanks for the correction!

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


