Revoked keys and past signatures

Kristian Fiskerstrand kristian.fiskerstrand at
Tue Feb 10 12:52:41 CET 2015


On 02/10/2015 12:28 PM, Peter Lebbing wrote:
> On 09/02/15 20:34, Daniel Kahn Gillmor wrote:
>> the *date* of your "key was superseded" revocation is relevant,
>> though. Any certifications that claim to have happened after the
>> date of the revocation *should* be considered invalid, whereas
>> revocations that happen before that date (but after the key
>> creation date) should retain their validity.
> That's twenty minutes later. I don't see a reason for GnuPG to
> round to full days when it has resolution down to the second for
> the times the signatures (data, revocation) are made... is there?
> The RFC clearly states "key superseded" doesn't invalidate old
> signatures:

And it doesn't

>> However, if it was merely superseded or retired, old signatures
>> are still valid.
> But using GnuPG 2.0.26 on Debian jessie/testing, package 2.0.26-4,
> I can reproduce signatures becoming invalid... what's going on?
> Does GnuPG not implement the RFC here or is it a bug?

No, the signature is still valid:

> $ gpg2 --verify test.gpg
> gpg: Signature made Tue 10 Feb 2015 11:53:47 CET using RSA key ID
> gpg: Good signature from "Testkey 3" [unknown]
> gpg: WARNING: This key has been revoked by its owner!
> gpg:          This could mean that the signature is forged.
> gpg: reason for revocation: Key is superseded
> gpg: revocation comment: Test revocation
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: EFF1 596F 1A68 F708 8699  579D 0815 4E55 B2F1 C0D8

... However, you have an unknown situation wrt the validity of the key
having issued the signature; you get the additional information and
you need to make your own considerations as to the validity of the key
at the present stage.
-- 
----------------------------
Kristian Fiskerstrand
Twitter: @krifisk
----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Credo quia absurdum
I believe it because it is absurd
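The policy the thread argues over (a data signature made before a "superseded" or "retired" revocation stays valid, one made at or after the revocation does not, and a "compromised" revocation makes all signatures suspect), written out as an added example that is not part of this thread and not GnuPG's code. The reason codes are the RFC 4880 section 5.2.3.23 values; the key creation time and the "twenty minutes later" revocation time are constructed for the example, only the 11:53:47 CET signature time comes from the output above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Optional, Tuple


class RevocationReason(IntEnum):
    """Reason codes from the Reason for Revocation subpacket (RFC 4880 5.2.3.23)."""
    NO_REASON = 0x00
    SUPERSEDED = 0x01
    COMPROMISED = 0x02
    RETIRED = 0x03
    UID_INVALID = 0x20


@dataclass(frozen=True)
class Revocation:
    revoked_at: datetime        # creation time of the revocation signature (second resolution)
    reason: RevocationReason
    comment: str = ""


def evaluate_signature(signed_at: datetime, key_created_at: datetime,
                       revocation: Optional[Revocation]) -> Tuple[str, str]:
    """Classify a data signature against the signing key's revocation state.

    Returns (verdict, explanation); verdict is "valid", "invalid" or "suspect".
    Timestamps are compared at full resolution, no rounding to whole days.
    """
    if signed_at < key_created_at:
        return "invalid", "signature claims to predate the key's creation"
    if revocation is None:
        return "valid", "key is not revoked"
    if signed_at >= revocation.revoked_at:
        return "invalid", "signature timestamp is at or after the revocation"
    if revocation.reason == RevocationReason.COMPROMISED:
        # A compromised key cannot vouch for its own history: the revocation
        # date could have been backdated, so older signatures are suspect too.
        return "suspect", "key was compromised; all its signatures are suspect"
    if revocation.reason in (RevocationReason.SUPERSEDED, RevocationReason.RETIRED):
        return "valid", "made before a superseded/retired revocation; still valid"
    return "suspect", "revocation gives no usable reason; judge the key out of band"


CET = timezone(timedelta(hours=1))
SIGNED_AT = datetime(2015, 2, 10, 11, 53, 47, tzinfo=CET)     # from the gpg output above
KEY_CREATED_AT = SIGNED_AT - timedelta(hours=1)                # constructed
REVOKED_AT = SIGNED_AT + timedelta(minutes=20)                 # constructed ("twenty minutes later")
SUPERSEDED = Revocation(REVOKED_AT, RevocationReason.SUPERSEDED, "Test revocation")
```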
