lsign and sign

Sam Pablo Kuper sampablokuper at riseup.net
Thu Feb 4 16:07:03 CET 2016


On Sun, 4 Mar 2001, Werner Koch <wk at gnupg.org> wrote:
> On Sun, 4 Mar 2001, Stefan Bellon wrote:
>> I've a short question concerning signing and lsigning. If you lsign a
>> key and afterwards (some time later) decide you want to export it and
>> therefore sign it, does the lsignature get marked exportable or is a
>> new signature created?
>
> Because that flag resides in the non-hashed area, it is possible to
> change it without creating a new signature.  However there is no
> code for this.

(See
https://lists.gnupg.org/pipermail/gnupg-users/2001-March/007884.html )

Has this changed since 2001?

I like to use cert-levels[1] to record how carefully I have checked keys
that I wish to sign.

In cases where the signee would prefer me not to publicly reveal
information about how carefully I have checked their key[2], I would
like to accommodate their wishes by signing with cert-level 0 but still
locally signing with the level appropriate to how thoroughly I have
checked their key, so that I have a signed record of this for myself, in
my keyring.

However, neither gpg nor gpg2 seems to let me do this. If I `sign`,
regardless of cert-level, and then try to `lsign`, then I get a message
along the lines of:

> "User Name <user.email>" was already signed by key DEADBEEF
> Nothing to sign with key DEADBEEF

Likewise, if I instead reverse the order and `lsign` first, then when I
run the `sign` command, I get:

> Your current signature on "User Name <user.email>"
> is a local signature.
> Do you want to promote it to a full exportable signature? (y/N) N
> "User Name <user.email>" was already signed by key DEADBEEF
> Nothing to sign with key DEADBEEF

Either way, GnuPG stymies me in my desire to `sign` and `lsign` the same
UID with different values.

It would be nice if GnuPG offered a way to `sign` and `lsign` with
different values, to handle the use case I have presented.

Please could you let me know if it already does, and I have missed this
feature somehow, or alternatively whether this feature is planned for a
future release?

Many thanks,

- spk


[1] I have my own set of key-signing principles, which at some point I
will probably post online. Based upon observation of other GnuPG users'
habits, many do not use cert-levels. Of those who do, my level 1 is
probably equivalent to most people's level 2; my level 2 probably
equivalent to most people's level 3, and my level 3 is more extensive
than my level 2.

[2] E.g. as per https://www.debian-administration.org/users/dkg/weblog/98
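As an added illustration of the structural point behind the quoted reply (this is not code from the message above or from GnuPG): whether the exportable flag of a certification can be changed without re-signing depends on which subpacket area of the v4 signature packet holds it. The certification level is the signature type byte (0x10 to 0x13), which is always covered by the hash, so a different cert-level always means a different signature; the exportable-certification subpacket (type 4) may sit in the hashed or the unhashed area, and only an unhashed one could be rewritten in place. The parser below, written for this page, splits a v4 signature packet body into its two areas and answers both questions. The sample packets, the dummy issuer key ID and MPI, and all function names are constructed for the example.

```python
"""Locate the exportable flag and cert-level in a v4 OpenPGP certification.

Added example, not GnuPG code. Parses a v4 signature packet body
(RFC 4880 section 5.2.3) and reports whether the type-4 subpacket lives in
the hashed or unhashed area. Sample packets below are hand-built dummies.
"""
import struct

SUBPKT_CREATION_TIME = 2
SUBPKT_EXPORTABLE = 4
SUBPKT_ISSUER = 16
CERT_LEVEL = {0x10: 0, 0x11: 1, 0x12: 2, 0x13: 3}   # sig type -> gpg cert-level


def read_subpacket_length(data, pos):
    """Decode an RFC 4880 5.2.3.1 subpacket length; return (length, next_pos)."""
    b0 = data[pos]
    if b0 < 192:
        return b0, pos + 1
    if b0 < 255:
        return ((b0 - 192) << 8) + data[pos + 1] + 192, pos + 2
    return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5


def parse_subpackets(area):
    """Return a list of (type, critical, body) for one subpacket area."""
    out, pos = [], 0
    while pos < len(area):
        length, pos = read_subpacket_length(area, pos)
        if length == 0 or pos + length > len(area):
            raise ValueError("malformed subpacket at offset %d" % pos)
        tag = area[pos]
        out.append((tag & 0x7F, bool(tag & 0x80), bytes(area[pos + 1:pos + length])))
        pos += length
    return out


def parse_v4_signature(body):
    """Parse a v4 signature packet body (packet header already stripped)."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    sig_type = body[1]
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed_area = body[6:6 + hlen]
    pos = 6 + hlen
    ulen = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed_area = body[pos + 2:pos + 2 + ulen]
    return {
        "sig_type": sig_type,
        "cert_level": CERT_LEVEL.get(sig_type),      # None for non-certifications
        "hashed": parse_subpackets(hashed_area),
        "unhashed": parse_subpackets(unhashed_area),
    }


def exportable_flag_location(sig):
    """Return (area, exportable); area is 'hashed', 'unhashed' or None if absent."""
    for area in ("hashed", "unhashed"):
        for sub_type, _critical, sub_body in sig[area]:
            if sub_type == SUBPKT_EXPORTABLE:
                return area, bool(sub_body[0])
    return None, True            # absent means exportable (RFC 4880 5.2.3.11)


def change_requires_new_signature(sig, new_level, new_exportable):
    """True if the wanted certification cannot be obtained by editing this one."""
    if sig["cert_level"] != new_level:
        return True              # the type byte is hashed: new level, new signature
    area, exportable = exportable_flag_location(sig)
    if exportable == new_exportable:
        return False
    return area == "hashed"      # an unhashed flag can be rewritten without re-signing


# --- constructed sample packets (dummies, not real signatures) ----------------
def _subpkt(sub_type, sub_body):
    return bytes([len(sub_body) + 1, sub_type]) + sub_body


def build_v4_body(sig_type, hashed_subs, unhashed_subs):
    hashed, unhashed = b"".join(hashed_subs), b"".join(unhashed_subs)
    return (bytes([4, sig_type, 1, 8])                  # v4, type, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x12\x34"                               # left 16 bits of hash (dummy)
            + b"\x00\x01\x01")                          # dummy 1-bit MPI


CREATED = _subpkt(SUBPKT_CREATION_TIME, struct.pack(">I", 1454601600))
ISSUER = _subpkt(SUBPKT_ISSUER, bytes.fromhex("00000000DEADBEEF"))  # dummy key ID
NOT_EXPORTABLE = _subpkt(SUBPKT_EXPORTABLE, b"\x00")

# lsign at cert-level 2, flag in the unhashed area (the layout the quoted reply describes)
LSIG_LEVEL2_UNHASHED = build_v4_body(0x12, [CREATED], [ISSUER, NOT_EXPORTABLE])
# lsign at cert-level 2, flag in the hashed area
LSIG_LEVEL2_HASHED = build_v4_body(0x12, [CREATED, NOT_EXPORTABLE], [ISSUER])
# ordinary exportable sign at cert-level 0 (no type-4 subpacket at all)
SIG_LEVEL0 = build_v4_body(0x10, [CREATED], [ISSUER])

if __name__ == "__main__":
    for name, raw in [("lsign/unhashed", LSIG_LEVEL2_UNHASHED),
                      ("lsign/hashed", LSIG_LEVEL2_HASHED), ("sign", SIG_LEVEL0)]:
        sig = parse_v4_signature(raw)
        area, exportable = exportable_flag_location(sig)
        print("%-15s level=%s exportable=%s flag_in=%s promote_needs_resign=%s" % (
            name, sig["cert_level"], exportable, area,
            change_requires_new_signature(sig, sig["cert_level"], True)))
```

On a real keyring the same check can be made with `gpg --export KEYID | gpg --list-packets`, whose output labels each subpacket as "hashed subpkt 4 ..." or plain "subpkt 4 ..." depending on the area. One caveat for anyone relying on this: the unhashed area is not protected by the signature at all, so a non-exportable flag found there carries no assurance that the signer put it there, which is also why a level change (in the hashed type byte) can never be made by editing an existing signature.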
