GnuPG and the debian-archive-keyring

Peter Lebbing peter at
Sun Jan 31 19:13:38 CET 2016

On 31/01/16 16:07, stebe at wrote:
> Hi,
> recently, I refreshed some keys of my GnuPG public keyring, did a check
> and learned that 
> 1) the RSA key 46925553 Debian Archive Automatic Signing Key (7.0/wheezy)
> <ftpmaster at> has been revoked [output translated into English in
> square brackets]. 

I see this more often. This seems like a suboptimal way to communicate on an
English list.

Presuming you have the environment variable LANG=de_DE.UTF-8 set, you could
invoke gpg2 as follows:

$ LANG=C.UTF-8 gpg2 --edit-key 0x46925553

And it will communicate with you in the standard C locale, which will have
English language.

My l10n-foo is not up to snuff, so I might have details wrong. The funny thing
is, if you specify nonsense it will fall back to the C locale, AFAIK, so I might
actually be specifying nonsense, but I think I'm doing it right. It might be
that LANG=C.UTF-8 is a dumb way to say LANG=C .

If you want to override any more complex locale settings, you could do:

$ LC_ALL=C.UTF-8 gpg2 ...

or perhaps

$ LC_ALL=C gpg2 ...

But to get back to your remark:

I think you interpreted it wrong. Primary key 46925553 revoked an encryption
subkey ADD6B7E2. "Der folgende Schlüssel"! And then comes ADD6B7E2.

I don't know if there is an option to look at revocation reasons... which seems
a rather big lack in my knowledge, how did this come about? Anyway, apart from
my frustrations, you can actually look at it:

> $ gpg2 --export 0x46925553|gpg2 --list-packets  
> # off=0 ctb=99 tag=6 hlen=3 plen=525
> :public key packet:
>         version 4, algo 1, created 1335553717, expires 0
>         pkey[0]: [4096 bits]
>         pkey[1]: [17 bits]
>         keyid: 8B48AD6246925553
> [...]
> # off=11947 ctb=b9 tag=14 hlen=3 plen=525
> :public sub key packet:
>         version 4, algo 1, created 1335553717, expires 0
>         pkey[0]: [4096 bits]
>         pkey[1]: [17 bits]
>         keyid: 85215E51ADD6B7E2
> [...]
> # off=13027 ctb=89 tag=2 hlen=3 plen=630
> :signature packet: algo 1, keyid 8B48AD6246925553
>         version 4, created 1395098327, md5len 0, sigclass 0x28
>         digest algo 8, begin of digest 5c 81
>         hashed subpkt 2 len 4 (sig created 2014-03-17)
>         hashed subpkt 29 len 88 (revocation reason 0x03 (This key is used for signing only. The encryption subkey was never intended to be used.))
>         subpkt 16 len 8 (issuer key ID 8B48AD6246925553)
>         data: [4096 bits]

So it was a simple mistake: they added an encryption subkey. To keep
debian-archive-keyring clean, they don't include it there, but keyservers are
like elephants and never forget.

> 2) Moreover, I learned that the RSA key 2B90D010 Debian Archive Automatic
> Signing Key (8/jessie) <ftpmaster at> may (may?) have been revoked
> by, well, I am not sure by which key, as gpg's output is as follows:
> gpg2 --edit-key 0x2B90D010
> Dieser Schlüssel könnte durch RSA mit Schlüssel CA1CF964 [?]  widerrufen
> worden sein
> [This key may have been revoked by RSA key CA1CF964 [?]]
> Dieser Schlüssel könnte durch RSA mit Schlüssel B12525C4 [?]  widerrufen
> worden sein
> Dieser Schlüssel könnte durch RSA mit Schlüssel 15B0FD82 [?]  widerrufen
> worden sein

I suppose you don't have those keys. Neither did I, and that was the message I
got. I thought that this would have been due to not having those keys. After
all, how could you validate a revocation without the key that made that
revocation signature? But even with those keys, and even with them made fully
valid by signatures on those keys, it will still say this:

> $ gpg2 --recv-keys CA1CF964 B12525C4 15B0FD82
> [...]
> $ gpg2 --edit-key 0x2B90D010
> gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> This key may be revoked by RSA key CA1CF964 Ansgar Burchardt <ansgar at>
> This key may be revoked by RSA key B12525C4 Joerg Jaspert <joerg at>
> This key may be revoked by RSA key 15B0FD82 Mark Hymers <mhy at>

I think this is simply the message GnuPG gives for keys with designated
revokers. I don't know why it is saying that, somebody else will need to answer
that question.

Note that it says "may be revoked", which seems a different verb inflection than
"könnte widerrufen worden sein", which to me indeed sounds like "may have been
revoked". Is this a translation error and should it have been "kann widerrufen
werden" or something like that? I have to admit my grasp of German is mostly
passive: I can read it slowly, I can follow it if people articulate well, but
actively producing German is mainly good for laughs.

> What kind of ambiguous output is "may" and "?" I hold gpg to be a program
> that would not be vague, and maybe it isn't, and it's just me who does not
> understand. But what on earth might be the reason for giving an output
> like that? What does it mean? How can I check further if it actually has
> been revoked?

I'd like to know that as well!


I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list