GnuPG and the debian-archive-keyring

stebe at stebe at
Sun Jan 31 23:55:06 CET 2016


> Peter Lebbing <peter at> hat am 31. Januar 2016 um 19:13
> geschrieben:

> On 31/01/16 16:07, stebe at wrote:
>> Hi,
>> recently, I refreshed some keys of my GnuPG public keyring, did a check
>> and learned that 
>> 1) the RSA key 46925553 Debian Archive Automatic Signing Key
>> (7.0/wheezy)
>> <ftpmaster at> has been revoked [output translated into English
>> in
>> square brackets]. 

> I see this more often. This seems like a suboptimal way to communicate
> on an
> English list.

Well, maybe you're right. I didn't think of changing it.


> If you want to override any more complex locale settings, you could do:
> $ LC_ALL=C.UTF-8 gpg2 ...
> or perhaps
> $ LC_ALL=C gpg2 ...

I have a system pretty soundly localized, but those two commands worked,
thanks. Simply putting LANG=C didn't work.

> But to get back to your remark:
> I think you interpreted it wrong. Primary key 46925553 revoked an
> encryption
> subkey ADD6B7E2. "Der folgende Schlüssel"! And then comes ADD6B7E2.

Indeed. I got it wrong. See the message in reply to Werner.

> I don't know if there is an option to look at revocation reasons...
> which seems
> a rather big lack in my knowledge, how did this come about? Anyway,
> apart from
> my frustrations, you can actually look at it:

> $ gpg2 --export 0x46925553|gpg2 --list-packets  
> # off=0 ctb=99 tag=6 hlen=3 plen=525
> So it was a simple mistake: they added an encryption subkey. To keep
> debian-archive-keyring clean, they don't include it there, but
> keyservers are
> like elephants and never forget.

OK, thanks, you have opened my eyes. :-) I didn't know this particular
command pipe. My apologies to all Debian people.

>> 2) Moreover, I learned that the RSA key 2B90D010 Debian Archive
>> Automatic
>> Signing Key (8/jessie) <ftpmaster at> may (may?) have been
>> revoked
>> by, well, I am not sure by which key, as gpg's output is as follows:
>> gpg2 --edit-key 0x2B90D010
>> Dieser Schlüssel könnte durch RSA mit Schlüssel CA1CF964 [?]
>>  widerrufen
>> worden sein
>> [This key may have been revoked by RSA key CA1CF964 [?]]
>> Dieser Schlüssel könnte durch RSA mit Schlüssel B12525C4 [?]
>>  widerrufen
>> worden sein
>> Dieser Schlüssel könnte durch RSA mit Schlüssel 15B0FD82 [?]
>>  widerrufen
>> worden sein

> I suppose you don't have those keys. Neither did I, and that was the
> message I
> got. I thought that this would have been due to not having those keys.
> After
> all, how could you validate a revocation without the key that made that
> revocation signature? But even with those keys, and even with them made
> fully
> valid by signatures on those keys, it will still say this:

In my case, the English output is as follows.

LC_ALL=C gpg2 --edit-key 0x2B90D010
This key may be revoked by RSA key CA1CF964 [?]
This key may be revoked by RSA key B12525C4 [?]
This key may be revoked by RSA key 15B0FD82 [?]
pub  4096R/2B90D010  created: 2014-11-21  expires: 2022-11-19  usage: SC  
                     trust: unknown       validity: unknown
[ unknown] (1). Debian Archive Automatic Signing Key (8/jessie)
<ftpmaster at>

Now I understand. The German translation is misleading and should be
improved. I'll file a bug report.
> Note that it says "may be revoked", which seems a different verb
> inflection than
> "könnte widerrufen worden sein", which to me indeed sounds like "may
> have been
> revoked". Is this a translation error and should it have been "kann
> widerrufen
> werden" or something like that? I have to admit my grasp of German is
> mostly
> passive: I can read it slowly, I can follow it if people articulate
> well, but
> actively producing German is mainly good for laughs.

You're right with your supposition. The German wording should positively
be changed. It makes people think that the action of revoking may have
already been carried out, whereas the English informs of the keys'
ability/capacity to revoke the key.

Thanks a lot.


More information about the Gnupg-users mailing list