signatures from revoked key, trusted?

C. Rossberg cr at
Fri Sep 2 17:52:52 CEST 2016

Hi Gabriel,

> I have just noticed I had signed his key with my old key, which is now
> revoked in my keyring. So why does GnuPG consider the signature
> correct?

'Correctness' refers to the result of the process of 'verifying a
signature' - this has nothing to do with 'trusting a key'.

Correctness and trust belong to different realms.
You need to separate both concepts.

gpg(1) labels a signature as 'good' in order to attest that the file it
just verified 

- (a) has indeed been signed by a specific private key(!) and
- (b) that this file hasn't been modified in any way on its way to you.

gpg(1) does this by 'relating' your friend's public key(!) to this key's

(More information, esp. last paragraph.

'trust' - on the other hand - describes how thoroughly you have checked
the relation of ownership(!) between the key and the one who claims to own

(More Information

If Person_X claims to own Some_PubKey and you have checked successfully,
that Person_X really does own it, you may start to give Person_X's key a
trust-value of 'enough'. (Now Some_PubKey appears to be Person_X's key.)

To wrap it up: 'verifying' is 'checking a checksum' - and a particular
checksum may be 'correct' even if you don't trust the key.

Hope that solves at least one of your questions.
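As an added example that is not part of the post above: a small Python parser that keeps the two verdicts apart when reading gpg's machine-readable `--status-fd` output, so that a "correct signature" answer and a "trusted key" answer are never collapsed into one. The status lines are constructed for illustration; the keyword names follow GnuPG's status interface (doc/DETAILS).

```python
# Added example: split a gpg --status-fd report into the two separate
# verdicts the post describes: (1) is the signature correct, (2) how far
# is the key trusted. The sample status lines below are constructed; the
# keyword names follow GnuPG's status interface (doc/DETAILS).
from dataclasses import dataclass

# A signature by a revoked or expired key is still a correct checksum;
# only the state of the key differs, so these all count as "correct".
CORRECT_SIG = {"GOODSIG", "REVKEYSIG", "EXPKEYSIG", "EXPSIG"}
INCORRECT_SIG = {"BADSIG", "ERRSIG"}
TRUST_LEVELS = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
                "TRUST_FULLY", "TRUST_ULTIMATE"}

@dataclass
class Verdict:
    signature_correct: bool   # realm 1: verification result
    key_id: str
    key_revoked: bool         # realm 2: state of the key
    trust: str                # realm 2: trust level gpg reported

    def safe_to_rely_on(self):
        # Both realms must agree before the file should be relied on.
        return (self.signature_correct and not self.key_revoked
                and self.trust in {"TRUST_FULLY", "TRUST_ULTIMATE"})

def classify(status_text):
    """Parse '[GNUPG:] KEYWORD args...' lines into a Verdict."""
    correct, key_id, revoked, trust = False, "", False, "TRUST_UNDEFINED"
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary stderr text, not a status line
        fields = line.split()
        keyword = fields[1]
        if keyword in CORRECT_SIG:
            correct, key_id = True, fields[2]
        elif keyword in INCORRECT_SIG:
            correct, key_id = False, (fields[2] if len(fields) > 2 else "")
        if keyword in ("KEYREVOKED", "REVKEYSIG"):
            revoked = True
        if keyword in TRUST_LEVELS:
            trust = keyword
    return Verdict(correct, key_id, revoked, trust)

# Constructed report for the situation in the thread: a signature made
# with a key that has since been revoked in the local keyring.
REVOKED_KEY_REPORT = """\
[GNUPG:] NEWSIG
[GNUPG:] KEYREVOKED
[GNUPG:] REVKEYSIG 0123456789ABCDEF Friend <friend@example.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
```

Running `classify(REVOKED_KEY_REPORT)` yields `signature_correct=True` together with `key_revoked=True`, which is exactly the "good signature, untrusted key" combination the post explains.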
