signatures from revoked key, trusted?

Ludwig Hügelschäfer mlisten at hammernoch.net
Fri Sep 2 21:39:34 CEST 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 02.09.16 11:13, Gabriel Philippe wrote:
> Hi,
> 
> A friend sends me signed messages which signature is said correct
> by GnuPG: "good signature from...".

"Good signature" _always_ means it is "good" in the cryptographical
technical sense: Your copy of the public key states that it comes from
the same source as the key owning entity. It does _not_ state that the
key is "valid" or that it belongs to the person stated by the user id
attached to the key.

> I have just noticed I had signed his key with my old key, which is
>  now revoked in my keyring. So why does GnuPG consider the
> signature correct? I would expect that, since I have revoked my old
> key, all certifications done with this key should not be trusted
> anymore.

GnuPG issues a respective warning; a test by verifying an old signed
mail with an old revoked key yields:

! gpg: Signature made Thu Jun 12 22:35:47 2008 CEST using RSA key ID
! <keyId>
! gpg: Good signature from <uid>
! gpg: WARNING: This key has been revoked by its owner!
! gpg:          This could mean that the signature is forged.

Ludwig
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
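
The distinction drawn in this reply can be enforced in a script by reading GnuPG's machine-readable status lines (`gpg --status-fd 1 --verify ...`) instead of the human-readable "Good signature" text. The following is an added example, not part of the original message: the status keywords are the ones GnuPG documents in doc/DETAILS, while the function names, key ID, user ID and sample status output are constructed for illustration.

```python
"""Classify `gpg --status-fd 1 --verify` output (added example)."""

PREFIX = "[GNUPG:] "

# Signature status keywords documented in GnuPG's doc/DETAILS.
SIG_STATES = {
    "GOODSIG": "good",
    "REVKEYSIG": "good-but-key-revoked",   # the case shown in the reply
    "EXPKEYSIG": "good-but-key-expired",
    "EXPSIG": "good-but-signature-expired",
    "BADSIG": "bad",
    "ERRSIG": "unverifiable",
}
# Key validity levels this (hypothetical) policy is willing to accept.
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}


def classify(status_text):
    """Return ([(state, key_id), ...], validity_keyword_or_None)."""
    sigs, validity = [], None
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue  # ignore human-readable "gpg: ..." lines
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword in SIG_STATES:
            key_id = fields[1] if len(fields) > 1 else None
            sigs.append((SIG_STATES[keyword], key_id))
        elif keyword.startswith("TRUST_"):
            validity = keyword
    return sigs, validity


def accept(status_text):
    """Fail closed: exactly one signature, good, made by a key that is valid."""
    sigs, validity = classify(status_text)
    return len(sigs) == 1 and sigs[0][0] == "good" and validity in TRUSTED


# Constructed sample status output (key ID and user ID are placeholders).
UID = "Alice Example <alice@example.org>"
REVOKED = f"gpg: Good signature from {UID}\n[GNUPG:] REVKEYSIG 0123456789ABCDEF {UID}\n"
GOOD_UNCERTIFIED = f"[GNUPG:] GOODSIG 0123456789ABCDEF {UID}\n[GNUPG:] TRUST_UNDEFINED\n"
GOOD_VALID = f"[GNUPG:] GOODSIG 0123456789ABCDEF {UID}\n[GNUPG:] TRUST_FULLY\n"
```

`REVOKED` and `GOOD_UNCERTIFIED` are both rejected: the first because the signing key is revoked, the second because a cryptographically good signature says nothing about whether the key is valid for the stated user ID.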


