signatures from revoked key, trusted?
mlisten at hammernoch.net
Fri Sep 2 21:39:34 CEST 2016
On 02.09.16 11:13, Gabriel Philippe wrote:
> A friend sends me signed messages whose signature is said to be correct
> by GnuPG: "good signature from...".
"Good signature" _always_ means it is "good" in the cryptographical
technical sense: Your copy of the public key states that it comes from
the same source as the key-owning entity. It does _not_ state that the
key is "valid" or that it belongs to the person stated by the user id
attached to the key.
> I have just noticed I had signed his key with my old key, which is
> now revoked in my keyring. So why does GnuPG consider the
> signature correct? I would expect that, since I have revoked my old
> key, all certifications done with this key should not be trusted
GnuPG issues a respective warning; a test by verifying an old signed
mail with an old revoked key yields:
! gpg: Signature made Thu Jun 12 22:35:47 2008 CEST using RSA key ID
! gpg: Good signature from <uid>
! gpg: WARNING: This key has been revoked by its owner!
! gpg: This could mean that the signature is forged.
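An added example, not part of this mail or of GnuPG itself, showing why a script should act on GnuPG's machine-readable status lines (--status-fd, keywords as documented in GnuPG's doc/DETAILS) rather than grepping the human-readable "Good signature" text: a signature by a revoked key is reported as REVKEYSIG/KEYREVOKED, not as GOODSIG. The status samples, key IDs and user IDs below are constructed placeholders, and the example assumes one signature per message.

```python
# Constructed sample of --status-fd output for a signature made by a
# key that has since been revoked (key IDs and user IDs are placeholders).
SAMPLE_STATUS_REVOKED = """\
[GNUPG:] NEWSIG
[GNUPG:] KEYREVOKED
[GNUPG:] REVKEYSIG 0123456789ABCDEF Example User <user at example.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed sample for a good signature from a fully trusted key.
SAMPLE_STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Another User <another at example.org>
[GNUPG:] TRUST_FULLY 0 pgp
"""

PREFIX = "[GNUPG:] "


def parse_status(status_text: str) -> dict:
    """Map each status keyword to its argument string (may be empty)."""
    tags = {}
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue  # ignore anything that is not a status line
        parts = line[len(PREFIX):].split(maxsplit=1)
        tags[parts[0]] = parts[1] if len(parts) > 1 else ""
    return tags


def verdict(status_text: str) -> str:
    """Classify a verification run, most severe condition first."""
    tags = parse_status(status_text)
    if "BADSIG" in tags:
        return "bad"                     # cryptographic check failed
    if "ERRSIG" in tags or "NO_PUBKEY" in tags:
        return "unverifiable"            # no key, or unsupported algorithm
    if "REVKEYSIG" in tags or "KEYREVOKED" in tags:
        return "good-but-revoked-key"    # the "Good signature" + WARNING case
    if "EXPKEYSIG" in tags:
        return "good-but-expired-key"
    if "GOODSIG" in tags:
        if "TRUST_FULLY" in tags or "TRUST_ULTIMATE" in tags:
            return "good-and-trusted"    # crypto good AND key valid/trusted
        return "good-but-untrusted"      # crypto good, key validity unknown
    return "no-signature"


def acceptable(status_text: str) -> bool:
    """Only a good signature from a trusted, unrevoked key is accepted."""
    return verdict(status_text) == "good-and-trusted"
```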