GPGME python bindings query

Jacob Adams tookmund at
Sat Jul 14 00:00:07 CEST 2018

(Redirecting to -users since that seems more appropriate)

On 07/12/2018 10:42 PM, Ben McGinnes wrote:
> On Tue, Jul 10, 2018 at 01:01:10PM -0400, Jacob Adams wrote:
>> I would prefer to use the automatically generated certificate as it
>> also comes with some useful explanation text, but the problem I'm
>> having is that there is no way to trigger this generation from GPGME
>> and it appears to happen whenever you generate your first subkey (or
>> perhaps your first signing subkey, haven't dug that much into it).
> It's generated with the certification key and this comment indicates
> there may be a little misunderstanding about the revocation
> certificate.  It's used to revoke an entire key, including subkeys and
> it does this by the simple expedient of revoking the certification
> key.  Once the certification key is revoked, the certification
> signatures can't be validated without throwing the disabled key errors
> which prevent the subkeys from being used.
> So even if subkeys are added later, there are no additional revocation
> certificates generated for the subkeys.  Which is why you'll find .rev
> files in $GNUPGHOME/openpgp-revocs.d/ directory matching the
> fingerprint of the primary key, but nothing for the subkeys; while the
> $GNUPGHOME/private-keys-v1.d/ is populated with multiple .key files
> matching the keygrips for all the keys and subkeys generated.

Oh ok that makes a lot more sense now!
Most of what I know about GPG is just picked up from random Internet
tutorials of dubious quality so I end up with a very spotty
understanding of how all this works. Thank you for the clear overview.

>> and a random extra password prompt
> There are no random extra password prompts, they're all necessary for
> a secure system.

Sorry random was the wrong word here. I meant only that the generation
of this revocation certificate seems to happen later than I would
expect. (Actually I was entirely wrong here about the order of events
anyway, see below.)

>> for the revocation certificate that I can't control doesn't really
>> help there. If there's some way I could manually trigger this
>> process that would be great.
> It should have already occurred when the key was first generated.  The
> only time it needs to be done manually is when issuing a specific
> revocation certificate with a less generic revocation reason or if the
> key was generated with an older version of GPG that did not generate
> such a certificate by default.
When I don't generate my own revocation certificate, I get a second
password prompt when generating the first subkey. I had been assuming
that this was for the revocation certificate, but some testing confirms
that the certificate already exists before this. I'm still not sure why
I would be getting a second prompt however. Any ideas?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Gnupg-users mailing list