Is replacing a revoked signature valid?

Michał Górny mgorny at gentoo.org
Fri Nov 1 19:50:13 CET 2019


Hi,

Gentoo recently started signing UIDs on the keys of our developers.
As part of the system, we revoke signatures of developers who resign.
However, some eventually return and if they return with the same key,
we have a problem.

When I try to sign the key (again), I get the following error:

"[redacted] <xxx at gentoo.org>" was already signed by key XXXX
Nothing to sign with key XXX
gpg: Key not changed so no update needed.


However, the original signature was revoked, so it's obviously no longer
valid.  Now, I am able to work around this by deleting the old
signatures from the local copy of the key, and signing it afterwards.  After
refreshing to get the old signature back along with its revocation, GPG
seems to still consider the key valid (wrt the new signature).

My question: is the end result correct?  That is, is it portable to have
two signatures made using the same key, with one of them revoked
and the other not?  Is GnuPG refusing to make a new signature when
the old one is revoked a bug?

-- 
Best regards,
Michał Górny
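A script-level check for the state this mail describes (a certification from one signing key that was revoked, then made again on the same key), added here as an example and not part of the original mail. It parses `gpg --with-colons --list-sigs` output; the key IDs and records are constructed samples, and treating a certification as valid when it postdates the newest revocation from the same signer is an assumption.

```shell
#!/bin/sh
# Classify, per user ID, the state of certifications made by one signing key,
# from `gpg --with-colons --list-sigs` output.
# Assumption: a certification counts as valid when its creation time is later
# than the newest revocation ("rev" record) by the same signer on that UID.
# Colon-record fields used: $1 record type, $5 signer key ID,
# $6 creation time (seconds since epoch), $10 user ID.

# Constructed sample output for one developer key. Hypothetical signing key
# FEDCBA9876543210 certified the first UID, revoked that certification, then
# certified it again later; the second UID only carries the revoked one.
SAMPLE='pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::0000000000000000000000000000000000000000::Dev Example <dev@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1500000000::::Dev Example <dev@example.org>:13x:::::2:
sig:::1:FEDCBA9876543210:1510000000::::Gentoo Keys <keys@example.org>:10x:::::2:
rev:::1:FEDCBA9876543210:1520000000::::Gentoo Keys <keys@example.org>:30x:::::2:
sig:::1:FEDCBA9876543210:1570000000::::Gentoo Keys <keys@example.org>:10x:::::2:
uid:u::::1500000000::1111111111111111111111111111111111111111::Dev Example <dev@example.net>::::::::::0:
sig:::1:FEDCBA9876543210:1510000000::::Gentoo Keys <keys@example.org>:10x:::::2:
rev:::1:FEDCBA9876543210:1520000000::::Gentoo Keys <keys@example.org>:30x:::::2:'

# cert_state SIGNER_KEYID  < colon-output
# Prints "<state><TAB><uid>" per UID: valid, revoked (only revoked
# certifications remain), or none (signer never certified this UID).
cert_state() {
    awk -F: -v signer="$1" '
        function flush() {
            if (uid != "") {
                state = (last_sig > last_rev) ? "valid" : (last_rev > 0 ? "revoked" : "none")
                print state "\t" uid
            }
        }
        $1 == "uid" { flush(); uid = $10; last_sig = 0; last_rev = 0 }
        $1 == "sig" && $5 == signer { if ($6 + 0 > last_sig) last_sig = $6 + 0 }
        $1 == "rev" && $5 == signer { if ($6 + 0 > last_rev) last_rev = $6 + 0 }
        END { flush() }'
}

printf '%s\n' "$SAMPLE" | cert_state FEDCBA9876543210
```

Against a real keyring, replace the sample with `gpg --with-colons --list-sigs KEYID | cert_state SIGNER` to list which UIDs still need a fresh certification.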
