Is replacing a revoked signature valid?
codeguro at gmail.com
Fri Nov 1 20:53:31 CET 2019
On 11/1/19 2:50 PM, Michał Górny via Gnupg-users wrote:
> However, the original signature was revoked, so it's obviously no longer
> valid. Now, I am able to work around this by deleting the old
> signatures from the local copy of the key, and signing it afterwards. After
> refreshing to get the old signature back along with its revocation, GPG
> seems to still consider the key valid (wrt new signature).
> My question: is the end result correct? That is, is it portable to have
> two signatures made using the same key, with one of them revoked
> and the other not? Is GnuPG refusing to make a new signature when
> the old one is revoked a bug?
The result is correct. When you revoke a signature, your exported signatures
will have the revocation of that key/signature. So it makes no sense to
sign it twice. You are better off instead cleaning your key such that the
revoked key(s) and any other IDs no longer usable (expired, for instance)
are removed entirely. This will allow you to sign them "afresh" again.