Is replacing a revoked signature valid?

Tony Lane codeguro at gmail.com
Fri Nov 1 20:53:31 CET 2019


On 11/1/19 2:50 PM, Michał Górny via Gnupg-users wrote:
> However, the original signature was revoked, so it's obviously no longer
> valid.  Now, I am able to work around this by deleting the old
> signatures from local copy of the key, and signing it afterwards.  After
> refreshing to get the old signature back along with its revocation, GPG
> seems to still consider the key valid (wrt new signature).
> 
> My question: is the end result correct?  That is, is it portable to have
> two signatures made using the same key, with one of them revoked
> and the other not?  Is GnuPG refusing to make a new signature when
> the old one is revoked a bug?

The result is correct. When you revoke a signature, your exported signatures
will have the revocation of that key/signature. So it makes no sense to
sign it twice. You are better off instead cleaning your key such that the
revoked key(s) and any other IDs no longer usable (expired, for instance)
are removed entirely. This will allow you to sign them "afresh" again.
See https://gnupg.org/documentation/manuals/gnupg/OpenPGP-Key-Management.html#index-keyedit_003aclean
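As an added illustration, not code from the thread or from GnuPG, the following Python model captures the rule the answer relies on: a certification revocation only cancels the same signer's certifications that are not newer than it, so a certification made after the revocation stands on its own, and a `clean` pass just drops the dead material. Fingerprints and timestamps are constructed, and the rule and the simplified `clean` are stated as assumptions about the behaviour described above, not as GnuPG's actual implementation.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """One certification over a user ID, or a certification-revocation packet."""
    signer: str                    # fingerprint of the certifying key (constructed)
    created: int                   # creation time, seconds since the epoch (constructed)
    revocation: bool = False       # True if this packet revokes an earlier certification
    expires: Optional[int] = None  # signature expiry time, None if it never expires


def usable(cert: Cert, certs: List[Cert], now: int) -> bool:
    """Is this single certification still counted?  (Model, not GnuPG's code.)

    Assumed rule: a revocation by the same signer cancels only certifications
    created at or before the revocation's own timestamp; a later certification
    is untouched by it.  Expired certifications never count.
    """
    if cert.revocation:
        return False
    if cert.expires is not None and cert.expires <= now:
        return False
    return not any(r.signer == cert.signer and r.revocation and r.created >= cert.created
                   for r in certs)


def is_certified_by(certs: List[Cert], signer: str, now: int) -> bool:
    """Does `signer` currently hold a valid certification on this user ID?"""
    return any(c.signer == signer and usable(c, certs, now) for c in certs)


def clean(certs: List[Cert], now: int) -> List[Cert]:
    """Simplified model of `--edit-key <key> clean`: keep only usable certifications.

    Assumption: revoked and expired certifications are dropped, and a revocation
    packet that no longer cancels anything is dropped with them, which is what
    lets the same signer certify the user ID afresh.
    """
    return [c for c in certs if usable(c, certs, now)]


# Constructed history for one user ID: signer "A" certifies, revokes, then re-certifies.
HISTORY = [
    Cert(signer="A", created=100),                   # original certification
    Cert(signer="A", created=200, revocation=True),  # revocation of the above
    Cert(signer="A", created=300),                   # fresh certification after the revocation
]
```

With `HISTORY` the revoked 100-second certification is dead but the 300-second one is honoured, so `is_certified_by(HISTORY, "A", 400)` is true, and `clean(HISTORY, 400)` leaves only the fresh certification.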
