[PATCH] gpg: Exclude revoked UTKs from the key validation process.
Philip
pl at gnupg.org
Mon Jun 15 14:14:05 CEST 2026
Hi,
thank you for the report.
On Sun, 7 Jun 2026 18:36:53 +0200
Glop via Gnupg-devel <gnupg-devel at gnupg.org> wrote:
> In order to reproduce this:
> 1. Generate a new public/secret key pair (say, MyKey).
> 2. Import a new public key in the keyring (say, OtherKey).
> 3. Sign OtherKey using MyKey.
> 4. Check that OtherKey has now `full` validity.
> 5. Revoke MyKey.
> 6. Run `gpg --check-trustdb` to forcefully update the trust DB.
> 7. Check the validity of OtherKey: it still shows `full`, while
> it should in fact be `unknown`, since MyKey's signature should
> not be trusted anymore.
>
> I tried this on the GnuPG 2.4 and 2.5 branches, and both are impacted.
I could not reproduce this with GnuPG 2.4.9 and 2.5.20.
After step 6 (`gpg --check-trustdb`), the formerly "[ full ]" trusted
key is shown with "[ unknown]" trust.
In your test, was the 'OtherKey' maybe signed by any other keys than
'MyKey'?
Philip