How can certifications of revoked keys be detected? Invalid key shown as valid...

Hauke Laging mailinglisten at hauke-laging.de
Thu Nov 8 05:47:16 CET 2012


Hello,

I just made some tests to find out how gpg reacts to the listing of signatures 
if a key is revoked. Unfortunately I cannot find any difference. I ran 
--check-trustdb after the revocation, but the certification of the revoked key 
is still listed as

sig!2

--edit-key check
does not show any difference either. I do not even find anything about that 
in the documentation. It says for --check-sigs:

«A "!" indicates that the signature has been successfully verified, a "-" 
denotes a bad signature and a "%" is used if an error occurred while checking 
the signature (e.g. a non supported algorithm).»

Is a signature of a revoked key a "bad signature"? If not, how is that status 
displayed? I have not found any information about that in the documentation.

Even worse: The validity of the key was calculated wrongly because the 
certifications were treated like ones from a valid key:

start cmd:> gpg --list-keys 0x756A032D
pub   1024R/0x756A032D 2012-11-07
uid         [ vollst.] import this uid
uid         [ vollst.] unsigned uid

("vollst." is German for "complete"). I had set the ownertrust level for this 
key to "marginal" (it's a test key for which I have the private key). Then I 
deleted the signatures of the revoked key. After that the key validity was 
shown as "unknown" ("unbek." in the German output):

start cmd:> gpg --list-keys 0x756A032D
gpg: "Trust-DB" wird überprüft
[...]
pub   1024R/0x756A032D 2012-11-07
uid         [  unbek.] import this uid
uid         [  unbek.] unsigned uid

Is the web of trust really supposed to "work" this way? :-/

My Google search showed me a similar discussion, four years old:
http://bugs.g10code.com/gnupg/issue910
The --no-sig-cache option mentioned there didn't make any difference either.

start cmd:> gpg --version
gpg (GnuPG) 2.0.18
libgcrypt 1.5.0


Hauke
-- 
☺
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (seit 2012-11-04)
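Since gpg itself reports "sig!" for these certifications, one way to spot them is to post-process the machine-readable listing. The following is an added example for this thread (not code from the original message or from GnuPG): it reads `gpg --with-colons --check-sigs` output, collects the key IDs gpg marks as revoked, and flags every user-ID certification made by one of them. The listing below is constructed sample data; the key IDs are made up, only the user IDs come from the post.

```python
"""Flag certifications that were made by a revoked key.

Added example for this thread, not code from the original message or from
GnuPG. It post-processes `gpg --with-colons --check-sigs` output, relying on
the documented colon format: field 1 = record type, field 2 = validity
('r' on a pub record means revoked; on a sig record it is the check result
'!', '-', '%' or '?'), field 5 = key ID (on sig records, the signer's key ID),
field 10 = user ID, field 11 = signature class ("13x" etc.).
"""

# Constructed sample listing (not real keys): 1111111111111111 is revoked and
# has certified "import this uid" on 2222222222222222, a stand-in for the
# 0x756A032D test key in the post. "unsigned uid" carries only a self-sig.
SAMPLE = """\
pub:r:2048:1:1111111111111111:1351900000::::::::
uid:r::::1351900000::AAAA::revoked signer <r@example.invalid>::::::::
sig:!::1:1111111111111111:1351900000::::revoked signer <r@example.invalid>:13x::
pub:f:1024:1:2222222222222222:1352246400:::m::::
uid:f::::1352246400::BBBB::import this uid::::::::
sig:!::1:2222222222222222:1352246400::::import this uid:13x::
sig:!::1:1111111111111111:1352250000::::revoked signer <r@example.invalid>:13x::
uid:f::::1352246400::CCCC::unsigned uid::::::::
sig:!::1:2222222222222222:1352246400::::unsigned uid:13x::
"""

CERT_CLASSES = {"10", "11", "12", "13"}  # user-ID certification signature classes


def certs_from_revoked_keys(colons: str) -> list[tuple[str, str, str, str]]:
    """Return (certified key, uid, signer key, gpg status) for every
    certification whose signer key is marked revoked in the listing."""
    records = [line.split(":") for line in colons.splitlines() if line.strip()]
    # Pass 1: key IDs of primary keys that gpg lists as revoked.
    revoked = {r[4] for r in records if r[0] == "pub" and r[1] == "r"}
    hits = []
    key = uid = None
    # Pass 2: walk pub/uid/sig records, remembering which key and uid we are in.
    for r in records:
        if r[0] == "pub":
            key, uid = r[4], None
        elif r[0] == "uid":
            uid = r[9]
        elif r[0] == "sig" and uid is not None:
            signer, cls = r[4], r[10]
            # Skip self-signatures and anything that is not a uid certification.
            if signer != key and cls[:2] in CERT_CLASSES and signer in revoked:
                hits.append((key, uid, signer, r[1]))
    return hits


if __name__ == "__main__":
    for key, uid, signer, status in certs_from_revoked_keys(SAMPLE):
        print(f"{key} uid '{uid}': certified by revoked key {signer} (gpg shows sig{status})")
```

On a real keyring, feed it `gpg --with-colons --check-sigs` output; the revoked signer must be present in the same keyring for its pub record to appear with validity `r`.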