Unable to issue subkey revocation
Robert J. Hansen
rjh at sixdemonbag.org
Mon Jun 1 04:21:12 CEST 2026
> You might take a look at my forum posts.
> https://forum.gnupg.org/t/unable-to-issue-subkey-revocation/7288
> The subkey is not revoked.
As has been explained to you many times now, both here and in the forum,
revoking the primary key implicitly revokes all the subkeys which depend
upon it for validity.

$ gpg --fixed-list-mode --with-colons --list-sig B44427C7
[irrelevant certificate information removed]
pub:u:3072:1:1DCBDC01B44427C7:1437075659:::u:::scESC::::::23::0:
sub:u:3072:1:DC0F82625FA6AADE:1437075659::::::e::::::23:
sig:::1:1DCBDC01B44427C7:1437075659::::Robert J. Hansen <rob at hansen.engineering>:18x:::::8:

The first line, 'pub', identifies the root of my certificate. The second
line, 'sub', identifies a secondary chunk of key material -- a subkey.
The third line, 'sig', is my certificate root attesting that the subkey
should be trusted as coming from me.

When and if the pubkey gets revoked, the self-signature on subkeys
ceases to be trusted. After all, it's a signature from a revoked key.

A subkey without a trusted self-signature is a nullity. They're not
allowed to be used. It really is that simple.

I would point you to chapter and verse of the RFCs, but you've also said
in the forum that "I wouldn't trust modern RFCs."

We seem to be at an impasse. We are telling you facts and backing them
up by showing you the precise language of the RFC in which these facts
can be found, but you refuse to accept the RFC as a source of ground truth.

> This was a supplemental fix now broke, gen-revoke:
> https://blogs.gentoo.org/mgorny/2019/02/20/gen-revoke-extending-revocation-certificates-to-subkeys/
I am unaware of Gentoo ever filing a bug about this. If it's impacting
their workflow we'd love to hear from them about it. But it is also very
possible that you don't understand the problem that shellscript exists
to solve, and are misusing it yourself, and thinking that it's buggy
when it's not giving you the results you want.
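
Added example (not part of the original message, and not GnuPG's own code): a Python sketch that applies the rule described above to `--with-colons` records like the three shown. The helper names and the revoked-primary listing are constructed for illustration; field positions follow GnuPG's colon format (field 2 validity, field 5 key ID, field 11 signature class).

```python
# Added example: apply the "revoked primary invalidates its subkeys" rule
# to `gpg --with-colons` records. Field 1 = record type, field 2 = validity
# ('r' = revoked), field 5 = key ID, field 11 = signature class.

# The three records shown in the message above.
LIVE = """\
pub:u:3072:1:1DCBDC01B44427C7:1437075659:::u:::scESC::::::23::0:
sub:u:3072:1:DC0F82625FA6AADE:1437075659::::::e::::::23:
sig:::1:1DCBDC01B44427C7:1437075659::::Robert J. Hansen <rob at hansen.engineering>:18x:::::8:
"""
# Constructed variant: same certificate with the primary marked revoked.
REVOKED_PRIMARY = LIVE.replace("pub:u:", "pub:r:", 1)


def parse_keys(listing):
    """Group each sub record, and its binding signatures, under its pub record."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "validity": f[1], "subkeys": []})
        elif f[0] == "sub" and keys:
            keys[-1]["subkeys"].append({"keyid": f[4], "validity": f[1], "bound": False})
        elif f[0] == "sig" and len(f) > 10 and keys and keys[-1]["subkeys"]:
            # Class 0x18 is a subkey binding signature; it must come from the primary.
            if f[10].startswith("18") and f[4] == keys[-1]["keyid"]:
                keys[-1]["subkeys"][-1]["bound"] = True
    return keys


def subkey_status(primary, sub):
    """Only revocation and binding are checked here; expiry is out of scope."""
    if primary["validity"] == "r":
        return "unusable: primary key revoked"
    if sub["validity"] == "r":
        return "unusable: subkey revoked"
    if not sub["bound"]:
        return "unusable: no binding signature from primary"
    return "usable"


def report(listing):
    """Map each subkey ID to its effective status."""
    return {s["keyid"]: subkey_status(k, s)
            for k in parse_keys(listing) for s in k["subkeys"]}


if __name__ == "__main__":
    for name, data in (("live", LIVE), ("revoked primary", REVOKED_PRIMARY)):
        print(name, report(data))
```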