[pkg-gnupg-maint] Bug#1101007: regression: gpg --edit-key clean removes signature that was kept in 2.2.45
Uwe Kleine-König
ukleinek at debian.org
Mon Mar 24 15:55:20 GMT 2025
Hello,
On Fri, Mar 21, 2025 at 06:43:19PM +0100, Uwe Kleine-König wrote:
> Package: gnupg
> Version: 2.2.46-5
> Severity: normal
> X-Debbugs-Cc: ukleinek at debian.org
>
> Hello,
>
> uwe at taurus:~$ keyringgpghome="$(mktemp -d)"
>
> uwe at taurus:~$ gpg --homedir "$keyringgpghome" --locate-external-key tgamblin at baylibre.com u.kleine-koenig at baylibre.com
> gpg: keybox '/tmp/tmp.U5pMuWLasg/pubring.kbx' created
> gpg: /tmp/tmp.U5pMuWLasg/trustdb.gpg: trustdb created
> gpg: key E2DCDD9132669BD6: public key "Uwe Kleine-König <u.kleine-koenig at baylibre.com>" imported
> gpg: Total number processed: 1
> gpg: imported: 1
> gpg: no ultimately trusted keys found
> gpg: key B0D589D46708EC99: public key "Trevor Gamblin <tgamblin at baylibre.com>" imported
> gpg: Total number processed: 1
> gpg: imported: 1
> gpg: no ultimately trusted keys found
> pub rsa4096 2010-06-15 [SC] [expires: 2027-06-21]
> 0D2511F322BFAB1C1580266BE2DCDD9132669BD6
> uid [ unknown] Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> sub rsa2048 2023-03-17 [A] [expires: 2027-06-21]
> sub rsa2048 2023-03-17 [S] [expires: 2027-06-21]
> sub rsa2048 2023-03-17 [E] [expires: 2027-06-21]
>
> pub rsa4096 2024-11-19 [C] [expires: 2026-11-19]
> A3A9D4BDAB1069811F48D30EB0D589D46708EC99
> uid [ unknown] Trevor Gamblin <tgamblin at baylibre.com>
> sub cv25519 2024-11-19 [E]
> sub ed25519 2024-11-19 [S]
> sub ed25519 2024-11-19 [A]
>
> uwe at taurus:~$ gpg --homedir "$keyringgpghome" --list-sigs --with-colon E2DCDD9132669BD6 | grep -E '(^pub|^uid|B0D589D46708EC99)'
> pub:-:4096:1:E2DCDD9132669BD6:1276614694:1813572000::-:::scESCA::::::23:1742578410:4:
> uid:-::::1739887646::7E218F31504E286A852C2E05459BA0DC22FF34AE::Uwe Kleine-König <u.kleine-koenig at baylibre.com>:::::::::1742578410:4 https\x3a//openpgpkey.baylibre.com:
> sig:::1:B0D589D46708EC99:1732894509::::Trevor Gamblin <tgamblin at baylibre.com>:10x::A3A9D4BDAB1069811F48D30EB0D589D46708EC99:::10:
>
> So my key E2DCDD9132669BD6 has a signature by Trevor's key.
>
> uwe at taurus:~$ gpg --homedir "$keyringgpghome" --edit-key E2DCDD9132669BD6 clean save
> gpg (GnuPG) 2.2.46; Copyright (C) 2024 g10 Code GmbH
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
>
> pub rsa4096/E2DCDD9132669BD6
> created: 2010-06-15 expires: 2027-06-21 usage: SC
> trust: unknown validity: unknown
> The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> sub rsa2048/DB334D9FBE6A05BF
> created: 2015-01-11 revoked: 2023-03-17 usage: A
> The following key was revoked on 2015-01-11 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> sub rsa4096/3C3A2D28B94A2928
> created: 2010-06-15 revoked: 2015-01-11 usage: E
> The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> sub rsa2048/C1FC1478ADCAEC09
> created: 2015-01-11 revoked: 2023-03-17 usage: S
> sub rsa2048/B29A43280A6EF95B
> created: 2023-03-17 expires: 2027-06-21 usage: A
> sub rsa2048/8F80FB587D12FE4E
> created: 2023-03-17 expires: 2027-06-21 usage: S
> sub rsa2048/120E75698E64909B
> created: 2023-03-17 expires: 2027-06-21 usage: E
> The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> sub rsa2048/F2FF566A57C91BC7
> created: 2015-01-11 revoked: 2023-03-17 usage: E
> [ unknown] (1). Uwe Kleine-König <u.kleine-koenig at baylibre.com>
>
> User ID "Uwe Kleine-König <u.kleine-koenig at baylibre.com>": 7 signatures removed
>
> pub rsa4096/E2DCDD9132669BD6
> created: 2010-06-15 expires: 2027-06-21 usage: SC
> trust: unknown validity: unknown
> The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> sub rsa2048/DB334D9FBE6A05BF
> created: 2015-01-11 revoked: 2023-03-17 usage: A
> The following key was revoked on 2015-01-11 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> sub rsa4096/3C3A2D28B94A2928
> created: 2010-06-15 revoked: 2015-01-11 usage: E
> The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> sub rsa2048/C1FC1478ADCAEC09
> created: 2015-01-11 revoked: 2023-03-17 usage: S
> sub rsa2048/B29A43280A6EF95B
> created: 2023-03-17 expires: 2027-06-21 usage: A
> sub rsa2048/8F80FB587D12FE4E
> created: 2023-03-17 expires: 2027-06-21 usage: S
> sub rsa2048/120E75698E64909B
> created: 2023-03-17 expires: 2027-06-21 usage: E
> The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> sub rsa2048/F2FF566A57C91BC7
> created: 2015-01-11 revoked: 2023-03-17 usage: E
> [ unknown] (1). Uwe Kleine-König <u.kleine-koenig at baylibre.com>
>
> uwe at taurus:~$ gpg --homedir "$keyringgpghome" --list-sigs --with-colon E2DCDD9132669BD6 | grep -E '(^pub|^uid|B0D589D46708EC99)'
> pub:-:4096:1:E2DCDD9132669BD6:1276614694:1813572000::-:::scESCA::::::23:1742578410:4:
> uid:-::::1739887646::7E218F31504E286A852C2E05459BA0DC22FF34AE::Uwe Kleine-König <u.kleine-koenig at baylibre.com>:::::::::1742578410:4 https\x3a//openpgpkey.baylibre.com:
>
> So "clean"ing my key removed Trevor's signature.
To expand the set of affected sample data: If you do the above and import the
keys for
u.kleine-koenig at baylibre.com
khilman at baylibre.com
mkorpershoek at baylibre.com
dlechner at baylibre.com
tgamblin at baylibre.com
cleaning the first four keys removes (only) all the signatures by Trevor.
The kernel pgp keyring has some more examples it seems:
git clone https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git
cd pgpkeys
keyringgpghome="$(mktemp -d)"
gpg --homedir "$keyringgpghome" --import keys/*.asc
gpg --homedir "$keyringgpghome" --export > keyring-2.2.46
gpg --homedir "$keyringgpghome" --export --export-options export-clean > keyring-2.2.46-clean
and repeating the same with gpg 2.2.45, I get:
$ ls -lS keyring-*
-rw-rw-r-- 1 uwe uwe 8705354 Mar 24 16:39 keyring-2.2.45
-rw-rw-r-- 1 uwe uwe 8705354 Mar 24 16:37 keyring-2.2.46
-rw-rw-r-- 1 uwe uwe 8199427 Mar 24 16:40 keyring-2.2.45-clean
-rw-rw-r-- 1 uwe uwe 8162407 Mar 24 16:37 keyring-2.2.46-clean
The cleaned keyring exported by 2.2.46 is considerably smaller, so
2.2.46 cleaned more aggressively. Looking at the output of
diff -u <(gpg --list-packets keyring-2.2.45-clean | grep "issuer key" | sort) <(gpg --list-packets keyring-2.2.46-clean | grep "issuer key" | sort)
there are differences in both directions (i.e. signatures that are only
removed by 2.2.45 and others that are only removed by 2.2.46). At least
that is my interpretation given there are + and - lines. I didn't try to
inspect the data to judge for each difference which version of gnupg is
correct.
Best regards
Uwe
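Added example, not part of the bug report above and not gnupg's own code: a small
script that compares two `gpg --list-sigs --with-colons` dumps and reports exactly
which certification signatures (per primary key and user ID, with issuer key ID,
creation time and signature class) are present in one listing but not the other.
This is more precise than comparing export sizes or diffing sorted `--list-packets`
issuer lines, because the latter cannot say which user ID a dropped signature
belonged to or distinguish a certification from a subkey binding signature.
Field positions follow gnupg's doc/DETAILS (pub field 5 = key ID, uid field 8 =
user-ID hash, sig fields 5/6/11 = issuer key ID, creation time, signature class).
The embedded sample is constructed: it reuses the pub, uid and sig records quoted
in the report (with the list archive's "at" obfuscation undone) and adds an
invented self-signature and one subkey with its binding signature, which the
report's grep had filtered out.

```python
"""Diff the certification signatures in two `gpg --list-sigs --with-colons` dumps.

Added example (not from the bug report, not gnupg code).  Usage:
    gpg --homedir A --list-sigs --with-colons > A.txt
    gpg --homedir B --list-sigs --with-colons > B.txt
    python3 sigdiff.py A.txt B.txt
Run without arguments to diff the constructed sample below.
"""
import sys
from collections import Counter, defaultdict


def parse_sigs(colon_output):
    """Map (primary key ID, user-ID hash) -> set of signatures on that user ID.

    Each signature is (record, issuer key ID, creation time, signature class);
    record is "sig" or "rev" (revocation certificate).  Field positions are the
    ones documented in gnupg's doc/DETAILS: pub field 5 = key ID, uid/uat field
    8 = hash of the user ID, sig field 5 = issuer key ID, field 6 = creation
    time, field 11 = signature class (e.g. "10x" generic, "13x" positive).
    Signatures listed after a sub/ssb record are subkey binding signatures,
    not certifications, and are deliberately skipped.
    """
    sigs = defaultdict(set)
    key = uid = None
    for line in colon_output.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec in ("pub", "sec"):
            key, uid = f[4], None
        elif rec in ("sub", "ssb"):
            uid = None
        elif rec in ("uid", "uat") and key is not None:
            uid = f[7]
        elif rec in ("sig", "rev") and key is not None and uid is not None:
            sigs[(key, uid)].add((rec, f[4], f[5], f[10]))
    return dict(sigs)


def diff_sigs(before, after):
    """Return (removed, added): signatures only in `before`, only in `after`."""
    removed, added = {}, {}
    for k in set(before) | set(after):
        b, a = before.get(k, set()), after.get(k, set())
        if b - a:
            removed[k] = b - a
        if a - b:
            added[k] = a - b
    return removed, added


def count_by_issuer(delta):
    """Count how many signatures in a diff were issued by each key ID."""
    return Counter(sig[1] for sigset in delta.values() for sig in sigset)


# Constructed sample (raw strings keep gpg's own "\x3a" escaping intact).
BEFORE_CLEAN = r"""pub:-:4096:1:E2DCDD9132669BD6:1276614694:1813572000::-:::scESCA::::::23:1742578410:4:
fpr:::::::::0D2511F322BFAB1C1580266BE2DCDD9132669BD6:
uid:-::::1739887646::7E218F31504E286A852C2E05459BA0DC22FF34AE::Uwe Kleine-König <u.kleine-koenig@baylibre.com>:::::::::1742578410:4 https\x3a//openpgpkey.baylibre.com:
sig:::1:E2DCDD9132669BD6:1739887646::::Uwe Kleine-König <u.kleine-koenig@baylibre.com>:13x::0D2511F322BFAB1C1580266BE2DCDD9132669BD6:::10:
sig:::1:B0D589D46708EC99:1732894509::::Trevor Gamblin <tgamblin@baylibre.com>:10x::A3A9D4BDAB1069811F48D30EB0D589D46708EC99:::10:
sub:-:2048:1:8F80FB587D12FE4E:1679011200:1813572000:::::s::::::23:
sig:::1:E2DCDD9132669BD6:1679011200::::Uwe Kleine-König <u.kleine-koenig@baylibre.com>:18x::0D2511F322BFAB1C1580266BE2DCDD9132669BD6:::10:
"""

# Same key after `clean`: only Trevor's certification is gone.
AFTER_CLEAN = r"""pub:-:4096:1:E2DCDD9132669BD6:1276614694:1813572000::-:::scESCA::::::23:1742578410:4:
fpr:::::::::0D2511F322BFAB1C1580266BE2DCDD9132669BD6:
uid:-::::1739887646::7E218F31504E286A852C2E05459BA0DC22FF34AE::Uwe Kleine-König <u.kleine-koenig@baylibre.com>:::::::::1742578410:4 https\x3a//openpgpkey.baylibre.com:
sig:::1:E2DCDD9132669BD6:1739887646::::Uwe Kleine-König <u.kleine-koenig@baylibre.com>:13x::0D2511F322BFAB1C1580266BE2DCDD9132669BD6:::10:
sub:-:2048:1:8F80FB587D12FE4E:1679011200:1813572000:::::s::::::23:
sig:::1:E2DCDD9132669BD6:1679011200::::Uwe Kleine-König <u.kleine-koenig@baylibre.com>:18x::0D2511F322BFAB1C1580266BE2DCDD9132669BD6:::10:
"""


def report(before_text, after_text):
    """Print every signature that differs, then a per-issuer tally."""
    removed, added = diff_sigs(parse_sigs(before_text), parse_sigs(after_text))
    for label, delta in (("removed", removed), ("added", added)):
        for (key, uid), sigset in sorted(delta.items()):
            for rec, issuer, created, cls in sorted(sigset):
                print(f"{label}: {rec} on {key} uid {uid[:8]} "
                      f"issuer={issuer} class={cls} created={created}")
        print(f"{label} by issuer: {dict(count_by_issuer(delta))}")


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fb, open(sys.argv[2]) as fa:
            report(fb.read(), fa.read())
    else:
        report(BEFORE_CLEAN, AFTER_CLEAN)
```

To compare what two gpg versions drop, import each version's cleaned export into
a fresh homedir and dump both with `--list-sigs --with-colons`; the diff then names
the issuer and signature class of every certification that only one version
removed. With `--check-sigs` instead of `--list-sigs`, field 2 of each sig record
also records whether the signature verified ("!" good, "-" bad, "?" issuer key
unavailable), which is the first thing to check for each signature the two
versions disagree about.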