[pkg-gnupg-maint] Bug#1101007: regression: gpg --edit-key clean removes signature that was kept in 2.2.45
Uwe Kleine-König
ukleinek at debian.org
Thu Mar 27 17:51:46 GMT 2025
Hello,
On Mon, Mar 24, 2025 at 04:55:20PM +0100, Uwe Kleine-König wrote:
> On Fri, Mar 21, 2025 at 06:43:19PM +0100, Uwe Kleine-König wrote:
> > Package: gnupg
> > Version: 2.2.46-5
> > Severity: normal
> > X-Debbugs-Cc: ukleinek at debian.org
> >
> > Hello,
> >
> > uwe at taurus:~$ keyringgpghome="$(mktemp -d)"
> >
> > uwe at taurus:~$ gpg --homedir "$keyringgpghome" --locate-external-key tgamblin at baylibre.com u.kleine-koenig at baylibre.com
> > gpg: keybox '/tmp/tmp.U5pMuWLasg/pubring.kbx' created
> > gpg: /tmp/tmp.U5pMuWLasg/trustdb.gpg: trustdb created
> > gpg: key E2DCDD9132669BD6: public key "Uwe Kleine-König <u.kleine-koenig at baylibre.com>" imported
> > gpg: Total number processed: 1
> > gpg: imported: 1
> > gpg: no ultimately trusted keys found
> > gpg: key B0D589D46708EC99: public key "Trevor Gamblin <tgamblin at baylibre.com>" imported
> > gpg: Total number processed: 1
> > gpg: imported: 1
> > gpg: no ultimately trusted keys found
> > pub rsa4096 2010-06-15 [SC] [expires: 2027-06-21]
> > 0D2511F322BFAB1C1580266BE2DCDD9132669BD6
> > uid [ unknown] Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> > sub rsa2048 2023-03-17 [A] [expires: 2027-06-21]
> > sub rsa2048 2023-03-17 [S] [expires: 2027-06-21]
> > sub rsa2048 2023-03-17 [E] [expires: 2027-06-21]
> >
> > pub rsa4096 2024-11-19 [C] [expires: 2026-11-19]
> > A3A9D4BDAB1069811F48D30EB0D589D46708EC99
> > uid [ unknown] Trevor Gamblin <tgamblin at baylibre.com>
> > sub cv25519 2024-11-19 [E]
> > sub ed25519 2024-11-19 [S]
> > sub ed25519 2024-11-19 [A]
> >
> > uwe at taurus:~$ gpg --homedir "$keyringgpghome" --list-sigs --with-colon E2DCDD9132669BD6 | grep -E '(^pub|^uid|B0D589D46708EC99)'
> > pub:-:4096:1:E2DCDD9132669BD6:1276614694:1813572000::-:::scESCA::::::23:1742578410:4:
> > uid:-::::1739887646::7E218F31504E286A852C2E05459BA0DC22FF34AE::Uwe Kleine-König <u.kleine-koenig at baylibre.com>:::::::::1742578410:4 https\x3a//openpgpkey.baylibre.com:
> > sig:::1:B0D589D46708EC99:1732894509::::Trevor Gamblin <tgamblin at baylibre.com>:10x::A3A9D4BDAB1069811F48D30EB0D589D46708EC99:::10:
> >
> > So my key E2DCDD9132669BD6 has a signature by Trevor's key.
> >
> > uwe at taurus:~$ gpg --homedir "$keyringgpghome" --edit-key E2DCDD9132669BD6 clean save
> > gpg (GnuPG) 2.2.46; Copyright (C) 2024 g10 Code GmbH
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.
> >
> >
> > pub rsa4096/E2DCDD9132669BD6
> > created: 2010-06-15 expires: 2027-06-21 usage: SC
> > trust: unknown validity: unknown
> > The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> > sub rsa2048/DB334D9FBE6A05BF
> > created: 2015-01-11 revoked: 2023-03-17 usage: A
> > The following key was revoked on 2015-01-11 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> > sub rsa4096/3C3A2D28B94A2928
> > created: 2010-06-15 revoked: 2015-01-11 usage: E
> > The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> > sub rsa2048/C1FC1478ADCAEC09
> > created: 2015-01-11 revoked: 2023-03-17 usage: S
> > sub rsa2048/B29A43280A6EF95B
> > created: 2023-03-17 expires: 2027-06-21 usage: A
> > sub rsa2048/8F80FB587D12FE4E
> > created: 2023-03-17 expires: 2027-06-21 usage: S
> > sub rsa2048/120E75698E64909B
> > created: 2023-03-17 expires: 2027-06-21 usage: E
> > The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> > sub rsa2048/F2FF566A57C91BC7
> > created: 2015-01-11 revoked: 2023-03-17 usage: E
> > [ unknown] (1). Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> >
> > User ID "Uwe Kleine-König <u.kleine-koenig at baylibre.com>": 7 signatures removed
> >
> > pub rsa4096/E2DCDD9132669BD6
> > created: 2010-06-15 expires: 2027-06-21 usage: SC
> > trust: unknown validity: unknown
> > The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> > sub rsa2048/DB334D9FBE6A05BF
> > created: 2015-01-11 revoked: 2023-03-17 usage: A
> > The following key was revoked on 2015-01-11 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> > sub rsa4096/3C3A2D28B94A2928
> > created: 2010-06-15 revoked: 2015-01-11 usage: E
> > The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> > sub rsa2048/C1FC1478ADCAEC09
> > created: 2015-01-11 revoked: 2023-03-17 usage: S
> > sub rsa2048/B29A43280A6EF95B
> > created: 2023-03-17 expires: 2027-06-21 usage: A
> > sub rsa2048/8F80FB587D12FE4E
> > created: 2023-03-17 expires: 2027-06-21 usage: S
> > sub rsa2048/120E75698E64909B
> > created: 2023-03-17 expires: 2027-06-21 usage: E
> > The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> > sub rsa2048/F2FF566A57C91BC7
> > created: 2015-01-11 revoked: 2023-03-17 usage: E
> > [ unknown] (1). Uwe Kleine-König <u.kleine-koenig at baylibre.com>
> >
> > uwe at taurus:~$ gpg --homedir "$keyringgpghome" --list-sigs --with-colon E2DCDD9132669BD6 | grep -E '(^pub|^uid|B0D589D46708EC99)'
> > pub:-:4096:1:E2DCDD9132669BD6:1276614694:1813572000::-:::scESCA::::::23:1742578410:4:
> > uid:-::::1739887646::7E218F31504E286A852C2E05459BA0DC22FF34AE::Uwe Kleine-König <u.kleine-koenig at baylibre.com>:::::::::1742578410:4 https\x3a//openpgpkey.baylibre.com:
> >
> > So "clean"ing my key removed Trevor's signature.
>
> To expand the set of affected sample data: If you do the above and import the
> keys for
> u.kleine-koenig at baylibre.com
> khilman at baylibre.com
> mkorpershoek at baylibre.com
> dlechner at baylibre.com
> tgamblin at baylibre.com
>
> cleaning the first four keys removes (only) all the signatures by Trevor.
>
> The kernel pgp keyring has some more examples it seems:
>
> git clone https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git
> cd pgpkeys
> keyringgpghome="$(mktemp -d)"
> gpg --homedir "$keyringgpghome" --import keys/*.asc
> gpg --homedir "$keyringgpghome" --export > keyring-2.2.46
> gpg --homedir "$keyringgpghome" --export --export-options export-clean > keyring-2.2.46-clean
>
> and repeating the same with gpg 2.2.45, I get:
>
> $ ls -lS keyring-*
> -rw-rw-r-- 1 uwe uwe 8705354 Mar 24 16:39 keyring-2.2.45
> -rw-rw-r-- 1 uwe uwe 8705354 Mar 24 16:37 keyring-2.2.46
> -rw-rw-r-- 1 uwe uwe 8199427 Mar 24 16:40 keyring-2.2.45-clean
> -rw-rw-r-- 1 uwe uwe 8162407 Mar 24 16:37 keyring-2.2.46-clean
>
> The cleaned keyring exported by 2.2.46 is considerably smaller, so
> 2.2.46 cleaned more aggressively. Looking at the output of
>
> diff -u <(gpg --list-packets keyring-2.2.45-clean | grep "issuer key" | sort) <(gpg --list-packets keyring-2.2.46-clean | grep "issuer key" | sort)
>
> there are differences in both directions (i.e. signatures that are only
> removed by 2.2.45 and others that are only removed by 2.2.46). At least
> that is my interpretation given there are + and - lines. I didn't try to
> inspect the data to judge for each difference which version of gnupg is
> correct.
JFTR: I did check some of the ones that gpg 2.2.45 removed. All but
pub:-:4064:1:26BCFA05FCF60E4C:1464562073:1779922073::-:::scESC::::::::0:
fpr:::::::::95C62D2248EE0D8A44C3D3B426BCFA05FCF60E4C:
uid:-::::1727161650::90AF1B0CCF60A66F8C25A9779B5F6580A67B72CE::Marek Behún <kabel at kernel.org>::::::::::0:
-sig:::1:26BCFA05FCF60E4C:1663342750::::Marek Behún <kabel at kernel.org>:13x::95C62D2248EE0D8A44C3D3B426BCFA05FCF60E4C:::8:
sig:::1:26BCFA05FCF60E4C:1727161650::::Marek Behún <kabel at kernel.org>:13x::95C62D2248EE0D8A44C3D3B426BCFA05FCF60E4C:::10:
uid:-::::1727161645::6021E246B2D94BF22E0DF15A8BD6E73079859DC0::Marek Behun <kabel at blackhole.sk>::::::::::0:
-sig:::1:26BCFA05FCF60E4C:1556565206::::Marek Behún <kabel at kernel.org>:13x::95C62D2248EE0D8A44C3D3B426BCFA05FCF60E4C:::8:
-sig:::1:BD6A501CB78B7C26:1556571913::::Jacek Anaszewski <jacek.anaszewski at gmail.com>:10x::BF1DFC0A568F05F795757090BD6A501CB78B7C26:::8:
sig:::1:26BCFA05FCF60E4C:1727161645::::Marek Behún <kabel at kernel.org>:13x::95C62D2248EE0D8A44C3D3B426BCFA05FCF60E4C:::10:
uid:-::::1556564998::3D89AAFC785B5B4E4D125A8D9DD223C8ACCB21FD::Marek Behún <marek.behun at nic.cz>::::::::::0:
sig:::1:26BCFA05FCF60E4C:1556564998::::Marek Behún <kabel at kernel.org>:13x::95C62D2248EE0D8A44C3D3B426BCFA05FCF60E4C:::8:
sub:-:4064:1:B81F800D3C7D948E:1464562073:1779922073:::::e:::::::
fpr:::::::::CA49A590D97148D89162602CB81F800D3C7D948E:
sig:::1:26BCFA05FCF60E4C:1464562073::::Marek Behún <kabel at kernel.org>:18x:::::8:
(The lines marked with - are dropped by cleaning with 2.2.45-2)
I do understand (drops signatures of expired keys, all but the newest
self-sig). Here I fail to see why Jacek's signature is removed. I
guess it is related to the key having validity '-' and so the signatures
on it are unusable and so dropped. (Why this key isn't valid however is
a mystery to me.)
Best regards
Uwe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnupg-maint/attachments/20250327/64be4887/attachment.sig>
More information about the pkg-gnupg-maint
mailing list