Re: Key corruption: duplicate signatures and usage flags

2017-07-25 Thread Werner Koch
On Fri, 23 Jun 2017 10:02, madd...@madduck.net said:

> Are you saying that gnupg 2.1.18 added the self-signature in the
> wrong place?

There is no right or wrong place.  gpg uses the latest valid
self-signature according to the timestamp in the self-signature.  Use
--with-colons to see the full timestamps (cf. doc/DETAILS).

Probably unrelated: --list-keys does not check the key signatures; you
need to use --check-sigs.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
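
Added example (not part of the original message and not GnuPG project code): a small filter for `gpg --with-colons --check-sigs` output that reports, per user ID, the newest self-signature that verified, how many self-signatures look like repeats, and how many failed the check. The sample listing and key IDs are constructed placeholders, the function names are made up for this example, and treating "same issuer, timestamp and class" as a duplicate is a heuristic assumed here.

```shell
#!/bin/sh
# Constructed, simplified sample of `gpg --with-colons --check-sigs <keyid>`
# output (placeholder key IDs; only the fields read below are filled in).
# Fields per doc/DETAILS: 1 record type, 2 check result, 5 key ID,
# 6 creation time (epoch seconds), 10 user ID, 11 signature class.
sample_listing() {
cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAAA:1246838400:::-:::
uid:-::::1496793600::::Example User <user@example.org>:
sig:!::1:AAAAAAAAAAAAAAAA:1246838400::::Example User <user@example.org>:13x:
sig:!::1:AAAAAAAAAAAAAAAA:1496793600::::Example User <user@example.org>:13x:
sig:!::1:AAAAAAAAAAAAAAAA:1246838400::::Example User <user@example.org>:13x:
sig:-::1:AAAAAAAAAAAAAAAA:1500000000::::Example User <user@example.org>:13x:
sig:!::1:BBBBBBBBBBBBBBBB:1510000000::::Other Person <other@example.org>:10x:
EOF
}

# Reads a colon listing on stdin and prints one line per user ID:
#   <uid>|latest=<epoch>|duplicates=<n>|rejected=<n>
selfsig_report() {
    awk -F: '
        $1 == "pub" { primary = $5; next }           # remember the primary key ID
        $1 == "uid" { uid = $10; order[++n] = uid; next }
        $1 == "sub" { uid = ""; next }               # subkey binding signatures are skipped
        # Self-signature: issued by the primary key, certification class 0x10-0x13.
        $1 == "sig" && uid != "" && $5 == primary && $11 ~ /^1[0-3]/ {
            if (substr($2, 1, 1) != "!") { bad[uid]++; next }  # did not verify: never wins
            if (seen[uid, $6, $11]++)    { dup[uid]++; next }  # heuristic duplicate
            if ($6 + 0 > latest[uid] + 0) latest[uid] = $6     # newest good one so far
        }
        END {
            for (i = 1; i <= n; i++) {
                u = order[i]
                printf "%s|latest=%s|duplicates=%d|rejected=%d\n", u, latest[u], dup[u], bad[u]
            }
        }'
}

# Run against the constructed sample; on a real keyring use:
#   gpg --with-colons --check-sigs <keyid> | selfsig_report
sample_listing | selfsig_report
```

In the sample, the failed signature is the newest by timestamp but is not selected, and the third-party certification is ignored because its issuer is not the primary key.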


Re: Key corruption: duplicate signatures and usage flags

2017-06-23 Thread martin f krafft
Thus spoke Werner Koch [2017-06-23 09:40 +0200]:
> Those flags are tracked in self-signatures.  When changing a flag
> a new self-signature is used.  This will be uploaded to the
> keyserver.  gpg uses the flags from the latest self-signature it
> has.

So how does this explain

  % export GNUPGHOME=$(mktemp -d)
  % gpg --recv-key 55C9882D999BBCC4
  % gpg --list-key 55C9882D999BBCC4 | grep '^pub'   # [SC]
  % gpg --edit-key 55C9882D999BBCC4 save
  % gpg --list-key 55C9882D999BBCC4 | grep '^pub'   # [C]

Are you saying that gnupg 2.1.18 added the self-signature in the
wrong place?

Thanks,

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/
 
"i wish i hadn't slept all day, it's really lowered my productivity"
   -- robert mcqueen
 
spamtraps: madduck.bo...@madduck.net




Re: Key corruption: duplicate signatures and usage flags

2017-06-23 Thread Werner Koch
On Fri, 23 Jun 2017 00:33, 2014-667rhzu3dc-lists-gro...@riseup.net said:

> I didn't know you could remove a usage flag once the key was on the

Those flags are tracked in self-signatures.  When changing a flag a new
self-signature is used.  This will be uploaded to the keyserver.  gpg
uses the flags from the latest self-signature it has.

Note that revocations are also self-signatures (using a different class
and not "flags", though).


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: Key corruption: duplicate signatures and usage flags

2017-06-23 Thread martin f krafft
Thus spoke MFPA <2014-667rhzu3dc-lists-gro...@riseup.net> [2017-06-23 00:33 +0200]:
> I didn't know you could remove a usage flag once the key was on the
> keyservers.

Well, it somehow seems to work, apart from the fact that gnupg first
needs to clean up the key (using --edit-key) after downloading the
modified version from the keyservers.

> And I thought GnuPG would automatically sign with a valid signing
> subkey if there was one.

It does this independently, yes.

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/
 
"work consists of whatever a body is obliged to do.
 play consists of whatever a body is not obliged to do."
   -- mark twain
 
spamtraps: madduck.bo...@madduck.net




Re: Key corruption: duplicate signatures and usage flags

2017-06-22 Thread MFPA
On Thursday 22 June 2017 at 12:22:46 PM, martin f krafft wrote:-


> There were [SC] when I created it, but I've recently changed to
> a signing subkey and removed the flag from the primary key.

I didn't know you could remove a usage flag once the key was on the
keyservers. And I thought GnuPG would automatically sign with a valid
signing subkey if there was one.


-- 
Best regards

MFPA  

INFLATION: Cutting money in half without damaging the paper.


Re: Key corruption: duplicate signatures and usage flags

2017-06-22 Thread Justus Winter
martin f krafft  writes:

> Hey Justus, thanks for writing in. Here are the answers you wanted:
>
>> gpg --version please?
>
> 2.1.18
>
>> > So far, so good. Do note the [SC] usage flags.
>> 
>> What are the capabilities of your primary key supposed to be?
>
> There were [SC] when I created it, but I've recently changed to
> a signing subkey and removed the flag from the primary key.

Interesting.  Thanks for clarifying.

>> >   key 55C9882D999BBCC4:
>> >   24 duplicate signatures removed
>> >
>> > That's a bit weird. Where do these come from?
>> 
>> Not sure, but anyone can append stuff to your key on the keyservers.
>> Maybe some faulty software reordered the packages and uploaded it?
>
> Yeah could be. And while there's no way this can be fixed, it also
> doesn't really harm, does it?

No, it does (should) not harm.  Future versions of GnuPG will check and
clean keys automatically when (re-)fetching them from keyservers.

Justus




Re: Key corruption: duplicate signatures and usage flags

2017-06-22 Thread Teemu Likonen
Justus Winter [2017-06-21 15:10:52+02] wrote:

> martin f krafft  writes:
>> x-hkp://pool.sks-keyservers.net
>
> Here  ^ is the keyserver url.

>>   gpg> save
>>   Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: %
>
> And these are the labels for these urls.  This was a cosmetic problem
> that I just fixed.

There is a similar cosmetic problem with --update-trustdb:

[...]
No trust value assigned to:
pub   rsa4096 -XX-XX [SC]
  [...]
 Primary key fingerprint: [...]

Please decide how far you trust this user to correctly verify other
users' keys (by looking at passports, checking fingerprints from
different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  s = skip this key
  q = quit

Your decision? 4
gpg: depth: 4  valid:  17  signed:  13  trust: 0-, 0q, 0n, 3m, 14f, 0u
gpg: next trustdb check due at 2017-09-09

And when the whole session is over gpg prints fingerprints of _all_ keys
that got their ownertrust updated.

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///




Re: Key corruption: duplicate signatures and usage flags

2017-06-22 Thread martin f krafft
Hey Justus, thanks for writing in. Here are the answers you wanted:

> gpg --version please?

2.1.18

> > So far, so good. Do note the [SC] usage flags.
> 
> What are the capabilities of your primary key supposed to be?

There were [SC] when I created it, but I've recently changed to
a signing subkey and removed the flag from the primary key.

> >   key 55C9882D999BBCC4:
> >   24 duplicate signatures removed
> >
> > That's a bit weird. Where do these come from?
> 
> Not sure, but anyone can append stuff to your key on the keyservers.
> Maybe some faulty software reordered the packages and uploaded it?

Yeah could be. And while there's no way this can be fixed, it also
doesn't really harm, does it?

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/
 
"getting a scsi chain working is perfectly simple if you remember that
 there must be exactly three terminations: one on one end of the
 cable, one on the far end, and the goat, terminated over the scsi
 chain with a silver-handled knife whilst burning *black* candles."
 -- anthony deboer
 
spamtraps: madduck.bo...@madduck.net




Re: Key corruption: duplicate signatures and usage flags

2017-06-21 Thread Guilhem Moulin
Hi Martin,

On Wed, 21 Jun 2017 at 11:03:40 +0200, martin f krafft wrote:
> And then check this out:
> 
> % gpg --edit-key 0x55C9882D999BBCC4
> […]
> 
> key 55C9882D999BBCC4:
> 24 duplicate signatures removed
> 
> That's a bit weird. Where do these come from?

The OpenPGP packets were not ordered properly, and gpg tried to clean
that up.  (Typically the signatures were placed under a subkey or the
wrong UID, then reordered to be placed under the proper component;
duplicate sigs currently arise when the key is refreshed.)  See issue
2236 for details and background: https://dev.gnupg.org/T2236

Cheers,
-- 
Guilhem.




Re: Key corruption: duplicate signatures and usage flags

2017-06-21 Thread Justus Winter
martin f krafft  writes:

> And then check this out:
>
>   % gpg --edit-key 0x55C9882D999BBCC4
>   gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
>   This is free software: you are free to change and redistribute it.
>   There is NO WARRANTY, to the extent permitted by law.
>
>   uid  Martin F. Krafft 
>   sig!3 55C9882D999BBCC4 2009-07-06 never   [self-signature]
>   sig!3 55C9882D999BBCC4 2017-06-07 never   [self-signature]*
>   [expires: 2020-02-01 11:20:11]
>   sig!3 55C9882D999BBCC4 2009-07-06 never   [self-signature]
> x-hkp://pool.sks-keyservers.net

Here  ^ is the keyserver url.

>   […]
>
>   gpg> save
>   Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: %

And these are the labels for these urls.  This was a cosmetic problem
that I just fixed.



Justus




Re: Key corruption: duplicate signatures and usage flags

2017-06-21 Thread Justus Winter
martin f krafft  writes:

> Hey,
>
> My key on the keyservers is 0x55C9882D999BBCC4. If I download this
> to a fresh keyring, I get some weird behaviours:

gpg --version please?

>   % alias gpg='gpg --homedir=.'

I tend to do: $ export GNUPGHOME=$(mktemp -d)

> So far, so good. Do note the [SC] usage flags.

What are the capabilities of your primary key supposed to be?

>   key 55C9882D999BBCC4:
>   24 duplicate signatures removed
>
> That's a bit weird. Where do these come from?

Not sure, but anyone can append stuff to your key on the keyservers.
Maybe some faulty software reordered the packages and uploaded it?

> But there's more: now the usage flag of the primary key has been
> changed to just 'C' (which is what I uploaded), and …
>
>   pub  rsa4096/55C9882D999BBCC4
>   created: 2009-07-06  expires: 2020-02-01  usage: C
>   trust: unknown   validity: unknown
>   […]
>
> … a subsequent save spews a weird list of "Preferred keyserver:"
> text to stdout, but now the usage flag of the primary key is also
> just [C] in the --list-keys output:
>
>   gpg> save
>   Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: %
>
>   % gpg --list-keys 0x55C9882D999BBCC4
>   pub   rsa4096 2009-07-06 [C] [expires: 2020-02-01]
> 2CCB26BC5C49BC221F20794255C9882D999BBCC4
>   […]

This is odd indeed.


Justus




Re: Key corruption: duplicate signatures and usage flags

2017-06-21 Thread Teemu Likonen
martin f. krafft [2017-06-21 11:03:40+02] wrote:

>   24 duplicate signatures removed
>
> That's a bit weird. Where do these come from?

I've seen the message with other keys too, just after --edit-key. The
number of duplicate signatures varies. Next --refresh-keys command
downloads the signatures back.

I tried your key and got the same results.

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///

