Key corruption: duplicate signatures and usage flags


martin f krafft-2
Hey,

My key on the keyservers is 0x55C9882D999BBCC4. If I download this
to a fresh keyring, I get some weird behaviours:

  % alias gpg='gpg --homedir=.'
  % gpg --recv-key 0x55C9882D999BBCC4
  gpg: keybox '/home/ssd/madduck/.tmp/cdt.p0R8ly/pubring.kbx' created
  gpg: /home/ssd/madduck/.tmp/cdt.p0R8ly/trustdb.gpg: trustdb created
  gpg: key 55C9882D999BBCC4: public key "Martin F. Krafft <[hidden email]>" imported
  gpg: no ultimately trusted keys found
  gpg: Total number processed: 1
  gpg:               imported: 1

  % gpg --list-keys !$
  gpg --list-keys 0x55C9882D999BBCC4
  pub   rsa4096 2009-07-06 [SC] [expires: 2020-02-01]
      2CCB26BC5C49BC221F20794255C9882D999BBCC4
  uid           [ unknown] Martin F. Krafft <[hidden email]>
  uid           [ unknown] Martin F. Krafft <[hidden email]>
  uid           [ unknown] Martin F. Krafft (Debian) <[hidden email]>
  uid           [ unknown] [jpeg image of size 2160]
  sub   rsa4096 2016-07-01 [E] [expires: 2018-02-01]
  sub   rsa4096 2016-12-01 [S] [expires: 2018-02-01]
  sub   rsa4096 2016-12-01 [A] [expires: 2018-02-01]

So far, so good. Do note the [SC] usage flags.

And then check this out:

  % gpg --edit-key 0x55C9882D999BBCC4
  gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.

  uid  Martin F. Krafft <[hidden email]>
  sig!3        55C9882D999BBCC4 2009-07-06 never       [self-signature]
  sig!3        55C9882D999BBCC4 2017-06-07 never       [self-signature]*
              [expires: 2020-02-01 11:20:11]
  sig!3        55C9882D999BBCC4 2009-07-06 never       [self-signature]
    x-hkp://pool.sks-keyservers.net

  […]

  sub  AD18B605905834CC
  sig!    P    55C9882D999BBCC4 2015-07-01 never       [self-signature]*
    Signature policy: http://martin-krafft.net/gpg/cert-policy/55c9882d999bbcc4/201412051354?sha512sum=a5f417ebe563ed63cc3bbc4b14da4983e30d8ada7b2ba94b6de5e7a74bee6ab55c6ca307e163c33a6bf242e8ce4ca5fe99a271dd3b41626d3b4a10203a5c7225
              [expires: 2010-08-07 08:37:18]

  […]

  key 55C9882D999BBCC4:
  24 duplicate signatures removed

That's a bit weird. Where do these come from?

But there's more: now the usage flag of the primary key has been
changed to just 'C' (which is what I uploaded), and …

  pub  rsa4096/55C9882D999BBCC4
      created: 2009-07-06  expires: 2020-02-01  usage: C
      trust: unknown       validity: unknown
  […]

… a subsequent save spews a weird list of "Preferred keyserver:"
text to stdout, but now the usage flag of the primary key is also
just [C] in the --list-keys output:

  gpg> save
  Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: %

  % gpg --list-keys 0x55C9882D999BBCC4
  pub   rsa4096 2009-07-06 [C] [expires: 2020-02-01]
        2CCB26BC5C49BC221F20794255C9882D999BBCC4
  […]

Do you have any idea what might be going on here? Is this a problem,
or just cosmetic? Is it fixable? How?

--
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/
 
"life moves pretty fast. if you don't stop and look around once in
 a while, you could miss it."
                                                     -- ferris bueller
 
spamtraps: [hidden email]

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Key corruption: duplicate signatures and usage flags

Teemu Likonen
martin f. krafft [2017-06-21 11:03:40+02] wrote:

>   24 duplicate signatures removed
>
> That's a bit weird. Where do these come from?

I've seen the message with other keys too, just after --edit-key. The
number of duplicate signatures varies. Next --refresh-keys command
downloads the signatures back.

I tried your key and got the same results.

--
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///

Re: Key corruption: duplicate signatures and usage flags

Justus Winter
In reply to this post by martin f krafft-2
martin f krafft <[hidden email]> writes:

> Hey,
>
> My key on the keyservers is 0x55C9882D999BBCC4. If I download this
> to a fresh keyring, I get some weird behaviours:

gpg --version please?

>   % alias gpg='gpg --homedir=.'

I tend to do: $ export GNUPGHOME=$(mktemp -d)

> So far, so good. Do note the [SC] usage flags.

What are the capabilities of your primary key supposed to be?

>   key 55C9882D999BBCC4:
>   24 duplicate signatures removed
>
> That's a bit weird. Where do these come from?

Not sure, but anyone can append stuff to your key on the keyservers.
Maybe some faulty software reordered the packages and uploaded it?

> But there's more: now the usage flag of the primary key has been
> changed to just 'C' (which is what I uploaded), and …
>
>   pub  rsa4096/55C9882D999BBCC4
>       created: 2009-07-06  expires: 2020-02-01  usage: C
>       trust: unknown       validity: unknown
>   […]
>
> … a subsequent save spews a weird list of "Preferred keyserver:"
> text to stdout, but now the usage flag of the primary key is also
> just [C] in the --list-keys output:
>
>   gpg> save
>   Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: %
>
>   % gpg --list-keys 0x55C9882D999BBCC4
>   pub   rsa4096 2009-07-06 [C] [expires: 2020-02-01]
>         2CCB26BC5C49BC221F20794255C9882D999BBCC4
>   […]
This is odd indeed.


Justus

Re: Key corruption: duplicate signatures and usage flags

Guilhem Moulin
In reply to this post by martin f krafft-2
Hi Martin,

On Wed, 21 Jun 2017 at 11:03:40 +0200, martin f krafft wrote:
> And then check this out:
>
> % gpg --edit-key 0x55C9882D999BBCC4
> […]
>
> key 55C9882D999BBCC4:
> 24 duplicate signatures removed
>
> That's a bit weird. Where do these come from?

The OpenPGP packets were not ordered properly, and gpg tried to clean
that up.  (Typically the signatures were placed under a subkey or the
wrong UID, then reordered to be placed under the proper component;
duplicate sigs currently arise when the key is refreshed.)  See issue
2236 for details and background: https://dev.gnupg.org/T2236

Cheers,
--
Guilhem.

Re: Key corruption: duplicate signatures and usage flags

Justus Winter
In reply to this post by martin f krafft-2
martin f krafft <[hidden email]> writes:

> And then check this out:
>
>   % gpg --edit-key 0x55C9882D999BBCC4
>   gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
>   This is free software: you are free to change and redistribute it.
>   There is NO WARRANTY, to the extent permitted by law.
>
>   uid  Martin F. Krafft <[hidden email]>
>   sig!3        55C9882D999BBCC4 2009-07-06 never       [self-signature]
>   sig!3        55C9882D999BBCC4 2017-06-07 never       [self-signature]*
>               [expires: 2020-02-01 11:20:11]
>   sig!3        55C9882D999BBCC4 2009-07-06 never       [self-signature]
>     x-hkp://pool.sks-keyservers.net
Here  ^ is the keyserver url.

>   […]
>
>   gpg> save
>   Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: %

And these are the labels for these urls.  This was a cosmetic problem
that I just fixed.



Justus

Re: Key corruption: duplicate signatures and usage flags

martin f krafft-2
In reply to this post by Justus Winter
Hey Justus, thanks for writing in. Here are the answers you wanted:

> gpg --version please?

2.1.18

> > So far, so good. Do note the [SC] usage flags.
>
> What are the capabilities of your primary key supposed to be?

There were [SC] when I created it, but I've recently changed to
a signing subkey and removed the flag from the primary key.

> >   key 55C9882D999BBCC4:
> >   24 duplicate signatures removed
> >
> > That's a bit weird. Where do these come from?
>
> Not sure, but anyone can append stuff to your key on the keyservers.
> Maybe some faulty software reordered the packages and uploaded it?

Yeah could be. And while there's no way this can be fixed, it also
doesn't really harm, does it?

--
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/
 
"getting a scsi chain working is perfectly simple if you remember that
 there must be exactly three terminations: one on one end of the
 cable, one on the far end, and the goat, terminated over the scsi
 chain with a silver-handled knife whilst burning *black* candles."
                                                     -- anthony deboer
 
spamtraps: [hidden email]

Re: Key corruption: duplicate signatures and usage flags

Teemu Likonen
In reply to this post by Justus Winter
Justus Winter [2017-06-21 15:10:52+02] wrote:

> martin f krafft <[hidden email]> writes:
>>     x-hkp://pool.sks-keyservers.net
>
> Here  ^ is the keyserver url.

>>   gpg> save
>>   Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: %
>
> And these are the labels for these urls.  This was a cosmetic problem
> that I just fixed.

There is a similar cosmetic problem with --update-trustdb:

    [...]
    No trust value assigned to:
    pub   rsa4096 XXXX-XX-XX [SC]
          [...]
     Primary key fingerprint: [...]

    Please decide how far you trust this user to correctly verify other
    users' keys (by looking at passports, checking fingerprints from
    different sources, etc.)

      1 = I don't know or won't say
      2 = I do NOT trust
      3 = I trust marginally
      4 = I trust fully
      s = skip this key
      q = quit

    Your decision? 4
    gpg: depth: 4  valid:  17  signed:  13  trust: 0-, 0q, 0n, 3m, 14f, 0u
    gpg: next trustdb check due at 2017-09-09

And when the whole session is over gpg prints fingerprints of _all_ keys
that got their ownertrust updated.

--
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///

Re: Key corruption: duplicate signatures and usage flags

Justus Winter
In reply to this post by martin f krafft-2
martin f krafft <[hidden email]> writes:

> [ Unknown signature status ]
> Hey Justus, thanks for writing in. Here are the answers you wanted:
>
>> gpg --version please?
>
> 2.1.18
>
>> > So far, so good. Do note the [SC] usage flags.
>>
>> What are the capabilities of your primary key supposed to be?
>
> There were [SC] when I created it, but I've recently changed to
> a signing subkey and removed the flag from the primary key.
Interesting.  Thanks for clarifying.

>> >   key 55C9882D999BBCC4:
>> >   24 duplicate signatures removed
>> >
>> > That's a bit weird. Where do these come from?
>>
>> Not sure, but anyone can append stuff to your key on the keyservers.
>> Maybe some faulty software reordered the packages and uploaded it?
>
> Yeah could be. And while there's no way this can be fixed, it also
> doesn't really harm, does it?
No, it does (should) not harm.  Future versions of GnuPG will check and
clean keys automatically when (re-)fetching them from keyservers.

Justus

Re: Key corruption: duplicate signatures and usage flags

MFPA-5
In reply to this post by martin f krafft-2

On Thursday 22 June 2017 at 12:22:46 PM, in
<mid:[hidden email]>,
martin f krafft wrote:-


> There were [SC] when I created it, but I've recently
> changed to
> a signing subkey and removed the flag from the
> primary key.

I didn't know you could remove a usage flag once the key was on the
keyservers. And I thought GnuPG would automatically sign with a valid
signing subkey if there was one.


--
Best regards

MFPA                  <mailto:[hidden email]>

INFLATION: Cutting money in half without damaging the paper.

Re: Key corruption: duplicate signatures and usage flags

martin f krafft-2
thus spoke MFPA <[hidden email]> [2017-06-23 00:33 +0200]:
> I didn't know you could remove a usage flag once the key was on the
> keyservers.

Well, it somehow seems to work, apart from the fact that gnupg first
needs to clean up the key (using --edit-key) after downloading the
modified version from the keyservers.

> And I thought GnuPG would automatically sign with a valid signing
> subkey if there was one.

It does this independently, yes.

--
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/
 
"work consists of whatever a body is obliged to do.
 play consists of whatever a body is not obliged to do."
                                                       -- mark twain
 
spamtraps: [hidden email]

Re: Key corruption: duplicate signatures and usage flags

Werner Koch
In reply to this post by MFPA-5
On Fri, 23 Jun 2017 00:33, [hidden email] said:

> I didn't know you could remove a usage flag once the key was on the

Those flags are tracked in self-signatures.  When changing a flag a new
self-signature is used.  This will be uploaded to the keyserver.  gpg
uses the flags from the latest self-signature it has.

Note that revocations are also self-signatures (using a different class
and not "flags", though).


Shalom-Salam,

   Werner

--
Thoughts are free.  Exceptions are regulated by a federal law.

Re: Key corruption: duplicate signatures and usage flags

martin f krafft-2
thus spoke Werner Koch <[hidden email]> [2017-06-23 09:40 +0200]:
> Those flags are tracked in self-signatures.  When changing a flag
> a new self-signature is used.  This will be uploaded to the
> keyserver.  gpg uses the flags from the latest self-signature it
> has.

So how does this explain

  % export GNUPGHOME=$(mktemp -d)
  % gpg --recv-key 55C9882D999BBCC4
  % gpg --list-key 55C9882D999BBCC4 | grep '^pub'   # [SC]
  % gpg --edit-key 55C9882D999BBCC4 save
  % gpg --list-key 55C9882D999BBCC4 | grep '^pub'   # [C]

Are you saying that gnupg 2.1.18 added the self-signature in the
wrong place?

Thanks,

--
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/
 
"i wish i hadn't slept all day, it's really lowered my productivity"
                                                   -- robert mcqueen
 
spamtraps: [hidden email]

Re: Key corruption: duplicate signatures and usage flags

Werner Koch
On Fri, 23 Jun 2017 10:02, [hidden email] said:

> Are you saying that gnupg 2.1.18 added the self-signature in the
> wrong place?

There is no right or wrong place.  gpg uses the latest valid
self-signature according to the timestamp in the self-signature.  Use
--with-colons to see the full timestamps (cf. doc/DETAILS).

Probably unrelated: --list-keys does not check the key signatures; you
need to use --check-sigs.


Salam-Shalom,

   Werner

--
Thoughts are free.  Exceptions are regulated by a federal law.
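A toy model of the two mechanisms discussed in this thread (Werner's "gpg uses the flags from the latest self-signature" and Guilhem's misplaced signatures), added here as an example; it is not code from the thread or from GnuPG. It parses a constructed OpenPGP packet stream laid out per RFC 4880 (the signatures carry no real MPIs and nothing is cryptographically verified), takes each component's usage from the key-flags subpacket of its newest self-signature by creation time, and attributes every signature to the component it physically follows, so a self-certification filed after a subkey is counted for the subkey rather than the primary key. How gpg itself detects and repairs such misplacement is not claimed here.

```python
import struct
CREATION, KEY_FLAGS = 2, 27                  # RFC 4880 signature subpacket types
USAGE = [(0x02, "S"), (0x01, "C"), (0x0C, "E"), (0x20, "A")]

def pkt(tag, body):                          # new-format header, one-octet length
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body
def selfsig(sig_type, created, flags):
    """v4 signature with only the hashed subpackets we read; no real MPI (constructed)."""
    hashed = (bytes([5, CREATION]) + struct.pack(">I", created)
              + bytes([2, KEY_FLAGS, flags]))
    return pkt(2, bytes([4, sig_type, 1, 10]) + struct.pack(">H", len(hashed))
               + hashed + b"\x00\x00" + b"\x00\x00")
def packets(data):
    """Yield (tag, body); toy parser: new-format headers, short lengths only."""
    i = 0
    while i < len(data):
        tag, length = data[i] & 0x3F, data[i + 1]
        assert (data[i] & 0xC0) == 0xC0 and length < 192
        yield tag, data[i + 2:i + 2 + length]
        i += 2 + length
def sig_info(body):
    """(creation_time, key_flags) read from a v4 signature's hashed subpacket area."""
    sub, j, created, flags = body[6:6 + struct.unpack(">H", body[4:6])[0]], 0, None, None
    while j < len(sub):
        n, stype, sdata = sub[j], sub[j + 1] & 0x7F, sub[j + 2:j + 1 + sub[j]]
        if stype == CREATION:
            created = struct.unpack(">I", sdata)[0]
        elif stype == KEY_FLAGS:
            flags = sdata[0]
        j += 1 + n
    return created, flags
def usage(data):
    """Usage letters per component, taken from the newest self-signature that
    physically follows that component in the packet stream."""
    newest, comp = {}, None
    for tag, body in packets(data):
        if tag in (6, 13):                   # user-ID self-certs carry the primary's flags
            comp = "primary"
        elif tag == 14:
            comp = "subkey"
        elif tag == 2:
            created, flags = sig_info(body)
            if flags is not None and created > newest.get(comp, (0, 0))[0]:
                newest[comp] = (created, flags)
    return {c: "".join(l for m, l in USAGE if f & m) for c, (_, f) in newest.items()}

# Constructed key: a 2009-07-06 self-cert says SC, a 2017-06-07 self-cert drops S and
# leaves C; the 2016-07-01 binding signature gives the subkey S.
PRIMARY, UID, SUBKEY = pkt(6, b"\x04primary"), pkt(13, b"Alice <alice@example.com>"), pkt(14, b"\x04sub")
OLD, NEW, BINDING = selfsig(0x13, 1246838400, 0x03), selfsig(0x13, 1496793600, 0x01), selfsig(0x18, 1467331200, 0x02)
WELL_ORDERED = PRIMARY + UID + NEW + OLD + SUBKEY + BINDING  # order within a component does not matter
MISPLACED = PRIMARY + UID + OLD + SUBKEY + BINDING + NEW     # 2017 self-cert filed under the subkey
```

With the well-ordered stream the primary resolves to [C] regardless of which self-certification comes first; with the misplaced stream the stale 2009 certification is the only one left under the primary, which is the [SC] versus [C] flip Martin saw before and after the --edit-key cleanup.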
