Page MenuHome GnuPG

--export-options export-minimal,export-clean includes multiple subkey binding signatures when only one is necessary
Closed, ResolvedPublic

Description

Consider trying to export a public key with a subkey, where that subkey's expiration date or other configuration settings have been updated:

$ gpg --export-options export-minimal,export-clean --export AB9942E6D4A4CFC3412620A749FC7012A5DE03AE | gpg --list-packets | grep ^:
:public key packet:
:user ID packet: "REDACTED <REDACTED>"
:signature packet: algo 1, keyid 49FC7012A5DE03AE
:public sub key packet:
:signature packet: algo 1, keyid 49FC7012A5DE03AE
:signature packet: algo 1, keyid 49FC7012A5DE03AE
:signature packet: algo 1, keyid 49FC7012A5DE03AE
$

both export-clean and export-minimal should drop two of the three subkey binding signatures, and only export the most relevant one.

The most relevant binding signature for a given subkey should be (first match wins):

  • the most recent cryptographically-valid revocation signature, or
  • if signing-capable, the most recent cryptographically-valid signature with a cryptographically-valid cross-sig, or
  • if not signing-capable, the most recent cryptographically-valid signature

Of course, if there is no match at all, the subkey should not be emitted at all anyway in these modes.

Details

Version
2.2.5

Event Timeline

dkg created this object in space S1 Public.

This is similar to T3622, but it's not the same thing.

werner triaged this task as Normal priority.Apr 6 2018, 4:39 PM
werner raised the priority of this task from Normal to High.May 28 2018, 7:11 PM
werner claimed this task.
werner added a subscriber: werner.

Fixed for 2.2.9.

It is not that easy to create such a case because import meanwhile removes such dups. I created a test case by commenting out

else
  n->flag |= NODE_DELETION_MARK; /* older */

in import.c:check_self_sigs. The deletion works the same way as done in import by looking at a flag set during merge_keys.