--export-options export-minimal,export-clean includes multiple subkey binding signatures when only one is necessary
Closed, ResolvedPublic

Description

Consider trying to export a public key with a subkey, where that subkey's expiration date or other configuration settings have been updated:

$ gpg --export-options export-minimal,export-clean --export AB9942E6D4A4CFC3412620A749FC7012A5DE03AE | gpg --list-packets | grep ^:
:public key packet:
:user ID packet: "REDACTED <REDACTED>"
:signature packet: algo 1, keyid 49FC7012A5DE03AE
:public sub key packet:
:signature packet: algo 1, keyid 49FC7012A5DE03AE
:signature packet: algo 1, keyid 49FC7012A5DE03AE
:signature packet: algo 1, keyid 49FC7012A5DE03AE
$

both export-clean and export-minimal should drop two of the three subkey binding signatures, and only export the most relevant one.

The most relevant binding signature for a given subkey should be (first match wins):

  • the most recent cryptographically-valid revocation signature, or
  • if signing-capable, the most recent cryptographically-valid signature with a cryptographically-valid cross-sig, or
  • if not signing-capable, the most recent cryptographically-valid signature

Of course, if there is no match at all, the subkey should not be emitted at all anyway in these modes.

dkg created this task.Feb 23 2018, 12:28 AM
dkg created this object in space S1 Public.

This is similar to T3622, but it's not the same thing.

werner triaged this task as Normal priority.Apr 6 2018, 4:39 PM
werner raised the priority of this task from Normal to High.May 28 2018, 7:11 PM
werner closed this task as Resolved.Jul 9 2018, 12:17 PM
werner claimed this task.
werner added a subscriber: werner.

Fixed for 2.2.9.

It is not that easy to create such a case because import meanwhile removes such dups. I created a test case by commenting out

else
  n->flag |= NODE_DELETION_MARK; /* older */

in import.c:check_self_sigs. The deletion works the same way as done in import by looking at a flag set during merge_keys.