`gpg --show-keys` can modify the keyring (it is not actually the same as `--dry-run --import-options import-show --import`)
Closed, Resolved (Public)


in particular, when reviewing a file with a revocation certificate, `--show-keys` actually imports it:

```
mkdir -m 0700 a b
gpg --homedir $(pwd)/a --yes --batch --passphrase abc123 --pinentry-mode loopback --quick-gen-key 'this is a test'
gpg --homedir a --export | gpg --homedir b --import
gpg --homedir b --list-keys
sed 's/^:-----/-----/' < a/openpgp-revocs.d/*.rev | gpg --homedir b --with-colons --show-keys
gpg --homedir b --list-keys
```

the above command shows the key as revoked in the second run.

however, if i use the following instead of the `--show-keys` invocation:

```
sed 's/^:-----/-----/' < a/openpgp-revocs.d/*.rev | gpg --homedir b --with-colons --dry-run --import-options import-show --import
```

then the keyring is unchanged.

dkg created this task. Jun 11 2018, 11:10 PM

dkg added a comment. Jun 12 2018, 1:00 AM

I note that `--import-options show-only --import` has the same effect as `--show-keys` -- that is, the revocation cert is imported. So the error is in the import-options code itself. I'll push a fix-T4017 branch shortly with a proposed correction.

werner claimed this task. Jun 12 2018, 8:24 AM
werner triaged this task as High priority.

Thanks for reporting and your patch. However, I used a different way to solve this bug.

dkg added a comment. Jun 12 2018, 9:05 AM

thanks for looking into this so quickly. where is your patch? i don't see it on the master branch yet.

werner closed this task as Resolved.
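
A regression check for the behaviour reported in this task, as an added example that is not part of the original thread or of GnuPG's code: it hashes the public keyring files in a homedir before and after a command that is meant to be read-only and reports whether they changed. The function names are made up for this example, and limiting the check to `pubring.kbx` and `pubring.gpg` is an assumption about where the keyring is stored.

```sh
#!/bin/sh
# Added example (not from the thread): detect whether a command that should be
# read-only modified the public keyring in a GnuPG homedir.
# Assumption: the keyring is pubring.kbx and/or the legacy pubring.gpg.

# Hash stdin with sha256sum when available, otherwise fall back to POSIX cksum.
_hash() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else cksum; fi
}

# keyring_digest HOMEDIR
# Print one digest covering the name and content of each keyring file.
# A missing file is recorded as "absent" so that creating it counts as a change.
keyring_digest() {
    for f in pubring.kbx pubring.gpg; do
        if [ -f "$1/$f" ]; then
            printf '%s ' "$f"
            _hash < "$1/$f"
        else
            printf '%s absent\n' "$f"
        fi
    done | _hash
}

# keyring_unchanged HOMEDIR CMD [ARGS...]
# Run CMD (stdin is passed through to it, output discarded) and return 0 if the
# keyring files are byte-identical afterwards, 1 if they were modified.
# CMD's own exit status is ignored: only the effect on the keyring is checked.
keyring_unchanged() {
    dir=$1
    shift
    before=$(keyring_digest "$dir")
    "$@" >/dev/null 2>&1 || true
    after=$(keyring_digest "$dir")
    [ "$before" = "$after" ]
}

# With the homedirs a and b from the task description, after the import into b:
#   sed 's/^:-----/-----/' < a/openpgp-revocs.d/*.rev |
#       keyring_unchanged b gpg --homedir b --with-colons --show-keys ||
#       echo "keyring in b was modified"
```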