gpg --with-colons --show-keys does not show revocation certificates
Closed, ResolvedPublic


when i run gpg --with-colons --show-keys on a revocation certificate, there is no output, but i get these warnings on logger-fd:

gpg: key A57E4460FD08E224: no public key - can't apply revocation certificate
gpg: Total number processed: 1

I was hoping for output on stdout like the following:

rev:!::1:A57E4460FD08E224:1528750759::::this is a test:20x::473003A5FBBB54BC4C717B7CA57E4460FD08E224:::10:

where the revocation signature would show and be interpretable.

I've also tried:

gpg --dry-run --with-colons --import-options import-show --with-sig-list --import

and that also fails in the same way as --show-keys: two lines to logger-fd and nothing to stdout.

note: T4017 points out that --show-keys on a revocation certificate isn't actually --dry-run. this is a distinct problem from the issue reported here.

dkg created this task.Jun 11 2018, 11:34 PM
dkg created this object in space S1 Public.
dkg updated the task description. (Show Details)Jun 12 2018, 1:11 AM
werner triaged this task as High priority.Jun 12 2018, 8:22 AM
werner claimed this task.Jun 12 2018, 9:02 AM
werner edited projects, added gnupg; removed gnupg (gpg14).
werner added a subscriber: werner.

That will be a bit of work. We can't list a standalone key yet because the the key listing code expects a public or secret key as first packet. Further it would be advisable to insert a dummy "pub" key record before the "rev" record because the advise as always been to use "pub" or "sec" as start of a key keyblock.

dkg added a comment.EditedJun 12 2018, 9:12 AM

Revocation certificates consist of *only* the revocation packet, right? Claiming that the revocation cert contains more than the revocation packet (when it doesn't) seems more troubling from an API perspective than just telling people to expect a single rev: line if they are looking at a revocation certificate.

a fix for this is necessary for me to complete the transition for enigmail to avoid having to use OpenPGP.js, btw, so understanding the plan for how it is going to be fixed would be really helpful to me.

As long as we don't check the signature we don't need the pubkey. That would make it actually easier becuase we have only one case and not 3 or more (bad signature, no pubkey, etc).

Do you really see a problem with first printing a dummy "pub" line? That would make the output format consistent and avoid the question whether a "rev" record is stand-alon or part of the last key.

dkg added a comment.EditedJun 12 2018, 3:47 PM

By "dummy pub line" I think you're proposing output that looks something like this instead of just the rev: line.:

rev:!::1:A57E4460FD08E224:1528750759::::this is a test:20x::473003A5FBBB54BC4C717B7CA57E4460FD08E224:::10:

Is that right?

I have three main concerns with printing a dummy pub: line:

  • it might imply to the user that if they import this revocation certificate into a keyring they'll also get a copy of the public key packet. A revocation certificate that contains both the pubkey packet and the revocation self-sig might be a nice thing to have in some contexts (e.g. when you have no copy of the pubkey in the first place), and with a dummy pub: line there's no clear way to distinguish between that case and the current case of the simple revsig-only certificate.
  • The only thing we can reliably populate is the algorithm and the key ID, right? how would we populate the other fields of the pub: line safely? If we don't have a copy of the pubkey packet itself, then we're left to guess at the status of the key, creation date, expiration date, usage flags, key size (for RSA/DSA), etc. The --with-colons format has no way to indicate "unknown".
  • if the user has set --with-fingerprint or --with-keygrip, and we don't have the primary key, we have no principled way of generating the fpr: or grp: lines. so this leads to a situation where you have a pub: line but no fpr: or grp: lines even though they've been explicitly requested. So there's still a special corner case scenario introduced.

If we're introducing a new corner case scenario it seems simpler to just say "revocation certificates may appear as a single rev: line without a preceding pub:." because it avoids these other questions.

If you don't think those are serious concerns, or if there's some way to clearly indicate that it's a dummy pub: line and that the other shift in expectations are not likely to cause problems, then i'm open to being convinced otherwise.

dkg added a comment.Jun 13 2018, 12:16 AM

can i get a confirmation that the options you're considering for --with-colons --show-keys when confronted with a revocation certificate will be either:

  • the rev: line on its own, or
  • a dummy pub: line followed by the rev: line?

or is there a third option?

What about another record type for standalone revocations, something line "rev0" or "revx"? This would solve the problem on how to distinguish merged revocation signatures (ie with a preceding "pub") from standalone revocations.

dkg added a comment.Jun 13 2018, 2:49 PM

thus far every packet type has been a three-letter string, right? I'm looking at "Field 1" in doc/DETAILS. adding a 4-letter packet type seems like it could be trouble if someone has done the dumb thing of assuming the field is fixed-length.

how about rvc: for "standalone revocation certificate" ? would the fields be the same as they are for rev: ?

dkg added a comment.Jun 14 2018, 2:26 PM

can you let me know what you're planning so i can plan my work on enigmail?

Although "certificate" is used for OpenPGP revocations, it is technically a signature.

Thus I would go for "rvs" because this fits to the "rvk" (revocation key). Fields are the same as with "rev". If something is missing the field will be empty.

dkg added a comment.Jun 14 2018, 4:11 PM

thanks, that works for me. I look forward to seeing the patches :)

I implemented it in master and if you agree I will backport it to stable. This is the new output:

$ sed 's/^://' openpgp-revocs.d/61B60AF9FEEB07441FF450923CA56FA24AC0403F.rev | ../g10/gpg --show-keys --with-colons

If the key is not in the local keyring you will see a '?' or nothing in the second field.

werner closed this task as Resolved.Jul 4 2018, 9:13 AM

Will be released with 2.2.9