"Clean" does not remove superseded subkey signatures
Open, NormalPublic

Description

NOTE: the following example data has been stripped for privacy reasons

Given

A public key with multiple signatures on both the uid and subkey(s).

$ gpg --list-sigs --with-colon some-key-id                                                                      
   tru:YYY:5                                                                                                       
   pub:-:4096:YYY:0:                                                                                               
   fpr:::::::::XXX:                                                                                                
   uid:YYY:0:                                                                                                      
   sig:YYY:2:                                                                                                      
   sig:YYY:10:                                                                                                     
   sub:-:4096:YYY:23:                                                                                              
   fpr:::::::::XXX:                                                                                                
   sig:YYY:2:                                                                                                      
   sig:YYY:10: 

Action

$ gpg --edit-key some-key-id clean save quit

Expectation

According to @dkg all superseded key signatures, on both the user id and subkeys should be removed.

Or as man gpg says

clean ... Compact (by removing all signatures except the selfsig) any user ID that is no longer usable (e.g. revoked, or expired). Then, remove any signatures that are not usable by the trust calculations. Specifically, this removes any signature that does not validate, any signature that is superseded by a later signature, revoked signatures, and signatures issued by keys that are not present on the keyring.

Result

The superseded duplicate signature on the subkey is not removed:

$ gpg --list-sigs --with-colon some-key-id                                                                      
   tru:YYY:5                                                                                                       
   pub:-:4096:YYY:0:                                                                                               
   fpr:::::::::XXX:                                                                                                
   uid:YYY:0:                                                                                                                                                                                                         
   sig:YYY:10:                                                                                                     
   sub:-:4096:YYY:23:                                                                                              
   fpr:::::::::XXX:                                                                                                
   sig:YYY:2: # <--- should have been removed !!                                                                                                     
   sig:YYY:10: 

Details

Version
2.2.4 2.2.8
provka created this task.Jun 14 2018, 4:08 PM
provka created this object in space S1 Public.
dkg added a comment.Jun 14 2018, 4:56 PM

i'm having trouble just assembling the two signatures over the subkey with 2.2.8 in a single homedir. in particular, when i try to do the following with a new, clean test GNUPGHOME, then i see only one signature on the subkeys afterward:

mkdir -m 0700 test
gpg --homedir=test --no-tty --yes --batch --passphrase '' --pinentry-mode=loopback --status-file=creation --quick-gen-key 'test user' default default 2y
FPR="$(awk '($2=="KEY_CREATED") { print $4 }' < creation)" 
sleep 1 # so that the timestamps will differ
gpg --homedir=test --export > before.gpg
gpg --homedir=test --no-tty --yes --batch --passphrase '' --pinentry-mode=loopback --quick-set-expire "$FPR" 1y '*'
gpg --homedir=test --export > after.gpg
gpg --homedir=test --with-colons --list-sigs "$FPR"

And it seems this "autocleaning" happens whether i use either pubring.,kbx or pubring.gpg.

However, it's a different story when i import the certs into a different homedir:

mkdir -m 0700 staging
gpg --homedir=staging --import < before.gpg
gpg --homedir=staging --import < after.gpg
gpg --homedir=staging --with-colons --list-sigs

so now the staging homedir has both, but the test homedir only has the most recent one.

this asymmetry is very odd, and makes me worry that there's something complicated behaving poorly internally.

werner triaged this task as Normal priority.
provka changed Version from 2.2.4 to 2.2.4 2.2.8.Jun 16 2018, 2:54 PM

I re-tested this with version 2.2.8 and the same result.