
show-only-fpr-mbox shows user-ids that are not valid
Closed, Resolved · Public

Description

gpg(1) says:

show-only-fpr-mbox
       For  each  valid  user-id which also has a valid mail ad‐
       dress print only the fingerprint and the mail address.

however, it also shows invalid user IDs:

0 dkg@alice:~$ gpg --list-keys 7B96D396E6471601754BE4DB53B620D01CE0C630
pub   rsa1024 2006-01-01 [SC] [expired: 2011-06-30]
      7B96D396E6471601754BE4DB53B620D01CE0C630
uid           [ expired] Werner Koch (dist sig) <dd9jn@gnu.org>

0 dkg@alice:~$ gpg --list-options show-only-fpr-mbox --list-keys 7B96D396E6471601754BE4DB53B620D01CE0C630
7B96D396E6471601754BE4DB53B620D01CE0C630 dd9jn@gnu.org
0 dkg@alice:~$

I would expect from the documentation that the lines emitted would only be e-mail address/fingerprint pairings of fully-valid user IDs (I could imagine it doing something with user IDs with marginal validity as well, but unknown or known-invalid user IDs seem well beyond what the documentation offers).

Either the code needs to change, or the documentation needs to change to make it clearer what the intent of this feature is.

Details

Version
2.2.15

Event Timeline

"valid user-id" means a user id which is properly bound to the key; that is the self-signature checks out.

gpg(1) says:

Validity values are also displayed for all user IDs.

[…]

show-uid-validity
       Display  the  calculated  validity of user IDs during key
       listings.  Defaults to yes.

[…]

Trust values are used to indicate ownertrust and validity of  keys  and
user IDs.  They are displayed with letters or strings:

[…]

revoked
       For validity only: the key or the user ID has been revoked.

These all seem to use the term "validity" for a user ID to mean one specific thing, and that is something other than what you're describing here.

Very few people understand the trust and validity model offered by GnuPG in part because these terms are often used ambiguously.

I've just tried to push f4dfeb9c80e184fe6215721c5c8f06dfee22ecf5 to the dkg/fix-T4507 branch with a proposed fix to the documentation that I think addresses this. Feel free to merge it.

Yes, that term is overloaded. The reason in this case is that we once replaced "trusted key" by "valid key". That term "valid" now conflicts with another older use of valid. Using "self-signed" here seems to be more confusing than just removing the (first) "valid".

werner claimed this task.
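
Added example, not part of the original task or of GnuPG's code: since show-only-fpr-mbox checks only that a user ID is bound to the key, a caller who wants fingerprint/mailbox pairs restricted to user IDs with full or ultimate calculated validity can filter `gpg --with-colons --list-keys` output on the validity field. The function name, the sample records and the second key's fingerprint are constructed for illustration.

```python
import re

# Field 2 of a --with-colons "uid" record is the calculated validity.
# f = full, u = ultimate; e (expired), r (revoked), n, m, q, - are rejected.
TRUSTED = {"f", "u"}
MBOX = re.compile(r"<([^<>\s@]+@[^<>\s@]+)>")

# Constructed sample shaped like `gpg --with-colons --list-keys` output.
# The first key is the expired one from the report; the second is made up.
SAMPLE = """\
pub:e:1024:1:53B620D01CE0C630:1136073600:1309392000::-:::sc:
fpr:::::::::7B96D396E6471601754BE4DB53B620D01CE0C630:
uid:e::::1136073600::::Werner Koch (dist sig) <dd9jn@gnu.org>:
pub:f:3072:1:AAAAAAAAAAAAAAAA:1546300800:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:f::::1546300800::::Alice Example <Alice@Example.org>:
uid:r::::1546300800::::Alice Old <old@example.org>:
sub:f:3072:1:BBBBBBBBBBBBBBBB:1546300800::::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
"""


def unescape(field):
    # User IDs are C-style escaped in colon listings (e.g. \x3a for ':').
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)


def fpr_mbox_pairs(colons, accept=TRUSTED):
    """Return (primary fingerprint, mailbox) for user IDs whose
    calculated validity is in `accept`."""
    pairs, primary, want_fpr = [], None, False
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary, want_fpr = None, True      # next fpr is the primary key's
        elif f[0] == "sub":
            want_fpr = False                    # ignore subkey fingerprints
        elif f[0] == "fpr" and want_fpr and len(f) > 9:
            primary, want_fpr = f[9], False
        elif f[0] == "uid" and primary and len(f) > 9 and f[1] in accept:
            m = MBOX.search(unescape(f[9]))
            if m:
                pairs.append((primary, m.group(1).lower()))
    return pairs


if __name__ == "__main__":
    for fpr, mbox in fpr_mbox_pairs(SAMPLE):
        print(fpr, mbox)
```
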