
--quick-sign-key offers no way to override a current certification
Closed, Resolved (Public)

Description

If Alice has already certified Bob's key, but she later decides that she wants to adjust the certification (e.g. with a notation, by adding an expiration, or by moving from an exportable to a non-exportable certification), she cannot do that with gpg --quick-sign-key, because it reports something like:

"Bob <bob@example.com>" was already signed by key 1234567890123456

I note that if the existing certification is a non-exportable certification, and the new certification *is* exportable, then gpg --quick-sign-key will actually make the new certification, and drop the old one. That's good, but it doesn't help if the user wants to go the other direction (exportable to non-exportable), or if they want to add a notation with --cert-notation.

I also see no way to set a certification expiration using --quick-sign-key at all, but perhaps that's a different issue.

Details

Version
2.2.16

Event Timeline

werner triaged this task as Normal priority. Jun 26 2019, 7:53 AM
werner edited projects, added Feature Request, gnupg; removed Bug Report, gnupg (gpg22).

For the record, in my original message I asked about adding self-signatures.

From what I can see, it seems --quick-sign-key could be used for that purpose, but it looks like the operation fails because of the issue described by @dkg:

$ gpg --set-notation x@y.com=a --quick-sign-key FB66ACD7A3AB75E513C0A07EC9F3E75D8AEC54C3
"Testington <test@test>" was already signed by key C9F3E75D8AEC54C3
Nothing to sign with key C9F3E75D8AEC54C3
gpg: Key not changed so no update needed.

There is another problem: Even if the first certification was revoked, trying to add a new certification with --quick-sign-key fails because '"user id" was already signed by key ...'

werner added a subscriber: werner.

Indeed, we need to fix/enhance this to make testing of --quick-revoke-sig easier. See over at T5093.

werner raised the priority of this task from Normal to High. Jan 12 2021, 8:04 AM
werner claimed this task.

New option --force-sign-key for 2.2.28 and 2.3. Also added support to gpgme.
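
As an added example (not code from this thread or from GnuPG), the following wrapper re-certifies a key with a notation using the --force-sign-key option named above, after checking that the installed gpg is new enough to have it. The function names and the GPG variable are hypothetical; the version threshold is the one stated in the closing comment.

```shell
#!/bin/sh
# Added example: helper names and the GPG variable are hypothetical.
GPG=${GPG:-gpg}

# Print the version from the first line of "gpg --version",
# e.g. "gpg (GnuPG) 2.2.16" -> "2.2.16".
gpg_version() {
    "$GPG" --version | awk 'NR == 1 { print $NF }'
}

# Succeed if version $1 has --force-sign-key. Per the thread that is
# 2.2.28 or later on the 2.2 branch, and everything from 2.3 on.
supports_force_sign_key() {
    ver=${1%%[!0-9.]*}              # drop suffixes such as "-beta1"
    case $ver in [0-9]*) ;; *) return 1 ;; esac
    IFS=. read -r major minor patch <<EOF
$ver
EOF
    minor=${minor:-0}
    patch=${patch%%.*}
    patch=${patch:-0}
    if [ "$major" -ne 2 ]; then
        [ "$major" -gt 2 ]
    elif [ "$minor" -ne 2 ]; then
        [ "$minor" -gt 2 ]
    else
        [ "$patch" -ge 28 ]
    fi
}

# recertify FPR NOTATION [USER-ID...]
# Replace an existing certification on FPR with a new one carrying
# NOTATION (name@domain=value), instead of stopping at "already signed".
recertify() {
    fpr=$1 notation=$2
    shift 2
    have=$(gpg_version)
    if ! supports_force_sign_key "$have"; then
        echo "gpg $have has no --force-sign-key (need 2.2.28 or 2.3)" >&2
        return 1
    fi
    "$GPG" --force-sign-key --cert-notation "$notation" \
        --quick-sign-key "$fpr" "$@"
}
```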