Page MenuHome GnuPG

--quick-sign-key offers no way to override a current certification
Closed, ResolvedPublic


If Alice has already certified Bob's key, but she later decides that she wants to adjust the certification (e.g. with a notation, by adding an expiration, or by moving from an exportable to a non-exportable certification), she cannot do that with gpg --quick-sign-key, because it reports something like:

"Bob <>" was already signed by key 1234567890123456

I note that if the existing certification is a non-exportable certification, and the new certification *is* exportable, then gpg --quick-sign-key will actually make the new certification, and drop the old one. That's good! but it doesn't help if the user wants to go the other direction (exportable to non-exportable), or if they want to add a notation with --cert-notation

I also see no way to set an certification expiration using --quick-sign-key at all, but perhaps that's a different issue.



Event Timeline

werner triaged this task as Normal priority.Jun 26 2019, 7:53 AM
werner edited projects, added Feature Request, gnupg; removed Bug Report, gnupg (gpg22).

For the record in my original message I asked about adding self-signatures.

From what I can see it seems --quick-sign-key could be used for that purpose but it looks like the operation fails because of the issue described by @dkg :

$ gpg --set-notation --quick-sign-key FB66ACD7A3AB75E513C0A07EC9F3E75D8AEC54C3
"Testington <test@test>" was already signed by key C9F3E75D8AEC54C3
Nothing to sign with key C9F3E75D8AEC54C3
gpg: Key not changed so no update needed.

There is another problem: Even if the first certification was revoked, trying to add a new certification with --quick-sign-key fails because '"user id" was already signed by key ...'

werner added a subscriber: werner.

Indeed we need to fix/enhance this to make testing of --quick-revoke-sig easier. See over at T5093

werner raised the priority of this task from Normal to High.Jan 12 2021, 8:04 AM
werner added a project: Restricted Project.
werner moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Jan 12 2021, 11:05 AM
werner claimed this task.

New option --force-sign-key for 2.2.28 and 2.3. Also added support to gpgme.