--quick-sign-key offers no way to override a current certification
Open, Normal, Public

Description

If Alice has already certified Bob's key, but she later decides that she wants to adjust the certification (e.g. with a notation, by adding an expiration, or by moving from an exportable to a non-exportable certification), she cannot do that with gpg --quick-sign-key, because it reports something like:

"Bob <bob@example.com>" was already signed by key 1234567890123456

I note that if the existing certification is a non-exportable certification, and the new certification *is* exportable, then gpg --quick-sign-key will actually make the new certification, and drop the old one. That's good! But it doesn't help if the user wants to go the other direction (exportable to non-exportable), or if they want to add a notation with --cert-notation.

I also see no way to set a certification expiration using --quick-sign-key at all, but perhaps that's a different issue.

Details

Version
2.2.16
dkg created this task. Tue, Jun 25, 5:52 PM
werner triaged this task as Normal priority.

For the record, in my original message I asked about adding self-signatures.

From what I can see, it seems --quick-sign-key could be used for that purpose, but it looks like the operation fails because of the issue described by @dkg:

$ gpg --set-notation x@y.com=a --quick-sign-key FB66ACD7A3AB75E513C0A07EC9F3E75D8AEC54C3
"Testington <test@test>" was already signed by key C9F3E75D8AEC54C3
Nothing to sign with key C9F3E75D8AEC54C3
gpg: Key not changed so no update needed.