
Missing trustdb check on import of certificate
Closed, Resolved (Public)

Description

When reimporting a previously locally signed and then deleted key, the trustdb is obviously not updated:
I would expect "unknown" validity on the reimported key as it is not signed, but it remains being displayed as "full".

The question is how often this occurs outside of testing, but when you test whether VS-NfD conformity is reliably shown, this could shake your trust in the displayed conformity (green colour in Kleopatra).
And when the trustdb is finally updated, triggered by some other action, the displayed conformity changes rather unexpectedly.

How to reproduce:

Import the uncertified/unsigned test key:

C:\Users\vaughan>gpg --quick-sign-key 3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F

pub  rsa3072/F615AD82F702FA1F
     erzeugt: 2022-11-17  verfällt: 2024-11-17  Nutzung: SC
     Vertrauen: unbekannt     Gültigkeit: unbekannt
 Haupt-Fingerabdruck  = 3A12 118A D7F4 CBB6 FF38  C6B8 F615 AD82 F702 FA1F

     Adam Apple <Adam.Apple@example-1.org>

Dieser Schlüssel wird 2024-11-17 verfallen.

C:\Users\vaughan>gpg -k 3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F
pub   rsa3072 2022-11-17 [SC] [verfällt: 2024-11-17]
      3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F
uid        [vollständig] Adam Apple <Adam.Apple@example-1.org>
sub   rsa3072 2022-11-17 [E] [verfällt: 2024-11-17]

Delete the signed test key and import the unsigned test key again:

C:\Users\vaughan>gpg --delete-key 3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F

pub  rsa3072/F615AD82F702FA1F 2022-11-17 Adam Apple <Adam.Apple@example-1.org>

Diesen Schlüssel aus dem Schlüsselbund löschen? (j/N) y

C:\Users\vaughan>gpg --import "z:\Adam Apple_0xF702FA1F_public.asc"
gpg: Schlüssel F615AD82F702FA1F: Öffentlicher Schlüssel "Adam Apple <Adam.Apple@example-1.org>" importiert
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:                              importiert: 1

C:\Users\vaughan>gpg -k 3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F
pub   rsa3072 2022-11-17 [SC] [verfällt: 2024-11-17]
      3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F
uid        [vollständig] Adam Apple <Adam.Apple@example-1.org>
sub   rsa3072 2022-11-17 [E] [verfällt: 2024-11-17]

I have to trigger a trustdb check manually to get rid of the full validity:

C:\Users\vaughan>gpg --check-trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: Tiefe: 0  gültig:   2  signiert:   2  Vertrauen: 0-, 0q, 0n, 0m, 0f, 2u
gpg: Tiefe: 1  gültig:   2  signiert:   0  Vertrauen: 2-, 0q, 0n, 0m, 0f, 0u
gpg: nächste "Trust-DB"-Pflichtüberprüfung am 2024-06-21

C:\Users\vaughan>gpg -k 3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F
pub   rsa3072 2022-11-17 [SC] [verfällt: 2024-11-17]
      3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F
uid        [ unbekannt ] Adam Apple <Adam.Apple@example-1.org>
sub   rsa3072 2022-11-17 [E] [verfällt: 2024-11-17]
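
The before/after comparison from the reproduction above, as an added example (not part of the report or of GnuPG): it reads the machine-readable `--with-colons` listing instead of the localized human output, so the stale "full" validity can be detected in a script. The two listings are constructed from the key shown in the report (timestamps and hashes are placeholders); the `gpg` helpers assume gpg is installed and are not needed for the offline check.

```python
import subprocess

# Validity letters in field 2 of pub/uid records of `--with-colons` output.
VALIDITY = {"-": "unknown", "q": "undefined", "n": "never", "m": "marginal",
            "f": "full", "u": "ultimate", "e": "expired", "r": "revoked"}


def uid_validity(listing):
    """Map each user ID in a `gpg --with-colons -k` listing to its validity."""
    result = {}
    for line in listing.splitlines():
        fields = line.split(":")
        # uid record: field 2 = validity letter, field 10 = user ID string
        if fields[0] == "uid" and len(fields) > 9:
            result[fields[9]] = VALIDITY.get(fields[1], fields[1])
    return result


def changed_validities(before, after):
    """User IDs whose validity differs between two listings of the same key."""
    b, a = uid_validity(before), uid_validity(after)
    return {uid: (b[uid], a.get(uid, "missing")) for uid in b if b[uid] != a.get(uid)}


def key_listing(fingerprint, gpg="gpg"):
    """Machine-readable listing of one key (requires gpg; unused by the offline demo)."""
    cmd = [gpg, "--batch", "--with-colons", "-k", fingerprint]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def validity_after_trustdb_check(fingerprint, gpg="gpg"):
    """List the key, force the trustdb check the reporter ran by hand, list again."""
    before = key_listing(fingerprint, gpg)
    subprocess.run([gpg, "--batch", "--check-trustdb"], check=True)
    return changed_validities(before, key_listing(fingerprint, gpg))


# Constructed listings (placeholder timestamps/hashes) mirroring the report:
# the re-imported key is shown as full ("f") until the trustdb is checked.
BEFORE = """\
pub:f:3072:1:F615AD82F702FA1F:1668643200:1731801600::-:::scESC:::::23::0:
fpr:::::::::3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F:
uid:f::::1668643200::0000000000000000000000000000000000000000::Adam Apple <Adam.Apple@example-1.org>::::::::::0:
sub:f:3072:1:0000000000000000:1668643200:1731801600:::::e:::::23:
"""
AFTER = BEFORE.replace("pub:f:", "pub:-:").replace("uid:f:", "uid:-:").replace("sub:f:", "sub:-:")

if __name__ == "__main__":
    for uid, (old, new) in changed_validities(BEFORE, AFTER).items():
        print(f"{uid}: {old} -> {new}")
```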

Details

Version
3.1.26

Event Timeline

werner triaged this task as Normal priority. Mar 3 2023, 10:17 AM
werner edited projects, added gnupg22, OpenPGP; removed gnupg.
werner moved this task from Backlog to WiP on the gnupg22 board.

I am not sure about the initial state of the key. What you are doing is to sign the key with itself (self-signature). Why?
In any case, I can't replicate this. Let's talk about this next week.

werner changed the task status from Open to Testing. Sep 6 2023, 12:15 PM
werner moved this task from WiP to QA on the gnupg22 board.

Bug goes back to 2002, when we stopped checking trust for keys without any signature. This was really useful but has this strange behaviour.

werner moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Sep 6 2023, 12:15 PM
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

works

ebo edited projects, added gnupg22 (gnupg-2.2.42); removed gnupg22.