Missing trustdb check on import of certificate
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• ebo
	Mar 2 2023, 3:39 PM

Description

When reimporting a previously locally signed and then deleted key, the trustdb is obviously not updated:
I would expect "unknown" validity on the reimported key as it is not signed, but it remains being displayed as "full".

Question is how often this occurs outside of testing but when you test if VS-NfD conformity is reliably shown, this could shake your trust in the displayed conformity (green color in Kleopatra).
And when trustdb is finally updated triggered by some other action, the displayed conformity changes rather unexpected.

How to reproduce:

Import not certified/signed testkey:

C:\Users\vaughan>gpg --quick-sign-key 3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F

pub  rsa3072/F615AD82F702FA1F
     erzeugt: 2022-11-17  verfällt: 2024-11-17  Nutzung: SC
     Vertrauen: unbekannt     Gültigkeit: unbekannt
 Haupt-Fingerabdruck  = 3A12 118A D7F4 CBB6 FF38  C6B8 F615 AD82 F702 FA1F

     Adam Apple <Adam.Apple@example-1.org>

Dieser Schlüssel wird 2024-11-17 verfallen.

C:\Users\vaughan>gpg -k 3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F
pub   rsa3072 2022-11-17 [SC] [verfällt: 2024-11-17]
      3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F
uid        [vollständig] Adam Apple <Adam.Apple@example-1.org>
sub   rsa3072 2022-11-17 [E] [verfällt: 2024-11-17]

Delete the signed testkey and import the unsigned testkey again:

C:\Users\vaughan>gpg --delete-key 3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F

pub  rsa3072/F615AD82F702FA1F 2022-11-17 Adam Apple <Adam.Apple@example-1.org>

Diesen Schlüssel aus dem Schlüsselbund löschen? (j/N) y

C:\Users\vaughan>gpg --import "z:\Adam Apple_0xF702FA1F_public.asc"
gpg: Schlüssel F615AD82F702FA1F: Öffentlicher Schlüssel "Adam Apple <Adam.Apple@example-1.org>" importiert
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:                              importiert: 1

C:\Users\vaughan>gpg -k 3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F
pub   rsa3072 2022-11-17 [SC] [verfällt: 2024-11-17]
      3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F
uid        [vollständig] Adam Apple <Adam.Apple@example-1.org>
sub   rsa3072 2022-11-17 [E] [verfällt: 2024-11-17]

I have to trigger a trustdb check manually to get rid of the full validity:

C:\Users\vaughan>gpg --check-trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: Tiefe: 0  gültig:   2  signiert:   2  Vertrauen: 0-, 0q, 0n, 0m, 0f, 2u
gpg: Tiefe: 1  gültig:   2  signiert:   0  Vertrauen: 2-, 0q, 0n, 0m, 0f, 0u
gpg: nächste "Trust-DB"-Pflichtüberprüfung am 2024-06-21

C:\Users\vaughan>gpg -k 3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F
pub   rsa3072 2022-11-17 [SC] [verfällt: 2024-11-17]
      3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F
uid        [ unbekannt ] Adam Apple <Adam.Apple@example-1.org>
sub   rsa3072 2022-11-17 [E] [verfällt: 2024-11-17]

Details

Version: 3.1.26

Revisions and Commits

rG GnuPG
	rGa02f3cc4e870 gpg: Fix validity of re-imported keys.
	rG80e442348dd8 gpg: Fix validity of re-imported keys.

Related Objects

Mentioned In: T7200: Trustdb not updated on import of extended certificate
T7189: Release GnuPG 2.5.0
T6578: Release GnuPG 2.4.4

Event Timeline

• ebo created this task.Mar 2 2023, 3:39 PM

• ikloecker added a project: gnupg.Mar 2 2023, 6:38 PM

• werner triaged this task as Normal priority.Mar 3 2023, 10:17 AM

• werner edited projects, added gnupg22, OpenPGP; removed gnupg.

• werner claimed this task.Aug 25 2023, 4:05 PM

• werner moved this task from Backlog to WiP on the gnupg22 board.

I am not sure about the initial state of the key. What you are doing is to sign the key with itself (self-signature). Why?
In any case, I can't replicate this. Let's talk about this next week.

• werner added a commit: rG80e442348dd8: gpg: Fix validity of re-imported keys..Sep 6 2023, 12:10 PM

• werner added a commit: rGa02f3cc4e870: gpg: Fix validity of re-imported keys..Sep 6 2023, 12:13 PM