Page MenuHome GnuPG
Create Task
Maniphest T6399

Missing trustdb check on import of certificate
Closed, ResolvedPublic
Actions

Description

When reimporting a previously locally signed and then deleted key, the trustdb is obviously not updated:
I would expect "unknown" validity on the reimported key as it is not signed, but it remains being displayed as "full".

Question is how often this occurs outside of testing but when you test if VS-NfD conformity is reliably shown, this could shake your trust in the displayed conformity (green color in Kleopatra).
And when trustdb is finally updated triggered by some other action, the displayed conformity changes rather unexpected.

How to reproduce:

Import not certified/signed testkey:

C:\Users\vaughan>gpg --quick-sign-key 3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F

pub  rsa3072/F615AD82F702FA1F
     erzeugt: 2022-11-17  verfällt: 2024-11-17  Nutzung: SC
     Vertrauen: unbekannt     Gültigkeit: unbekannt
 Haupt-Fingerabdruck  = 3A12 118A D7F4 CBB6 FF38  C6B8 F615 AD82 F702 FA1F

     Adam Apple <Adam.Apple@example-1.org>

Dieser Schlüssel wird 2024-11-17 verfallen.

C:\Users\vaughan>gpg -k 3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F
pub   rsa3072 2022-11-17 [SC] [verfällt: 2024-11-17]
      3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F
uid        [vollständig] Adam Apple <Adam.Apple@example-1.org>
sub   rsa3072 2022-11-17 [E] [verfällt: 2024-11-17]

Delete the signed testkey and import the unsigned testkey again:

C:\Users\vaughan>gpg --delete-key 3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F

pub  rsa3072/F615AD82F702FA1F 2022-11-17 Adam Apple <Adam.Apple@example-1.org>

Diesen Schlüssel aus dem Schlüsselbund löschen? (j/N) y

C:\Users\vaughan>gpg --import "z:\Adam Apple_0xF702FA1F_public.asc"
gpg: Schlüssel F615AD82F702FA1F: Öffentlicher Schlüssel "Adam Apple <Adam.Apple@example-1.org>" importiert
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:                              importiert: 1

C:\Users\vaughan>gpg -k 3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F
pub   rsa3072 2022-11-17 [SC] [verfällt: 2024-11-17]
      3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F
uid        [vollständig] Adam Apple <Adam.Apple@example-1.org>
sub   rsa3072 2022-11-17 [E] [verfällt: 2024-11-17]

I have to trigger a trustdb check manually to get rid of the full validity:

C:\Users\vaughan>gpg --check-trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: Tiefe: 0  gültig:   2  signiert:   2  Vertrauen: 0-, 0q, 0n, 0m, 0f, 2u
gpg: Tiefe: 1  gültig:   2  signiert:   0  Vertrauen: 2-, 0q, 0n, 0m, 0f, 0u
gpg: nächste "Trust-DB"-Pflichtüberprüfung am 2024-06-21

C:\Users\vaughan>gpg -k 3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F
pub   rsa3072 2022-11-17 [SC] [verfällt: 2024-11-17]
      3A12118AD7F4CBB6FF38C6B8F615AD82F702FA1F
uid        [ unbekannt ] Adam Apple <Adam.Apple@example-1.org>
sub   rsa3072 2022-11-17 [E] [verfällt: 2024-11-17]

Details

Version
3.1.26

Revisions and Commits

rG GnuPG
rGa02f3cc4e870 gpg: Fix validity of re-imported keys.
rG80e442348dd8 gpg: Fix validity of re-imported keys.

Related Objects

Event Timeline

ebo created this task.Mar 2 2023, 3:39 PM
ikloecker added a project: gnupg.Mar 2 2023, 6:38 PM
werner triaged this task as Normal priority.Mar 3 2023, 10:17 AM
werner edited projects, added gnupg22, OpenPGP; removed gnupg.
werner claimed this task.Aug 25 2023, 4:05 PM
werner moved this task from Backlog to WiP on the gnupg22 board.
werner added a comment.Aug 28 2023, 5:35 PM

I am not sure about the initial state of the key. What you are doing is to sign the key with itself (self-signature). Why?
In any case, I can't replicate this. Let's talk about this next week.

werner added a commit: rG80e442348dd8: gpg: Fix validity of re-imported keys..Sep 6 2023, 12:10 PM
werner added a commit: rGa02f3cc4e870: gpg: Fix validity of re-imported keys..Sep 6 2023, 12:13 PM
werner changed the task status from Open to Testing.Sep 6 2023, 12:15 PM
werner moved this task from WiP to QA on the gnupg22 board.

Bugs goes back to 2002 where we stopped checking trust for keys without any signature. This was really useful but has this strange behaviour.

werner moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Sep 6 2023, 12:15 PM
ebo closed this task as Resolved.Sep 12 2023, 3:56 PM
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

works

ebo moved this task from QA to gnupg-2.2.42 on the gnupg22 board.Sep 22 2023, 1:20 PM
ebo edited projects, added gnupg22 (gnupg-2.2.42); removed gnupg22.
werner mentioned this in T6578: Release GnuPG 2.4.4.Jan 25 2024, 11:37 AM