
Add feature to load designated revoker from LDAP
Open, High, Public

Description

There is an option in gpg since February 2023 to configure a designated revoker for all new keys (--add-desig-revoker).

We should add another feature: Iff this option is configured, gpg shall try to load the requested key from LDAP in the same manner as it does for a trusted-key.

Event Timeline

ebo raised the priority of this task from Normal to Needs Triage. Oct 9 2024, 10:36 AM

I do not want to do that for 2.2.45 (T7255) because we want to do that release RSN

werner changed the task status from Open to Testing. Feb 13 2026, 3:35 PM
werner moved this task from Backlog to WiP on the gnupg22 board.
werner moved this task from Backlog to WIP on the vsd34 board.
ebo moved this task from WiP to QA on the gnupg22 board.
ebo moved this task from Backlog to QA on the vsd33 board.
ebo moved this task from QA to vsd-3.3.6 on the vsd33 board.
ebo edited projects, added vsd33 (vsd-3.3.6); removed vsd33.
timegrid changed the task status from Testing to Open. Edited Thu, Apr 16, 4:51 PM
timegrid added a subscriber: timegrid.

Do I understand this correctly, that on CLI key generation the public key of the designated revoker should be fetched automatically?

On vsd-3.3.7-beta90.9 @ win10 this does not work:

>gpg -vvv --add-desig-revoker F2610788330B5FED333A62841600B31C4D9DAB34 --quick-gen-key "to be revoked"
[...]
Continue? (Y/n)
gpg: invalid revocation key 'F2610788330B5FED333A62841600B31C4D9DAB34': No public key
>gpg -vvv --add-desig-revoker F2610788330B5FED333A62841600B31C4D9DAB34 --full-gen-key
[...]
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: invalid revocation key 'F2610788330B5FED333A62841600B31C4D9DAB34': No public key

The cert is found on LDAP though:

>gpg --search-keys F2610788330B5FED333A62841600B31C4D9DAB34
[...]
(1)     designated revoker <designated.revoker@gnupg.test>
          3072 bit RSA key 1600B31C4D9DAB34, created: 2026-04-16, expires: 2029-04-16
timegrid changed the task status from Open to Testing. Thu, Apr 16, 4:51 PM
timegrid moved this task from gnupg-2.2.53 to WiP on the gnupg22 board.
timegrid edited projects, added gnupg22; removed gnupg22 (gnupg-2.2.53).
timegrid changed the task status from Testing to Open. Thu, Apr 16, 5:00 PM