
GnuPG: Designated revocation with certify-only primary keys does not work
Open, Needs Triage, Public

Description

Using a certificate with a certify-only primary key (with or without subkeys does not matter) as designated revoker on gpg4win 5.0.2, gpg 2.5.18 @ win11 does not revoke the to-be-revoked certificate. The output does not look different from a working case.
It works fine on vsd 3.3.4, gpg 2.2.53 @ win10.

Note: The "invalid revocation certificate: Bad signature - rejected" line on import of the revocation certificate is also shown in vsd for C primary keys, and in gpg4win for CS primary keys, where it works. This bug is tracked here: T8189: GnuPG: Bad signature on import of designated revokation certificate

To reproduce:

  1. Generate a revoker certificate with a certify-only primary key
  2. Generate a to-be-revoked certificate and add the revoker certificate as designated revoker
  3. Generate the designated revocation certificate
  4. Revoke the to-be-revoked certificate => certificate is not revoked

Output:

C:\Users\g10>gpg --expert --full-gen-key
[...]
  (11) ECC (set your own capabilities)
Your selection? 11
[...]
   (S) Toggle the sign capability
Your selection? s
Your selection? q
[...]

pub   ed25519 2026-03-27 [C]
      24FA683E0B63234638C89A610295A74BA90D0913
uid                      revoker
C:\Users\g10>gpg --quick-gen-key --passphrase "" --add-desig-revoker 24FA683E0B63234638C89A610295A74BA90D0913 to-be-revoked
[...]
pub   ed25519 2026-03-27 [SC] [expires: 2029-03-26]
      5179142150A43C4A96B64499F977A3D36D1F5C7A
      Revocable by: 24FA683E0B63234638C89A610295A74BA90D0913
uid                      to-be-revoked
sub   cv25519 2026-03-27 [E]
      1C587BFBFADB4F14BA64D208CAA357A43DCC533D
C:\Users\g10>gpg --desig-revoke to-be-revoked > revokation.asc
[...]
Reason for revocation: No reason specified
(No description given)
Is this okay? (y/N) y
C:\Users\g10>gpg -k
[keyboxd]
---------
pub   ed25519 2026-03-27 [C]
      24FA683E0B63234638C89A610295A74BA90D0913
uid           [ultimate] revoker

pub   ed25519 2026-03-27 [SC] [expires: 2029-03-26]
      5179142150A43C4A96B64499F977A3D36D1F5C7A
      Revocable by: 24FA683E0B63234638C89A610295A74BA90D0913
uid           [ultimate] to-be-revoked
sub   cv25519 2026-03-27 [E]
      1C587BFBFADB4F14BA64D208CAA357A43DCC533D
C:\Users\g10>gpg -vvv --import --no-sig-cache revokation.asc
gpg: using character set 'utf-8'
gpg: enabled compatibility flags:
gpg: armor: BEGIN PGP PUBLIC KEY BLOCK
gpg: armor header: Comment: A designated revocation certificate should follow
# off=0 ctb=98 tag=6 hlen=2 plen=51
:public key packet:
        version 4, algo 22, created 1774605497, expires 0
        pkey[0]: [80 bits] ed25519 (1.3.6.1.4.1.11591.15.1)
        pkey[1]: [263 bits]
        keyid: F977A3D36D1F5C7A
# off=53 ctb=88 tag=2 hlen=2 plen=120
:signature packet: algo 22, keyid 0295A74BA90D0913
        version 4, created 1774605564, md5len 0, sigclass 0x20
        digest algo 10, begin of digest 4d dc
        hashed subpkt 33 len 21 (issuer fpr v4 24FA683E0B63234638C89A610295A74BA90D0913)
        hashed subpkt 2 len 4 (sig created 2026-03-27)
        hashed subpkt 29 len 1 (revocation reason 0x00 ())
        subpkt 16 len 8 (issuer key ID 0295A74BA90D0913)
        data: [256 bits]
        data: [255 bits]
# off=175 ctb=88 tag=2 hlen=2 plen=144
:signature packet: algo 22, keyid F977A3D36D1F5C7A
        version 4, created 1774605497, md5len 0, sigclass 0x1f
        digest algo 10, begin of digest 57 1a
        hashed subpkt 33 len 21 (issuer fpr v4 5179142150A43C4A96B64499F977A3D36D1F5C7A)
        hashed subpkt 2 len 4 (sig created 2026-03-27)
        hashed subpkt 12 len 22 (revocation key: c=80 a=22 f=24FA683E0B63234638C89A610295A74BA90D0913)
        hashed subpkt 7 len 1 (not revocable)
        subpkt 16 len 8 (issuer key ID F977A3D36D1F5C7A)
        data: [256 bits]
        data: [254 bits]
# off=321 ctb=b4 tag=13 hlen=2 plen=13
:user ID packet: "to-be-revoked"
# off=336 ctb=88 tag=2 hlen=2 plen=181
:signature packet: algo 22, keyid F977A3D36D1F5C7A
        version 4, created 1774605497, md5len 0, sigclass 0x13
        digest algo 10, begin of digest 57 9a
        hashed subpkt 33 len 21 (issuer fpr v4 5179142150A43C4A96B64499F977A3D36D1F5C7A)
        hashed subpkt 2 len 4 (sig created 2026-03-27)
        hashed subpkt 20 len 26 (notation: manu=2,2.5+1.12,2,1)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 9 len 4 (key expires after 3y0d0h0m)
        hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
        hashed subpkt 34 len 1 (pref-aead-algos: 2)
        hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 07)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID F977A3D36D1F5C7A)
        data: [256 bits]
        data: [256 bits]
gpg: pub  ed25519/F977A3D36D1F5C7A 2026-03-27  to-be-revoked
gpg: key F977A3D36D1F5C7A: "to-be-revoked" revocation certificate added
gpg: using pgp trust model
gpg: key 0295A74BA90D0913: accepted as trusted key
gpg: key F977A3D36D1F5C7A: accepted as trusted key
gpg: key F977A3D36D1F5C7A: "to-be-revoked" 1 new signature
gpg: key 0295A74BA90D0913: invalid revocation certificate: Bad signature - rejected
gpg: Total number processed: 1
gpg:         new signatures: 1
gpg: 2 keys processed (2 validity counts cleared)
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2029-03-26
C:\Users\g10>gpg -k
[keyboxd]
---------
pub   ed25519 2026-03-27 [C]
      24FA683E0B63234638C89A610295A74BA90D0913
uid           [ultimate] revoker

pub   ed25519 2026-03-27 [SC] [expires: 2029-03-26]
      5179142150A43C4A96B64499F977A3D36D1F5C7A
      Revocable by: 24FA683E0B63234638C89A610295A74BA90D0913
uid           [ultimate] to-be-revoked
sub   cv25519 2026-03-27 [E]
      1C587BFBFADB4F14BA64D208CAA357A43DCC533D
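An added structural check, not part of the report or of GnuPG, that parses a `--list-packets` style dump like the one above and confirms that the key-revocation signature (sigclass 0x20) is issued by the fingerprint named in the key's own direct-key signature (sigclass 0x1f, revocation-key subpacket 12 with class bit 0x80 set). It does not verify the signature cryptographically; it only shows that the imported certificate is structurally a valid designated revocation for this key, so the "not revoked" outcome is not explained by a revoker/fingerprint mismatch in the packets. The dump excerpt is constructed from the report's output with whitespace reduced.

```python
import re

# Constructed excerpt of the packet dump shown in the report (whitespace reduced).
DUMP = """\
:signature packet: algo 22, keyid 0295A74BA90D0913
  version 4, created 1774605564, md5len 0, sigclass 0x20
  hashed subpkt 33 len 21 (issuer fpr v4 24FA683E0B63234638C89A610295A74BA90D0913)
:signature packet: algo 22, keyid F977A3D36D1F5C7A
  version 4, created 1774605497, md5len 0, sigclass 0x1f
  hashed subpkt 33 len 21 (issuer fpr v4 5179142150A43C4A96B64499F977A3D36D1F5C7A)
  hashed subpkt 12 len 22 (revocation key: c=80 a=22 f=24FA683E0B63234638C89A610295A74BA90D0913)
:signature packet: algo 22, keyid F977A3D36D1F5C7A
  version 4, created 1774605497, md5len 0, sigclass 0x13
"""

SIGCLASS = re.compile(r"sigclass 0x([0-9a-f]{2})")
ISSUER = re.compile(r"issuer fpr v4 ([0-9A-F]{40})")
REVKEY = re.compile(r"revocation key: c=([0-9a-f]{2}) a=(\d+) f=([0-9A-F]{40})")

def parse_signatures(dump):
    """One dict per ':signature packet:' block: sigclass, issuer_fpr, revocation_key."""
    sigs = []
    for line in dump.splitlines():
        if line.startswith(":signature packet:"):
            sigs.append({})
        elif sigs:
            if m := SIGCLASS.search(line):
                sigs[-1]["sigclass"] = int(m.group(1), 16)
            if m := ISSUER.search(line):
                sigs[-1]["issuer_fpr"] = m.group(1)
            if m := REVKEY.search(line):
                # class octet, public-key algo, fingerprint (RFC 4880 section 5.2.3.15)
                sigs[-1]["revocation_key"] = (int(m.group(1), 16), int(m.group(2)), m.group(3))
    return sigs

def check_designated_revocation(dump):
    """(ok, reason): is the key-revocation (0x20) signature issued by a fingerprint that the
    key's own direct-key (0x1f) signature names in a revocation-key subpacket with bit 0x80 set?"""
    sigs = parse_signatures(dump)
    revokers = {s["revocation_key"][2] for s in sigs
                if s.get("sigclass") == 0x1F and "revocation_key" in s and s["revocation_key"][0] & 0x80}
    revocations = [s for s in sigs if s.get("sigclass") == 0x20]
    if not revocations:
        return False, "no key revocation (0x20) signature present"
    if not revokers:
        return False, "key carries no usable revocation-key subpacket"
    for r in revocations:
        if r.get("issuer_fpr") in revokers:
            return True, "revocation issued by designated revoker " + r["issuer_fpr"]
    return False, "revocation issuer is not a designated revoker of this key"
```

Run it against the output of `gpg --list-packets revokation.asc` followed by the key's own packets to compare a failing and a working setup; if the check passes on both, the difference lies in gpg's signature verification rather than in the certificate layout.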

Details

Version
gpg4win 5.0.2, gpg 2.5.18 @ win11

Event Timeline

timegrid created this object with edit policy "Contributor (Project)".