Using a certificate with a certify-only primary key (with or without subkeys; it does not matter) as designated revoker on `gpg4win 5.0.2, gpg 2.5.18 @ win11` does not revoke the to-be-revoked certificate. The output does not look different from a working case.
It works fine on `vsd 3.3.4, gpg 2.2.53 @ win10`.
Note: The `invalid revocation certificate: Bad signature - rejected` line on import of the revocation certificate is also shown in vsd for C primary keys, and in gpg4win for CS primary keys, where it works. This bug is tracked here: https://dev.gnupg.org/T8189
**To reproduce:**
1. Generate a revoker certificate with certify-only primary key
2. Generate a to-be-revoked certificate and add the revoker certificate as designated revoker
3. Generate the designated revocation certificate
4. Revoke the to-be-revoked certificate => certificate is not revoked
**Output:**
```
C:\Users\g10>gpg --expert --full-gen-key
gpg (GnuPG) 2.5.18; Copyright (C) 2025 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC (sign and encrypt) *default*
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(13) Existing key
(14) Existing key from card
(16) ECC and Kyber
Your selection? 11
Possible actions for this ECC key: Sign Certify Authenticate
Current allowed actions: Sign Certify
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Possible actions for this ECC key: Sign Certify Authenticate
Current allowed actions: Certify
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
Please select which elliptic curve you want:
(1) Curve 25519 *default*
(2) Curve 448
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
(6) Brainpool P-256
(7) Brainpool P-384
(8) Brainpool P-512
Your selection?
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: revoker
Email address:
Comment:
You selected this USER-ID:
"revoker"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: directory 'C:\\Users\\g10\\AppData\\Roaming\\gnupg\\openpgp-revocs.d' created
gpg: revocation certificate stored as 'C:\\Users\\g10\\AppData\\Roaming\\gnupg\\openpgp-revocs.d\\24FA683E0B63234638C89A610295A74BA90D0913.rev'
public and secret key created and signed.
pub ed25519 2026-03-27 [C]
24FA683E0B63234638C89A610295A74BA90D0913
uid revoker
```
```
C:\Users\g10>gpg --quick-gen-key --passphrase "" --add-desig-revoker 24FA683E0B63234638C89A610295A74BA90D0913 to-be-revoked
About to create a key for:
"to-be-revoked"
Continue? (Y/n) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as 'C:\\Users\\g10\\AppData\\Roaming\\gnupg\\openpgp-revocs.d\\5179142150A43C4A96B64499F977A3D36D1F5C7A.rev'
public and secret key created and signed.
pub ed25519 2026-03-27 [SC] [expires: 2029-03-26]
5179142150A43C4A96B64499F977A3D36D1F5C7A
Revocable by: 24FA683E0B63234638C89A610295A74BA90D0913
uid to-be-revoked
sub cv25519 2026-03-27 [E]
1C587BFBFADB4F14BA64D208CAA357A43DCC533D
```
```
C:\Users\g10>gpg --desig-revoke to-be-revoked > revokation.asc
pub ed25519/F977A3D36D1F5C7A 2026-03-27 to-be-revoked
To be revoked by:
sec ed25519/0295A74BA90D0913 2026-03-27 revoker
Create a designated revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
>
Reason for revocation: No reason specified
(No description given)
Is this okay? (y/N) y
ASCII armored output forced.
Revocation certificate created.
```
```
C:\Users\g10>gpg -k
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2029-03-26
[keyboxd]
---------
pub ed25519 2026-03-27 [C]
24FA683E0B63234638C89A610295A74BA90D0913
uid [ultimate] revoker
pub ed25519 2026-03-27 [SC] [expires: 2029-03-26]
5179142150A43C4A96B64499F977A3D36D1F5C7A
Revocable by: 24FA683E0B63234638C89A610295A74BA90D0913
uid [ultimate] to-be-revoked
sub cv25519 2026-03-27 [E]
1C587BFBFADB4F14BA64D208CAA357A43DCC533D
```
```
C:\Users\g10>gpg -vvv --import --no-sig-cache revokation.asc
gpg: using character set 'utf-8'
gpg: enabled compatibility flags:
gpg: armor: BEGIN PGP PUBLIC KEY BLOCK
gpg: armor header: Comment: A designated revocation certificate should follow
# off=0 ctb=98 tag=6 hlen=2 plen=51
:public key packet:
version 4, algo 22, created 1774605497, expires 0
pkey[0]: [80 bits] ed25519 (1.3.6.1.4.1.11591.15.1)
pkey[1]: [263 bits]
keyid: F977A3D36D1F5C7A
# off=53 ctb=88 tag=2 hlen=2 plen=120
:signature packet: algo 22, keyid 0295A74BA90D0913
version 4, created 1774605564, md5len 0, sigclass 0x20
digest algo 10, begin of digest 4d dc
hashed subpkt 33 len 21 (issuer fpr v4 24FA683E0B63234638C89A610295A74BA90D0913)
hashed subpkt 2 len 4 (sig created 2026-03-27)
hashed subpkt 29 len 1 (revocation reason 0x00 ())
subpkt 16 len 8 (issuer key ID 0295A74BA90D0913)
data: [256 bits]
data: [255 bits]
# off=175 ctb=88 tag=2 hlen=2 plen=144
:signature packet: algo 22, keyid F977A3D36D1F5C7A
version 4, created 1774605497, md5len 0, sigclass 0x1f
digest algo 10, begin of digest 57 1a
hashed subpkt 33 len 21 (issuer fpr v4 5179142150A43C4A96B64499F977A3D36D1F5C7A)
hashed subpkt 2 len 4 (sig created 2026-03-27)
hashed subpkt 12 len 22 (revocation key: c=80 a=22 f=24FA683E0B63234638C89A610295A74BA90D0913)
hashed subpkt 7 len 1 (not revocable)
subpkt 16 len 8 (issuer key ID F977A3D36D1F5C7A)
data: [256 bits]
data: [254 bits]
# off=321 ctb=b4 tag=13 hlen=2 plen=13
:user ID packet: "to-be-revoked"
# off=336 ctb=88 tag=2 hlen=2 plen=181
:signature packet: algo 22, keyid F977A3D36D1F5C7A
version 4, created 1774605497, md5len 0, sigclass 0x13
digest algo 10, begin of digest 57 9a
hashed subpkt 33 len 21 (issuer fpr v4 5179142150A43C4A96B64499F977A3D36D1F5C7A)
hashed subpkt 2 len 4 (sig created 2026-03-27)
hashed subpkt 20 len 26 (notation: manu=2,2.5+1.12,2,1)
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 9 len 4 (key expires after 3y0d0h0m)
hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
hashed subpkt 34 len 1 (pref-aead-algos: 2)
hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
hashed subpkt 30 len 1 (features: 07)
hashed subpkt 23 len 1 (keyserver preferences: 80)
subpkt 16 len 8 (issuer key ID F977A3D36D1F5C7A)
data: [256 bits]
data: [256 bits]
gpg: pub ed25519/F977A3D36D1F5C7A 2026-03-27 to-be-revoked
gpg: key F977A3D36D1F5C7A: "to-be-revoked" revocation certificate added
gpg: using pgp trust model
gpg: key 0295A74BA90D0913: accepted as trusted key
gpg: key F977A3D36D1F5C7A: accepted as trusted key
gpg: key F977A3D36D1F5C7A: "to-be-revoked" 1 new signature
gpg: key 0295A74BA90D0913: invalid revocation certificate: Bad signature - rejected
gpg: Total number processed: 1
gpg: new signatures: 1
gpg: 2 keys processed (2 validity counts cleared)
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2029-03-26
```
```
C:\Users\g10>gpg -k
[keyboxd]
---------
pub ed25519 2026-03-27 [C]
24FA683E0B63234638C89A610295A74BA90D0913
uid [ultimate] revoker
pub ed25519 2026-03-27 [SC] [expires: 2029-03-26]
5179142150A43C4A96B64499F977A3D36D1F5C7A
Revocable by: 24FA683E0B63234638C89A610295A74BA90D0913
uid [ultimate] to-be-revoked
sub cv25519 2026-03-27 [E]
1C587BFBFADB4F14BA64D208CAA357A43DCC533D
```