On 2013-09-19 12:23:14, Philip Jägenstedt wrote:
> It looks like monkeysign doesn't care that a uid is
> revoked, it signs and sends out an email anyway.
>
> Could probably be fixed by first cleaning the key.
>
> (Also need to check that monkeysign won't sign a
> uid where the master key is revoked.)

This is a known issue: revoked, expired, disabled or invalid keys are not detected by the underlying gpg library. This is especially a problem when listing private keys because gpg, in all its wisdom, doesn't actually provide those details in the key listing. You can see it for yourself here:

anarcat@angela:monkeysign[dev/ux]*$ LANG=C gpg --list-secret-keys 4023702F
sec 1024D/4023702F 2005-03-08 [expired: 2010-03-12]
uid The Anarcat <anar...@anarcat.ath.cx>
uid The Anarcat <anar...@koumbit.org>
uid Antoine Beaupré <anto...@koumbit.org>
ssb 2048g/EB8D47BB 2005-03-08 [expires: 2010-03-12]

anarcat@angela:monkeysign[dev/ux]*$ LANG=C gpg --list-keys 4023702F
pub 1024D/4023702F 2005-03-08 [revoked: 2005-03-11]
uid The Anarcat <anar...@anarcat.ath.cx>
uid The Anarcat <anar...@koumbit.org>
uid Antoine Beaupré <anto...@koumbit.org>

Notice how the secret key listing doesn't mention the key is revoked...

But you are right, this should be fixed.

A.

-- 
That's one of the remarkable things about life: it's never so bad that
it can't get worse.
                        - Calvin
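
An added example, not part of the original message or of monkeysign's code: one way to make the check discussed above, by reading the validity field of the public `gpg --with-colons --list-keys` listing and refusing revoked, expired, disabled or invalid keys and UIDs before signing. The function name and the sample listing are constructed, and it assumes each user ID is on its own `uid` record (what `--fixed-list-mode` produces).

```python
# Field 2 of a pub/uid record in GnuPG's colon listing is the validity letter
# (documented in GnuPG's doc/DETAILS). These letters mean "do not certify".
UNUSABLE = {"r": "revoked", "e": "expired", "d": "disabled", "i": "invalid"}

# Constructed sample of `gpg --with-colons --list-keys` output; key IDs,
# dates and names are made up for this example.
SAMPLE = """\
tru::1:1379590000:0:3:1:5
pub:-:2048:1:0123456789ABCDEF:1300000000:::-:::scESC:
uid:-::::1300000000::::Alice Example <alice@example.org>:
uid:r::::1300000000::::Alice Old <alice@old.example>:
sub:-:2048:1:1111111111111111:1300000000::::::e:
pub:r:1024:17:FEDCBA9876543210:1110240000:::-:::sc:
uid:r::::1110240000::::Bob Example <bob@example.org>:
"""


def signable_uids(colons):
    """Split UIDs into (ok, refused) from a public-key colon listing.

    ok      -> [(key_id, uid)]
    refused -> [(key_id, uid, reason)]
    A problem on the primary key blocks every UID under it.
    """
    ok, refused = [], []
    key_id = key_problem = None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            key_id, key_problem = f[4], UNUSABLE.get(f[1][:1])
        elif f[0] == "uid" and key_id and len(f) > 9:
            uid = f[9]  # note: gpg escapes ':' and similar as \xNN here
            uid_problem = UNUSABLE.get(f[1][:1])
            if key_problem:
                refused.append((key_id, uid, "primary key " + key_problem))
            elif uid_problem:
                refused.append((key_id, uid, "uid " + uid_problem))
            else:
                ok.append((key_id, uid))
    return ok, refused


if __name__ == "__main__":
    ok, refused = signable_uids(SAMPLE)
    for key_id, uid in ok:
        print("sign   ", key_id, uid)
    for key_id, uid, reason in refused:
        print("refuse ", key_id, uid, "(%s)" % reason)
```

The check has to run against the public listing: as the session above shows, the secret-key listing does not carry the revocation status.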