Report forwarded
to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>: Bug#723763; Package monkeysign.
(Thu, 19 Sep 2013 16:24:11 GMT) (full text, mbox, link).
Acknowledgement sent
to Philip Jägenstedt <philip@foolip.org>:
New Bug report received and forwarded. Copy sent to Antoine Beaupré <anarcat@debian.org>.
(Thu, 19 Sep 2013 16:24:11 GMT) (full text, mbox, link).
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: monkeysign should not sign revoked uids
Date: Thu, 19 Sep 2013 18:23:14 +0200
Package: monkeysign
Version: 1.0
Severity: important
It looks like monkeysign doesn't care that a uid is
revoked, it signs and sends out an email anyway.
Could probably be fixed by first cleaning the key.
(Also need to check that monkeysign won't sign a
uid where the master key is revoked.)
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.10-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages monkeysign depends on:
ii gnupg 1.4.14-1
ii python 2.7.5-4
Versions of packages monkeysign recommends:
ii python-gtk2 2.24.0-3+b1
ii python-qrencode 1.01-2+b1
ii python-zbar 0.10+doc-9+b1
ii python-zbarpygtk 0.10+doc-9+b1
monkeysign suggests no packages.
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>: Bug#723763; Package monkeysign.
(Sat, 05 Oct 2013 20:30:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Antoine Beaupré <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>.
(Sat, 05 Oct 2013 20:30:04 GMT) (full text, mbox, link).
On 2013-09-19 12:23:14, Philip Jägenstedt wrote:
> It looks like monkeysign doesn't care that a uid is
> revoked, it signs and sends out an email anyway.
>
> Could probably be fixed by first cleaning the key.
>
> (Also need to check that monkeysign won't sign a
> uid where the master key is revoked.)
This is a known issue: revoked, expired, disabled or invalid keys are
not detected by the underlying gpg library.
This is especially a problem when listing private keys because gpg, in
all its wizdom, doesn't actually provide those details in the key
listing.
You can see it for yourself here:
anarcat@angela:monkeysign[dev/ux]*$ LANG=C gpg --list-secret-keys 4023702F
sec 1024D/4023702F 2005-03-08 [expired: 2010-03-12]
uid The Anarcat <anarcat@anarcat.ath.cx>
uid The Anarcat <anarcat@koumbit.org>
uid Antoine Beaupré <antoine@koumbit.org>
ssb 2048g/EB8D47BB 2005-03-08 [expires: 2010-03-12]
anarcat@angela:monkeysign[dev/ux]*$ LANG=C gpg --list-keys 4023702F
pub 1024D/4023702F 2005-03-08 [revoked: 2005-03-11]
uid The Anarcat <anarcat@anarcat.ath.cx>
uid The Anarcat <anarcat@koumbit.org>
uid Antoine Beaupré <antoine@koumbit.org>
Notice how the secret key listing doesn't mention the key is revoked...
But you are right, this should be fixed.
A.
--
That's one of the remarkable things about life: it's never so bad that
it can't get worse.
- Calvin
Information forwarded
to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>: Bug#723763; Package monkeysign.
(Wed, 16 Oct 2013 19:30:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Philip Jägenstedt <philip@foolip.org>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>.
(Wed, 16 Oct 2013 19:30:05 GMT) (full text, mbox, link).
On Sat, 2013-10-05 at 16:27 -0400, Antoine Beaupré wrote:
> On 2013-09-19 12:23:14, Philip Jägenstedt wrote:
> > It looks like monkeysign doesn't care that a uid is
> > revoked, it signs and sends out an email anyway.
> >
> > Could probably be fixed by first cleaning the key.
> >
> > (Also need to check that monkeysign won't sign a
> > uid where the master key is revoked.)
>
> This is a known issue: revoked, expired, disabled or invalid keys are
> not detected by the underlying gpg library.
>
> This is especially a problem when listing private keys because gpg, in
> all its wizdom, doesn't actually provide those details in the key
> listing.
>
> You can see it for yourself here:
>
> anarcat@angela:monkeysign[dev/ux]*$ LANG=C gpg --list-secret-keys 4023702F
> sec 1024D/4023702F 2005-03-08 [expired: 2010-03-12]
> uid The Anarcat <anarcat@anarcat.ath.cx>
> uid The Anarcat <anarcat@koumbit.org>
> uid Antoine Beaupré <antoine@koumbit.org>
> ssb 2048g/EB8D47BB 2005-03-08 [expires: 2010-03-12]
>
> anarcat@angela:monkeysign[dev/ux]*$ LANG=C gpg --list-keys 4023702F
> pub 1024D/4023702F 2005-03-08 [revoked: 2005-03-11]
> uid The Anarcat <anarcat@anarcat.ath.cx>
> uid The Anarcat <anarcat@koumbit.org>
> uid Antoine Beaupré <antoine@koumbit.org>
>
> Notice how the secret key listing doesn't mention the key is revoked...
>
> But you are right, this should be fixed.
I looks to me --with-colons will show both revocation of the public keys
and uids, e.g. here's my old revoked key:
pub:r:1024:17:C8D53F30F42163A4:2006-08-25:::-:Philip Jägenstedt
<philip@foolip.org>::sca:
uid:r::::2008-06-30::FB9A4CAE39D8CE6BADFFF3E7D87D69568335E1FD::Philip
Jägenstedt <philipj@opera.com>:
sub:r:1024:16:2D587BA5340611CA:2006-08-25::::::e:
It's true that --list-secret-keys --with-colons doesn't show which uids
are revoked, but I don't think that's relevant when trying to determine
(programatically) whether or not the key/uid is revoked/expired.
Philip
Information forwarded
to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>: Bug#723763; Package monkeysign.
(Wed, 16 Oct 2013 19:45:11 GMT) (full text, mbox, link).
Acknowledgement sent
to Antoine Beaupré <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>.
(Wed, 16 Oct 2013 19:45:11 GMT) (full text, mbox, link).
On 2013-10-16 15:28:46, Philip Jägenstedt wrote:
> I looks to me --with-colons will show both revocation of the public keys
> and uids, e.g. here's my old revoked key:
>
> pub:r:1024:17:C8D53F30F42163A4:2006-08-25:::-:Philip Jägenstedt
> <philip@foolip.org>::sca:
> uid:r::::2008-06-30::FB9A4CAE39D8CE6BADFFF3E7D87D69568335E1FD::Philip
> Jägenstedt <philipj@opera.com>:
> sub:r:1024:16:2D587BA5340611CA:2006-08-25::::::e:
That looks like the --list-keys output, not --list-secret-keys.
> It's true that --list-secret-keys --with-colons doesn't show which uids
> are revoked, but I don't think that's relevant when trying to determine
> (programatically) whether or not the key/uid is revoked/expired.
So yes, it's possible to extract that information, but that would
involve re-running --list-keys for every secret key imported, really
annoying.
A.
--
Semantics is the gravity of abstraction.
Information forwarded
to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>: Bug#723763; Package monkeysign.
(Wed, 16 Oct 2013 19:51:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Philip Jägenstedt <philip@foolip.org>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>.
(Wed, 16 Oct 2013 19:51:09 GMT) (full text, mbox, link).
On Wed, 2013-10-16 at 15:44 -0400, Antoine Beaupré wrote:
> On 2013-10-16 15:28:46, Philip Jägenstedt wrote:
> > I looks to me --with-colons will show both revocation of the public keys
> > and uids, e.g. here's my old revoked key:
> >
> > pub:r:1024:17:C8D53F30F42163A4:2006-08-25:::-:Philip Jägenstedt
> > <philip@foolip.org>::sca:
> > uid:r::::2008-06-30::FB9A4CAE39D8CE6BADFFF3E7D87D69568335E1FD::Philip
> > Jägenstedt <philipj@opera.com>:
> > sub:r:1024:16:2D587BA5340611CA:2006-08-25::::::e:
>
> That looks like the --list-keys output, not --list-secret-keys.
Indeed it is.
> > It's true that --list-secret-keys --with-colons doesn't show which uids
> > are revoked, but I don't think that's relevant when trying to determine
> > (programatically) whether or not the key/uid is revoked/expired.
>
> So yes, it's possible to extract that information, but that would
> involve re-running --list-keys for every secret key imported, really
> annoying.
I don't understand, why is --list-secret-keys involved at all when
inspecting the key you're signing? Signing your own keys using
monkeysign sounds a bit weird, is that supported?
Philip
Information forwarded
to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>: Bug#723763; Package monkeysign.
(Wed, 16 Oct 2013 20:00:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Antoine Beaupré <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>.
(Wed, 16 Oct 2013 20:00:09 GMT) (full text, mbox, link).
On 2013-10-16 15:49:29, Philip Jägenstedt wrote:
> On Wed, 2013-10-16 at 15:44 -0400, Antoine Beaupré wrote:
>> On 2013-10-16 15:28:46, Philip Jägenstedt wrote:
>> > I looks to me --with-colons will show both revocation of the public keys
>> > and uids, e.g. here's my old revoked key:
>> >
>> > pub:r:1024:17:C8D53F30F42163A4:2006-08-25:::-:Philip Jägenstedt
>> > <philip@foolip.org>::sca:
>> > uid:r::::2008-06-30::FB9A4CAE39D8CE6BADFFF3E7D87D69568335E1FD::Philip
>> > Jägenstedt <philipj@opera.com>:
>> > sub:r:1024:16:2D587BA5340611CA:2006-08-25::::::e:
>>
>> That looks like the --list-keys output, not --list-secret-keys.
>
> Indeed it is.
>
>> > It's true that --list-secret-keys --with-colons doesn't show which uids
>> > are revoked, but I don't think that's relevant when trying to determine
>> > (programatically) whether or not the key/uid is revoked/expired.
>>
>> So yes, it's possible to extract that information, but that would
>> involve re-running --list-keys for every secret key imported, really
>> annoying.
>
> I don't understand, why is --list-secret-keys involved at all when
> inspecting the key you're signing? Signing your own keys using
> monkeysign sounds a bit weird, is that supported?
Oh, wait - I was confused by another unrelated issue: monkeysign allows
you to sign keys *with* a revoked secret key...
So yes, you are right...
A.
--
Le péché est né avant la vertu, comme le moteur avant le frein.
- Jean-Paul Sartre
Information forwarded
to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>: Bug#723763; Package monkeysign.
(Tue, 19 Jul 2016 21:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Jerome Charaoui <jerome@riseup.net>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>.
(Tue, 19 Jul 2016 21:03:04 GMT) (full text, mbox, link).
tags patch
thanks
Please review the attached patches fixing the two issues mentioned in
this thread:
* Remove revoked uids from keys before processing
* Refuse to sign on a revoked primary key
Thanks!
-- Jerome
Added tag(s) patch.
Request was from Jerome Charaoui <jerome@riseup.net>
to control@bugs.debian.org.
(Tue, 19 Jul 2016 21:12:28 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org: Bug#723763; Package monkeysign.
(Mon, 01 Aug 2016 22:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list.
(Mon, 01 Aug 2016 22:03:03 GMT) (full text, mbox, link).
Subject: Re: Bug#723763: monkeysign should not sign revoked uids
Date: Mon, 01 Aug 2016 17:53:11 -0400
Control: tags -1 +moreinfo
Could you provide unit tests coverage for this and verify that the tests
pass after the patch is applied?
Thanks!
--
Never attribute to malice that which can be adequately explained by
stupidity, but don't rule out malice.
- Albert Einstein
Added tag(s) moreinfo.
Request was from Antoine Beaupré <anarcat@debian.org>
to 723763-submit@bugs.debian.org.
(Mon, 01 Aug 2016 22:03:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>: Bug#723763; Package monkeysign.
(Sat, 06 Aug 2016 21:12:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Nicholas D Steeves <nsteeves@gmail.com>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>.
(Sat, 06 Aug 2016 21:12:04 GMT) (full text, mbox, link).
Cc: Antoine Beaupré <anarcat@debian.org>,
Jerome Charaoui <jerome@riseup.net>
Subject: Re: Bug#723763: monkeysign should not sign revoked uids
Date: Sat, 6 Aug 2016 17:09:11 -0400
Control: found -1 monkeysign/2.0.2
Hi Antoine,
I think by default Monkeysign still signs revoked keys and sends
emails to addresses that might no longer be active. I just ran a
monkeysign 7B75921E, and I think you have received a signed key for a
few of your revoked ones.
Cheers,
Nicholas
Marked as found in versions monkeysign/2.0.2.
Request was from Nicholas D Steeves <nsteeves@gmail.com>
to 723763-submit@bugs.debian.org.
(Sat, 06 Aug 2016 21:12:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org: Bug#723763; Package monkeysign.
(Sun, 07 Aug 2016 22:09:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list.
(Sun, 07 Aug 2016 22:09:04 GMT) (full text, mbox, link).
To: Nicholas D Steeves <nsteeves@gmail.com>, 723763@bugs.debian.org
Cc: Jerome Charaoui <jerome@riseup.net>
Subject: Re: Bug#723763: monkeysign should not sign revoked uids
Date: Sun, 07 Aug 2016 18:05:19 -0400
On 2016-08-06 17:09:11, Nicholas D Steeves wrote:
> Hi Antoine,
>
> I think by default Monkeysign still signs revoked keys and sends
> emails to addresses that might no longer be active. I just ran a
> monkeysign 7B75921E, and I think you have received a signed key for a
> few of your revoked ones.
Yes, the bug is definitely still not fixed. Jerome sent a patch for this
(in cc), available here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723763#35
The patch is incomplete: we need unit test coverage for it, and just
make sure it passes tests.
But you could try it out and report if it works for you, that would
certainly be useful! :)
Thanks for the feedback,
A.
--
It is a miracle that curiosity survives formal education
- Albert Einstein
Information forwarded
to debian-bugs-dist@lists.debian.org: Bug#723763; Package monkeysign.
(Thu, 01 Sep 2016 15:15:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list.
(Thu, 01 Sep 2016 15:15:03 GMT) (full text, mbox, link).
Subject: Re: Bug#723763: monkeysign should not sign revoked uids
Date: Thu, 01 Sep 2016 11:11:57 -0400
On 2016-08-01 17:53:11, Antoine Beaupré wrote:
> Control: tags -1 +moreinfo
>
> Could you provide unit tests coverage for this and verify that the tests
> pass after the patch is applied?
Also, after discussing with the Geysigning people, it seems that I
missed another patch that was already made here:
https://lists.riseup.net/www/arc/monkeysphere/2015-02/msg00009.html
It seems that his patchset is a little more complete, although it still
doesn't feature unit tests, which I would prefer to have before merging
this in.
Please consider reviewing his work before going forward - it seems that
running --list-keys twice is necessary, unless we're running GPG 2.1
(which I am starting to think we should depend on :/).
A.
--
Any sufficiently advanced technology is indistinguishable from magic.
- Arthur C. Clarke
Removed tag(s) moreinfo.
Request was from Antoine Beaupré <anarcat@debian.org>
to control@bugs.debian.org.
(Thu, 01 Sep 2016 16:15:06 GMT) (full text, mbox, link).
Added tag(s) help.
Request was from Antoine Beaupré <anarcat@debian.org>
to control@bugs.debian.org.
(Thu, 01 Sep 2016 16:15:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>: Bug#723763; Package monkeysign.
(Thu, 01 Sep 2016 19:36:03 GMT) (full text, mbox, link).
Acknowledgement sent
to anarcat <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>.
(Thu, 01 Sep 2016 19:36:03 GMT) (full text, mbox, link).
On Thu, Sep 01, 2016 at 11:11:57AM -0400, Antoine Beaupré wrote:
> On 2016-08-01 17:53:11, Antoine Beaupré wrote:
> > Control: tags -1 +moreinfo
> >
> > Could you provide unit tests coverage for this and verify that the tests
> > pass after the patch is applied?
>
> Also, after discussing with the Geysigning people, it seems that I
> missed another patch that was already made here:
>
> https://lists.riseup.net/www/arc/monkeysphere/2015-02/msg00009.html
>
> It seems that his patchset is a little more complete, although it still
> doesn't feature unit tests, which I would prefer to have before merging
> this in.
>
> Please consider reviewing his work before going forward - it seems that
> running --list-keys twice is necessary, unless we're running GPG 2.1
> (which I am starting to think we should depend on :/).
Sigh... disregard that - the above patches make sure that we don't sign
*with* revoked keys - a different issue (which I'll track in #766129).
a.
--
L'homme construit des maisons parce qu'il est vivant, mais il écrit des
livres parce qu'il se sait mortel.
- Daniel Pennac, Comme un roman
Added indication that bug 723763 blocks 773896
Request was from Paul Wise <pabs@debian.org>
to control@bugs.debian.org.
(Fri, 02 Sep 2016 01:03:05 GMT) (full text, mbox, link).
Cc: Philip Jägenstedt <philip@foolip.org>, Jerome Charaoui
<jerome@riseup.net>, Nicholas D Steeves <nsteeves@gmail.com>, Tobias
Mueller <muelli@cryptobitch.de>
Subject: Re: Bug#723763: monkeysign should not sign revoked uids
Date: Mon, 05 Sep 2016 00:37:15 -0400
On 2013-09-19 12:23:14, Philip Jägenstedt wrote:
> It looks like monkeysign doesn't care that a uid is
> revoked, it signs and sends out an email anyway.
On 2016-08-06 17:09:11, Nicholas D Steeves wrote:
> I think by default Monkeysign still signs revoked keys and sends
> emails to addresses that might no longer be active. I just ran a
> monkeysign 7B75921E, and I think you have received a signed key for a
> few of your revoked ones.
So I finally looked into this in more details.
Basically, I can't reproduce this at all. I have tried generating new
keys and unit tests to reproduce the issue, and I couldn't.
I also tried to sign a with a revoked UID. no mail is sent to the
revoked UID, nor is a certification generated for that UID.
[730]anarcat@angela:monkeysign$ gpg --list-sigs -v unittest
gpg: utilisation du modèle de confiance PGP
gpg: impossible de gérer l'algorithme à clef publique 22
gpg: impossible de gérer l'algorithme à clef publique 18
pub 1024R/86E4E70A96F47C6A 2012-07-20
uid Test Key <foo@example.com>
sig 3 86E4E70A96F47C6A 2012-07-20 Test Key <foo@example.com>
sig L 792152527B75921E 2016-09-05 Antoine Beaupré <anarcat@orangeseeds.org>
uid [ révoquée] Second Test Key <unittests@monkeysphere.info>
sig 3 86E4E70A96F47C6A 2013-08-11 Test Key <foo@example.com>
rev 86E4E70A96F47C6A 2016-09-05 Test Key <foo@example.com>
sub 1024R/894EE34814B46386 2012-07-20
sig 86E4E70A96F47C6A 2012-07-20 Test Key <foo@example.com>
[722]anarcat@angela:monkeysign$ git co 2.0.2
Note: checking out '2.0.2'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:
git checkout -b new_branch_name
HEAD est maintenant sur 7780521... Merge remote-tracking branch 'origin/2.0.x' into 2.0.x
[726]anarcat@angela:monkeysign$ gpg --import tests/96F47C6A.asc
gpg: clef 86E4E70A96F47C6A : clef publique « Second Test Key <unittests@monkeysphere.info> » importée
gpg: Quantité totale traitée : 1
gpg: importées : 1 (RSA: 1)
[727]anarcat@angela:monkeysign$ gpg --import tests/96F47C6A-
96F47C6A-revoke.asc 96F47C6A-revuid.asc 96F47C6A-secret.asc
[727]anarcat@angela:monkeysign$ gpg --import tests/96F47C6A-revuid.asc
gpg: clef 86E4E70A96F47C6A : « Test Key <foo@example.com> » 1 nouvelle signature
gpg: Quantité totale traitée : 1
gpg: nouvelles signatures : 1
[728]anarcat@angela:monkeysign$ ./scripts/monkeysign --no-mail -l unittest
Preparing to sign with this key
pub [unknown] 4096R/7B75921E 1243621534 [expiry: 1496357973]
Fingerprint = 8DC9 01CE 6414 6C04 8AD5 0FBB 7921 5252 7B75 921E
uid 1 [unknown] Antoine Beaupré (home address) <anarcat@anarcat.ath.cx>
uid 2 [unknown] Antoine Beaupré (work) <anarcat@koumbit.org>
sub 2048R/EE02855A 1342743455
sub 4096R/9C5A5581 1243622183
Signing the following key
pub [unknown] 1024R/96F47C6A 1342795252
Fingerprint = 3F94 240C 918E 6359 0B04 152E 86E4 E70A 96F4 7C6A
uid 1 [unknown] Test Key <foo@example.com>
uid 2 [revoked] Second Test Key <unittests@monkeysphere.info>
sub 1024R/14B46386 1342795252
Sign all identities? [y/N] y
Really sign key? [y/N] y
not sending email to "Test Key" <foo@example.com>, as requested, here's the email message:
From nobody Mon Sep 5 00:32:54 2016
Content-Type: multipart/mixed; boundary="===============7126139918222277606=="
MIME-Version: 1.0
--===============7126139918222277606==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Please find attached your signed OpenPGP key. You can import the
signed key by running each through `gpg --import`.
If you have multiple user ids, each signature was sent in a separate
email to each user id.
Note that your key was not uploaded to any keyservers. If you want
this new signature to be available to others, please upload it
yourself. With GnuPG this can be done using:
gpg --keyserver pool.sks-keyservers.net --send-key <keyid>
Regards,
--===============7126139918222277606==
Content-Type: application/pgp-keys;
name="signed-3F94240C918E63590B04152E86E4E70A96F47C6A.asc"
MIME-Version: 1.0
Content-Disposition: attachment;
filename="signed-3F94240C918E63590B04152E86E4E70A96F47C6A.asc"
Content-Transfer-Encoding: 7bit
Content-Description: signed OpenPGP Key
3F94240C918E63590B04152E86E4E70A96F47C6A, uid Test Key <foo@example.com>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mI0EUAlt9AEEAMVygQA7sGE7xS5lGk8bPK7vtBuNAb9ETjXmC8jPLZ35KTviRq1c
NfFl0J66ObgcLEQjl84GMQ6Du6qLDAAgwi/2TqzmoGljXEiOd+lePBOhEV7WgkTx
sBhniZINe/q0Sv4OJzQxfaOsW3eyfHJEXq6oCGqX+f0Nat1ygPNt/ji7ABEBAAG0
GlRlc3QgS2V5IDxmb29AZXhhbXBsZS5jb20+iLgEEwECACIFAlAJbfQCGwMGCwkI
BwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEIbk5wqW9HxqzpQD/0UZ7vg8ck/AlB6X
N43ecVoX8KuLQEV1QGc4dJ9zDJ7yfojs1b1Nlcb397VEufTeRDOyCueop5cvqv6f
ViFrA/V1xsn2RIjZhYSjk9m7UPRItpwLGHv6WSmYeSoCYXbTBtf+bf76c0TN97a3
BQTyRpa85GsWcT3S2Vpmv+PmcW2GuI0EUAlt9AEEAN0jzH5FZpR89c/Eg5rbHBD8
9KZS9fn2XpfAnLn8CLvt+409Ts3MRxePkJLkkuMA4KvNSfyEdYxrFIyKodzd2RSm
1mysgGKFOjrnaKRDr8HpzM+k8bfUbP7Q+3CjyGsui/QAgdv9LenrimhjfCvFS5BI
i0lEiGSJZ4lZ5uORKnaJABEBAAGInwQYAQIACQUCUAlt9AIbDAAKCRCG5OcKlvR8
aknhA/9Zb3cwoDFcunI2vFwpFqnZ1B1Hr81UvsTAr7V39oaWILwWcC5KASw7mLrF
zfIm2xRAeMXX6DKOtJ8WL3xWh3fCRy2zfm01vojr9DRo7MJCPP7N2DdEdQZo4+nQ
PIvzJ1nifFCN+0isRB2Xu/ItYW5CROjdQ6Dg/ws6VQkmEV4jvg==
=R16i
-----END PGP PUBLIC KEY BLOCK-----
--===============7126139918222277606==--
not sending email to "Second Test Key" <unittests@monkeysphere.info>, as requested, here's the email message:
From nobody Mon Sep 5 00:32:54 2016
Content-Type: multipart/mixed; boundary="===============4140608320576554857=="
MIME-Version: 1.0
--===============4140608320576554857==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Please find attached your signed OpenPGP key. You can import the
signed key by running each through `gpg --import`.
If you have multiple user ids, each signature was sent in a separate
email to each user id.
Note that your key was not uploaded to any keyservers. If you want
this new signature to be available to others, please upload it
yourself. With GnuPG this can be done using:
gpg --keyserver pool.sks-keyservers.net --send-key <keyid>
Regards,
--===============4140608320576554857==
Content-Type: application/pgp-keys;
name="signed-3F94240C918E63590B04152E86E4E70A96F47C6A.asc"
MIME-Version: 1.0
Content-Disposition: attachment;
filename="signed-3F94240C918E63590B04152E86E4E70A96F47C6A.asc"
Content-Transfer-Encoding: 7bit
Content-Description: signed OpenPGP Key
3F94240C918E63590B04152E86E4E70A96F47C6A,
uid Second Test Key <unittests@monkeysphere.info>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mI0EUAlt9AEEAMVygQA7sGE7xS5lGk8bPK7vtBuNAb9ETjXmC8jPLZ35KTviRq1c
NfFl0J66ObgcLEQjl84GMQ6Du6qLDAAgwi/2TqzmoGljXEiOd+lePBOhEV7WgkTx
sBhniZINe/q0Sv4OJzQxfaOsW3eyfHJEXq6oCGqX+f0Nat1ygPNt/ji7ABEBAAG0
LVNlY29uZCBUZXN0IEtleSA8dW5pdHRlc3RzQG1vbmtleXNwaGVyZS5pbmZvPoiq
BDABAgAUBQJXzOdCDR0gdGVzdCByZXZ1aWQACgkQhuTnCpb0fGpWRgP9HRJzDocI
nkZVzIKR6ocw7VTVn817V385xN+Zgx6CZrBba4b6waluyXxmM7jdsFzlsOPdR8Tk
UjQ/LfLjStJ5MJuwujBHW5XfittWcqNFItzPTt49YovnP6A8ROBBl4zCPmQL2YGQ
/SBOq8LnKovaBjxvPz57i9Ze0C2F5Tzi5Y24jQRQCW30AQQA3SPMfkVmlHz1z8SD
mtscEPz0plL1+fZel8CcufwIu+37jT1OzcxHF4+QkuSS4wDgq81J/IR1jGsUjIqh
3N3ZFKbWbKyAYoU6OudopEOvwenMz6Txt9Rs/tD7cKPIay6L9ACB2/0t6euKaGN8
K8VLkEiLSUSIZIlniVnm45EqdokAEQEAAYifBBgBAgAJBQJQCW30AhsMAAoJEIbk
5wqW9HxqSeED/1lvdzCgMVy6cja8XCkWqdnUHUevzVS+xMCvtXf2hpYgvBZwLkoB
LDuYusXN8ibbFEB4xdfoMo60nxYvfFaHd8JHLbN+bTW+iOv0NGjswkI8/s3YN0R1
Bmjj6dA8i/MnWeJ8UI37SKxEHZe78i1hbkJE6N1DoOD/CzpVCSYRXiO+
=ojno
-----END PGP PUBLIC KEY BLOCK-----
--===============4140608320576554857==--
Now. Maybe I am doing something wrong, or maybe GnuPG or Monkeysign got
fixed since those bugs were reported. I am running Debian Jessie, so
this is GnuPG 1.4.18 and monkeysign 2.0.2.
All the gory details are here:
https://0xacab.org/monkeysphere/monkeysign/issues/33
I am going to close this bug as done now.
Someone will need to provide me with more solid ways of reproducing
this, including a step-by-step commandline documentation or complete
failed unit test before I look at reviewing patches about revoked keys
again.
A.
--
L'ennui avec la grande famille humaine, c'est que tout le monde veut
en être le père.
- Mafalda
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 03 Oct 2016 07:28:09 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.