How to generate the revocation certificate after being made a revoker with GnuPG

Tags: gnupg, pgp, public-key

I read the "How should GnuPG's `--desig-revoke` command be used?" question/answer, so now I know when to use `--desig-revoke`.

So, I have two different private keys — one at work (WORKWORK), and one at home (HOMEHOME). In preparing for the worst (in today's economy, not a bad idea), I want to be able to revoke my work ID from home.

I was hoping I'd be able to use the knowledge gained to be able to set that up. At work, I used addrevoker (the internal equivalent of --desig-revoke, because my gpg --help didn't show --desig-revoke as an option), without the sensitive argument, to make my home key be able to generate a revocation certificate for my work key. I then exported my public key at work, and imported it at home.

After importing, I see:

cmd.exe> gpg --list-keys
path/to/pubring.gpg
------------------------------------------------
pub   4096R/HOMEHOME 2010-12-11
uid       [ultimate] PryrtCJ <PryrtCJ@home>
sub   4096R/________ 2010-12-11
sub   4096R/________ 2014-11-22 [expires: 2015-12-31]
sub   4096R/________ 2014-11-22 [expires: 2015-12-31]

pub   4096R/WORKWORK 2010-12-15
uid       [  full  ] PryrtCJ <PryrtCJ@work>
sub   4096R/________ 2010-12-15

And to check for the addrevoker results propagating home:

cmd.exe> gpg --edit-key WORKWORK
gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


This key may be revoked by RSA key HOMEHOME PryrtCJ@home
pub  4096R/WORKWORK  created: 2010-12-15  expires: never       usage: SC
                     trust: full          validity: full
sub  4096R/________  created: 2010-12-15  expires: never       usage: E
[  full  ] (1). PryrtCJ <PryrtCJ@work>

So I obviously have permission to revoke my work key. But when I try, all I get is this error:

cmd.exe> gpg --output revoke-WORKWORK.asc --gen-revoke WORKWORK
gpg: secret key "WORKWORK" not found: Unknown system error

So, how do I actually generate a revocation certificate using my newly granted permission?

Best Answer

Do not use --gen-revoke, but --desig-revoke instead. From man gpg:

--desig-revoke name
       Generate a designated revocation certificate for a key. This allows a
       user (with the permission of the keyholder) to revoke someone else's key.

GnuPG will ask you whether you want to create a revocation certificate for this other key, for example revoking 0xdeadbeef with a key you're using:

$ gpg --desig-revoke 0xDEADBEEF

pub  1024R/DEADBEEF 2015-02-25 Alice

To be revoked by:

sec  2048R/E6F0D5F6 2015-02-25 Bob

Create a designated revocation certificate for this key? (y/N)

[...]

--desig-revoke will output the ASCII-armored revocation certificate.
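The full home/work round trip from the question, ending with the answer's --desig-revoke step, as an added shell example; this is not code from the question, the answer, or GnuPG's own documentation. It assumes GnuPG 2.1 or newer on PATH (for --quick-gen-key and loopback pinentry), creates two throwaway, passphrase-less keys with constructed user IDs in two temporary home directories so the "work" secret key is genuinely absent where the revocation is made, and feeds the interactive prompts through --command-fd 0 so it runs unattended. The user IDs, directory layout, status words and helper function names are all assumptions.

```shell
#!/bin/sh
# Added example (not code from the original question or answer): the
# home/work designated-revoker workflow end to end, with throwaway keys in
# two separate GnuPG home directories, so the "work" secret key really is
# absent when the revocation is made from "home".  Assumes GnuPG 2.1 or
# newer (--quick-gen-key, --pinentry-mode loopback).  User IDs are constructed.
set -u

# True when a usable gpg (GnuPG >= 2.1) is installed.
have_gpg() {
    command -v gpg >/dev/null 2>&1 || return 1
    ver=$(gpg --version 2>/dev/null | sed -n '1s/.* //p')   # e.g. 2.2.27
    case "$ver" in 2.[1-9]*|[3-9]*) return 0 ;; *) return 1 ;; esac
}

# Fingerprint of the primary key in a home directory (first "fpr" record).
first_fpr() {
    gpg --homedir "$1" --batch --with-colons --list-keys 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Create a passphrase-less test key so no pinentry is needed later.
make_key() {   # make_key <homedir> <user-id>
    gpg --homedir "$1" --batch --yes --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" rsa2048 default never >/dev/null 2>&1
}

# Prints one word and returns 0 unless the word is "failed":
#   skipped  - no suitable gpg on this machine
#   created  - designated revocation certificate produced and inspected
#   revoked  - additionally, importing it at home marked the work key revoked
desig_revoke_demo() {
    have_gpg || { echo skipped; return 0; }
    tmp=$(mktemp -d) || { echo failed; return 1; }
    work="$tmp/work"; home="$tmp/home"
    mkdir -m 700 "$work" "$home"
    status=failed

    make_key "$home" "PryrtCJ <PryrtCJ@home.example>" &&
    make_key "$work" "PryrtCJ <PryrtCJ@work.example>" &&
    home_fpr=$(first_fpr "$home") && work_fpr=$(first_fpr "$work") &&
    # long key ID = last 16 hex digits of the fingerprint
    home_kid=$(printf '%s' "$home_fpr" | awk '{ print substr($0, length($0) - 15) }') &&

    # 1. At work: import the home public key and appoint it as designated
    #    revoker (what the question did with "addrevoker").  Answers to the
    #    interactive prompts arrive on stdin through --command-fd 0: the
    #    revoker's fingerprint, "y" to confirm, "save" to write the key.
    gpg --homedir "$home" --batch --armor --export "$home_fpr" >"$tmp/home.pub" &&
    gpg --homedir "$work" --batch --import "$tmp/home.pub" >/dev/null 2>&1 &&
    printf 'addrevoker\n%s\ny\nsave\n' "$home_fpr" |
        gpg --homedir "$work" --no-tty --command-fd 0 --status-fd 2 \
            --edit-key "$work_fpr" >/dev/null 2>&1 &&

    # 2. Carry the work public key, now carrying the revoker designation, home.
    #    At home the designation shows up as an "rvk" record naming the home key.
    gpg --homedir "$work" --batch --armor --export "$work_fpr" >"$tmp/work.pub" &&
    gpg --homedir "$home" --batch --import "$tmp/work.pub" >/dev/null 2>&1 &&
    gpg --homedir "$home" --batch --with-colons --list-keys "$work_fpr" 2>/dev/null |
        grep -qi "^rvk:.*:$home_fpr:" &&

    # 3. At home: --desig-revoke, not --gen-revoke.  Prompts answered via stdin:
    #    create certificate? y; reason 0 (none); empty description; okay? y
    printf 'y\n0\n\ny\n' |
        gpg --homedir "$home" --no-tty --command-fd 0 --status-fd 2 --yes --armor \
            --output "$tmp/revoke-work.asc" --desig-revoke "$work_fpr" >/dev/null 2>&1 &&

    # 4. Inspect the certificate: a key-revocation signature (class 0x20)
    #    issued by the home key, which holds no secret material of the work key.
    gpg --homedir "$home" --batch --list-packets "$tmp/revoke-work.asc" \
        >"$tmp/pkts" 2>/dev/null &&
    grep -q 'sigclass 0x20' "$tmp/pkts" && grep -q "keyid $home_kid" "$tmp/pkts" &&
    status=created

    # 5. Try to apply it at home: "r" in the validity field of the pub record
    #    means this gpg accepted the standalone certificate and flagged the key.
    if [ "$status" = created ] &&
       gpg --homedir "$home" --batch --import "$tmp/revoke-work.asc" >/dev/null 2>&1 &&
       gpg --homedir "$home" --batch --with-colons --list-keys "$work_fpr" 2>/dev/null |
           grep -q '^pub:r:'; then
        status=revoked
    fi

    for d in "$home" "$work"; do GNUPGHOME=$d gpgconf --kill gpg-agent >/dev/null 2>&1; done
    rm -rf "$tmp"
    echo "$status"
    [ "$status" != failed ]
}

desig_revoke_demo
```

Run it as a script: it prints created once the designated revocation certificate has been produced from the home keyring alone and checked to be a class 0x20 signature issued by the home key, and revoked if this GnuPG version also accepts the standalone certificate on import and marks the work key accordingly. What to do with the certificate afterwards (keyserver, correspondents) is outside what the answer covers.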