How to revoke a GPG Key and upload in GPG server

code-signinggnupgprivate-key

I have create GPG Keys for code signing and created a revocation certificate also. As far as I know, if key is compromised then i can revoke the key using revocation certificate.

Can someone suggest me how to revoke my key with revocation certificate? Also one more doubt is, after revoking keys should I upload at any GPG Key server? So that someone using my keys to verify code signing can check whether Key is revoked or not before using my code signed files.

if uploading in key server is not required then how my customer can check key is revoked or not?

Best Answer

This a summary of the steps for revoking, based on the article GPG: Revoking your public key and notifiying key-server. The following assumes that the key server is pgp.mit.edu.

List keys

gpg --list-keys

Revoke your key

gpg --output revoke.asc --gen-revoke key-ID

Import revocation certificate into your keyring

gpg --import revoke.asc

Search your key on the key-server

gpg --keyserver pgp.mit.edu --search-keys key-ID

Send the revoked key to the key-server

gpg --keyserver pgp.mit.edu --send-keys key-ID

Related Solutions

Un-revoke PGP key

It turns out that it is possible (and relatively simple) to delete and re-import the key, provided that it is on a keyserver (and provided that the revocation has not been sent to the keyserver, of course).

This is what I found to work (THEKEYID is the short ID of the key):

Delete the public key as follows (the --expert option allows the public key to be deleted whilst the private key is kept) :
gpg --expert --delete-key THEKEYID
Confirm by pressing:
y
Fetch the public key again from a keyserver:
gpg --keyserver subkeys.pgp.net --recv-keys THEKEYID

Done!

Presumably this could also be done from a local (pre-revocation) backup of the public key, using gpg --import public.key instead of the third command.

Simply deleting the entire key (public and private) from the GPG Keychain Access GUI, and then restoring from a backup, did not work - I don't know why.

How to generate the revocation certificate after being made a revoker with GnuPG

Do not use --gen-revoke, but --desig-revoke instead. From man gpg:

--desig-revoke name
       Generate a designated revocation certificate for a key. This allows a
       user (with the permission of the keyholder) to revoke someone else's key.

GnuPG will ask you whether you want to create a revocation certificate for this other key, for example revoking 0xdeadbeef with a key you're using:

$ gpg --desig-revoke 0xDEADBEEF

pub  1024R/DEADBEEF 2015-02-25 Alice

To be revoked by:

sec  2048R/E6F0D5F6 2015-02-25 Bob

Create a designated revocation certificate for this key? (y/N)

[...]

--desig-revoke will output the ascii-armored revocation certificate.

Best Answer

Related Solutions

Un-revoke PGP key

How to generate the revocation certificate after being made a revoker with GnuPG

Related Question