What to do when a user switches to a new key


I have some public keys of multiple users in my keyring in GnuPG. One of these users has switched to a new public key. I still have the user's old key which has an assigned trust of ultimate. I just assigned the same trust to his new key.

He does not use the old key anymore. What should I do with the old key? Should I withdraw trust, or revoke it? What is the correct procedure in such a case?

Best Answer

First of all, ultimate trust shouldn't be used for others' keys, full trust is enough. If you issued ultimate trust to make the key itself valid, you misunderstood the web of trust concept. If you just wanted all his certifications to be valid for you (thus, extending your web of trust), full trust is enough, if you at the same time certified him.

Regarding your actual question: this depends a little bit on the situation.

  • You will not be able to revoke the other's key. Has the key's owner revoked it? If so, he should just send you the revocation certificate -- for example by uploading it to the key servers, where you can fetch it again. If the key is revoked, you do not have to care about trust any more anyway.
  • The key owner has lost control over the key, but cannot revoke it any more. For example, somebody stole the laptop with the only copy of the key, and the owner doesn't have a revocation certificate (very bad idea). Now it's up to you to fix the situation, by withdrawing trust and setting it to "never". Also consider doing the same with his new key, as there seem to be major issues with the owner's key handling. This does not change validity of his key (if you signed it), it just makes sure certifications issued by it won't be used for validity calculation of others.
  • The key owner just doesn't want to use the key any more, but still owns it and wants to keep the reputation in the web of trust he built up (which you probably also want to make use of): Just import his new key, and don't care about the old one at all. Apart from changing trust from "ultimate" to "full".

    If you want to make sure you're not accidentally encrypting to his old key, disable it by running gpg --edit-key [key-id], then using GnuPG's disable command.
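The second and third cases above can be rehearsed non-interactively. The script below is an added example, not code from the question or the answer: it builds a throwaway GNUPGHOME, generates a constructed stand-in for the user's old key (the user ID `Old Key <old@example.invalid>` is made up), sets its ownertrust to "never" with `--import-ownertrust`, runs the `disable` command through `--command-fd` instead of an interactive `--edit-key` session, and then confirms both changes from `--with-colons` output (field 9 is ownertrust, field 12 carries `D` for a disabled key). It assumes GnuPG 2.1 or later for `--quick-generate-key`; if `gpg` is missing or key generation fails in the environment, the function reports `skipped` rather than a false result.

```shell
#!/bin/sh
# Added example (not from the original Q&A): retire a correspondent's old key
# by withdrawing ownertrust and disabling it, then verify in a temporary keyring.

demo_retire_old_key() {
  command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
  tmp=$(mktemp -d) || { echo skipped; return 0; }
  chmod 700 "$tmp"
  export GNUPGHOME="$tmp"

  # Constructed throwaway key standing in for the user's old key (no passphrase).
  if ! gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Old Key <old@example.invalid>' default default never 2>/dev/null; then
    rm -rf "$tmp"; unset GNUPGHOME
    echo skipped; return 0
  fi

  # Fingerprint from the machine-readable listing ("fpr" record, field 10).
  fpr=$(gpg --batch --with-colons --with-fingerprint --list-keys 'old@example.invalid' \
        | awk -F: '$1=="fpr"{print $10; exit}')

  # Ownertrust "never" (3); other values: 2=undefined 4=marginal 5=full 6=ultimate.
  printf '%s:3:\n' "$fpr" | gpg --batch --quiet --import-ownertrust 2>/dev/null
  gpg --batch --quiet --check-trustdb 2>/dev/null

  # Non-interactive equivalent of: gpg --edit-key <key-id>  ->  disable  ->  save
  printf 'disable\nsave\n' | gpg --batch --quiet --command-fd 0 --edit-key "$fpr" 2>/dev/null

  # Read back the "pub" record: field 9 = ownertrust, field 12 = capabilities (D = disabled).
  line=$(gpg --batch --with-colons --list-keys "$fpr" | awk -F: '$1=="pub"{print; exit}')
  trust=$(printf '%s' "$line" | cut -d: -f9)
  caps=$(printf '%s' "$line" | cut -d: -f12)

  gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$tmp"
  unset GNUPGHOME

  case "$caps" in *D*) ;; *) echo "not-disabled:$caps"; return 1 ;; esac
  [ "$trust" = "n" ] || { echo "trust:$trust"; return 1; }
  echo disabled
}

demo_retire_old_key
```

A disabled key is skipped when gpg picks recipients, so an old `-r name@example` still resolves to the new key; the ownertrust of "never" additionally keeps any certifications that the old key made from counting in your validity calculations, which is the part that matters in the stolen-laptop case.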
