Revoked and expired GPG subkeys should keep verified tag on old signature #1099
Description
I'm not sure if it's an issue or a bad manipulation from me, but I don't know how to do it another way.
In order to keep my master key secure and valid, I'm trying to do what is explained in this article.
I'll first explain what I did to test, step by step.
First, I create the main key with certificate role only (C).
GPG main key creation:
$ gpg --full-gen-key --expert
gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC and ECC
(10) ECC (sign only)
(11) ECC (set your own capabilities)
Your selection? 8
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? e
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Sullivan Senechal
Email address: soullivaneuh@gmail.com
Comment:
You selected this USER-ID:
"Sullivan Senechal <soullivaneuh@gmail.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 2886875B5AF6449D marked as ultimately trusted
gpg: revocation certificate stored as '/home/sullivan/.gnupg/openpgp-revocs.d/9E0BCC27843CF75E7604AFFD2886875B5AF6449D.rev'
public and secret key created and signed.
pub rsa2048 2017-10-21 [C]
9E0BCC27843CF75E7604AFFD2886875B5AF6449D
uid Sullivan Senechal <soullivaneuh@gmail.com>
Then, I add a signing (S) subkey.
GPG signing subkey creation:
$ gpg --edit-key 9E0BCC27843CF75E7604AFFD2886875B5AF6449D
gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
sec rsa2048/2886875B5AF6449D
created: 2017-10-21 expires: never usage: C
trust: ultimate validity: ultimate
[ultimate] (1). Sullivan Senechal <soullivaneuh@gmail.com>
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec rsa2048/2886875B5AF6449D
created: 2017-10-21 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa2048/05A1185713266A40
created: 2017-10-21 expires: never usage: S
[ultimate] (1). Sullivan Senechal <soullivaneuh@gmail.com>
gpg> save
Then I export all the parts and secure my key by re-importing only the subkeys:
$ gpg -a --export 9E0BCC27843CF75E7604AFFD2886875B5AF6449D > key.pub
$ gpg -a --export-secret-keys 9E0BCC27843CF75E7604AFFD2886875B5AF6449D > key.priv
$ gpg -a --export-secret-subkeys 9E0BCC27843CF75E7604AFFD2886875B5AF6449D > sub.priv
$ ls -l
total 12
-rw-r--r-- 1 sullivan sullivan 3847 oct. 21 10:50 key.priv
-rw-r--r-- 1 sullivan sullivan 2082 oct. 21 10:50 key.pub
-rw-r--r-- 1 sullivan sullivan 2978 oct. 21 10:51 sub.priv
$ gpg --delete-secret-keys 9E0BCC27843CF75E7604AFFD2886875B5AF6449D
$ gpg --import sub.priv
Then I add the pub key here: https://github.com/settings/keys
I edit my .gitconfig to tell git to use my GPG key, with the main ID:
[user]
name = Sullivan SENECHAL
email = soullivaneuh@gmail.com
signingkey = 9E0BCC27843CF75E7604AFFD2886875B5AF6449D
And I push a test commit, signed with the key. Yay! It's verified and signed with the subkey.
Well. Now imagine the fact my computer was stolen and my subkey is compromised. So I have to revoke it and create a new one. Let's go.
GPG subkey revocation and add:
$ gpg --import key.priv
gpg: key 2886875B5AF6449D: "Sullivan Senechal <soullivaneuh@gmail.com>" not changed
gpg: key 2886875B5AF6449D: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1
$ gpg --edit-key 9E0BCC27843CF75E7604AFFD2886875B5AF6449D
gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa2048/2886875B5AF6449D
created: 2017-10-21 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa2048/05A1185713266A40
created: 2017-10-21 expires: never usage: S
[ultimate] (1). Sullivan Senechal <soullivaneuh@gmail.com>
gpg> key 1
sec rsa2048/2886875B5AF6449D
created: 2017-10-21 expires: never usage: C
trust: ultimate validity: ultimate
ssb* rsa2048/05A1185713266A40
created: 2017-10-21 expires: never usage: S
[ultimate] (1). Sullivan Senechal <soullivaneuh@gmail.com>
gpg> revkey
Do you really want to revoke this subkey? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
Your decision? 1
Enter an optional description; end it with an empty line:
> Sigh. My PC was stolen. :-(
>
Reason for revocation: Key has been compromised
Sigh. My PC was stolen. :-(
Is this okay? (y/N) y
sec rsa2048/2886875B5AF6449D
created: 2017-10-21 expires: never usage: C
trust: ultimate validity: ultimate
The following key was revoked on 2017-10-21 by RSA key 2886875B5AF6449D Sullivan Senechal <soullivaneuh@gmail.com>
ssb rsa2048/05A1185713266A40
created: 2017-10-21 revoked: 2017-10-21 usage: S
[ultimate] (1). Sullivan Senechal <soullivaneuh@gmail.com>
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec rsa2048/2886875B5AF6449D
created: 2017-10-21 expires: never usage: C
trust: ultimate validity: ultimate
The following key was revoked on 2017-10-21 by RSA key 2886875B5AF6449D Sullivan Senechal <soullivaneuh@gmail.com>
ssb rsa2048/05A1185713266A40
created: 2017-10-21 revoked: 2017-10-21 usage: S
ssb rsa2048/BAF63FC60659C512
created: 2017-10-21 expires: never usage: S
[ultimate] (1). Sullivan Senechal <soullivaneuh@gmail.com>
gpg> save
$ gpg -a --export 9E0BCC27843CF75E7604AFFD2886875B5AF6449D > key.pub
$ gpg -a --export-secret-subkeys 9E0BCC27843CF75E7604AFFD2886875B5AF6449D > sub.priv
$ gpg -a --export-secret-keys 9E0BCC27843CF75E7604AFFD2886875B5AF6449D > key.priv
$ gpg --delete-secret-keys 9E0BCC27843CF75E7604AFFD2886875B5AF6449D
$ gpg --import sub.priv
I now have my revoked key and my fancy new one.
I remove the old GPG key from my GitHub account and replace it with the new one:
And there is the issue. The old subkey is not here anymore and the old commit is not verified at all:
But, according to pgpdump, the concerned subkey is still here and marked as revoked with the accurate date and time.
Dump of the final GPG pubkey:
Old: Public Key Packet(tag 6)(269 bytes)
Ver 4 - new
Public key creation time - Sat Oct 21 10:43:12 CEST 2017
Pub alg - RSA Encrypt or Sign(pub 1)
RSA n(2048 bits) - ...
RSA e(17 bits) - ...
Old: User ID Packet(tag 13)(42 bytes)
User ID - Sullivan Senechal <soullivaneuh@gmail.com>
Old: Signature Packet(tag 2)(311 bytes)
Ver 4 - new
Sig type - Positive certification of a User ID and Public Key packet(0x13).
Pub alg - RSA Encrypt or Sign(pub 1)
Hash alg - SHA256(hash 8)
Hashed Sub: signature creation time(sub 2)(4 bytes)
Time - Sat Oct 21 10:43:12 CEST 2017
Hashed Sub: key flags(sub 27)(1 bytes)
Flag - This key may be used to certify other keys
Hashed Sub: preferred symmetric algorithms(sub 11)(4 bytes)
Sym alg - AES with 256-bit key(sym 9)
Sym alg - AES with 192-bit key(sym 8)
Sym alg - AES with 128-bit key(sym 7)
Sym alg - Triple-DES(sym 2)
Hashed Sub: preferred hash algorithms(sub 21)(5 bytes)
Hash alg - SHA256(hash 8)
Hash alg - SHA384(hash 9)
Hash alg - SHA512(hash 10)
Hash alg - SHA224(hash 11)
Hash alg - SHA1(hash 2)
Hashed Sub: preferred compression algorithms(sub 22)(3 bytes)
Comp alg - ZLIB <RFC1950>(comp 2)
Comp alg - BZip2(comp 3)
Comp alg - ZIP <RFC1951>(comp 1)
Hashed Sub: features(sub 30)(1 bytes)
Flag - Modification detection (packets 18 and 19)
Hashed Sub: key server preferences(sub 23)(1 bytes)
Flag - No-modify
Sub: issuer key ID(sub 16)(8 bytes)
Key ID - 0x2886875B5AF6449D
Hash left 2 bytes - 59 4e
RSA m^d mod n(2044 bits) - ...
-> PKCS-1
Old: Public Subkey Packet(tag 14)(269 bytes)
Ver 4 - new
Public key creation time - Sat Oct 21 10:48:41 CEST 2017
Pub alg - RSA Encrypt or Sign(pub 1)
RSA n(2048 bits) - ...
RSA e(17 bits) - ...
Old: Signature Packet(tag 2)(314 bytes)
Ver 4 - new
Sig type - Subkey revocation signature(0x28).
Pub alg - RSA Encrypt or Sign(pub 1)
Hash alg - SHA256(hash 8)
Hashed Sub: signature creation time(sub 2)(4 bytes)
Time - Sat Oct 21 11:08:34 CEST 2017
Hashed Sub: reason for revocation(sub 29)(28 bytes)
Reason - Key material has been compromised
Comment - Sigh. My PC was stolen. :-(
Sub: issuer key ID(sub 16)(8 bytes)
Key ID - 0x2886875B5AF6449D
Hash left 2 bytes - 0a ab
RSA m^d mod n(2047 bits) - ...
-> PKCS-1
Old: Signature Packet(tag 2)(574 bytes)
Ver 4 - new
Sig type - Subkey Binding Signature(0x18).
Pub alg - RSA Encrypt or Sign(pub 1)
Hash alg - SHA256(hash 8)
Hashed Sub: signature creation time(sub 2)(4 bytes)
Time - Sat Oct 21 10:48:41 CEST 2017
Hashed Sub: key flags(sub 27)(1 bytes)
Flag - This key may be used to sign data
Sub: issuer key ID(sub 16)(8 bytes)
Key ID - 0x2886875B5AF6449D
Sub: embedded signature(sub 32)(284 bytes)
Ver 4 - new
Sig type - Primary Key Binding Signature(0x19).
Pub alg - RSA Encrypt or Sign(pub 1)
Hash alg - SHA256(hash 8)
Hashed Sub: signature creation time(sub 2)(4 bytes)
Time - Sat Oct 21 10:48:41 CEST 2017
Sub: issuer key ID(sub 16)(8 bytes)
Key ID - 0x05A1185713266A40
Hash left 2 bytes - e4 2e
RSA m^d mod n(2048 bits) - ...
-> PKCS-1
Hash left 2 bytes - af c7
RSA m^d mod n(2045 bits) - ...
-> PKCS-1
Old: Public Subkey Packet(tag 14)(269 bytes)
Ver 4 - new
Public key creation time - Sat Oct 21 11:08:38 CEST 2017
Pub alg - RSA Encrypt or Sign(pub 1)
RSA n(2048 bits) - ...
RSA e(17 bits) - ...
Old: Signature Packet(tag 2)(574 bytes)
Ver 4 - new
Sig type - Subkey Binding Signature(0x18).
Pub alg - RSA Encrypt or Sign(pub 1)
Hash alg - SHA256(hash 8)
Hashed Sub: signature creation time(sub 2)(4 bytes)
Time - Sat Oct 21 11:08:38 CEST 2017
Hashed Sub: key flags(sub 27)(1 bytes)
Flag - This key may be used to sign data
Sub: issuer key ID(sub 16)(8 bytes)
Key ID - 0x2886875B5AF6449D
Sub: embedded signature(sub 32)(284 bytes)
Ver 4 - new
Sig type - Primary Key Binding Signature(0x19).
Pub alg - RSA Encrypt or Sign(pub 1)
Hash alg - SHA256(hash 8)
Hashed Sub: signature creation time(sub 2)(4 bytes)
Time - Sat Oct 21 11:08:38 CEST 2017
Sub: issuer key ID(sub 16)(8 bytes)
Key ID - 0xBAF63FC60659C512
Hash left 2 bytes - dc d9
RSA m^d mod n(2048 bits) - ...
-> PKCS-1
Hash left 2 bytes - 6f 5f
RSA m^d mod n(2044 bits) - ...
-> PKCS-1
So, AFAIK, the commits and tags signed before the revocation date should stay with a verified status.
If not, what is the goal of making a subkey if, in any case, all your commits and tags will be unverified as soon as the subkey is revoked? I don't get it. In this case, I'm sure lots of people are continuing to use the key even if it is compromised. 😔 🤔
BTW, I have another question related to this issue. I have a current GPG key signing my commits. It was created while I was a true beginner and it uses master keys. I would like to revoke it to not be able to use it at all but without losing my old tag and commit signature verification. Is that even possible?
Regards.
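
Added example (not part of the original issue, and not GitHub's implementation): a small Python parser for pgpdump output like the dump above that reads each subkey's revocation time and reason, then applies the RFC 4880 distinction between a "key compromised" revocation, where every signature by that key is suspect, and a "superseded" or "no longer used" revocation, where older signatures stay valid. The function names, the status strings, the abridged sample dump and the choice to treat a missing reason as a hard revocation are assumptions of this sketch.

```python
import re
from datetime import datetime

# Constructed excerpt: subkey packets abridged from the pgpdump output above.
DUMP = """\
Old: Public Subkey Packet(tag 14)(269 bytes)
    Sig type - Subkey revocation signature(0x28).
        Time - Sat Oct 21 11:08:34 CEST 2017
        Reason - Key material has been compromised
    Sig type - Subkey Binding Signature(0x18).
        Sig type - Primary Key Binding Signature(0x19).
            Key ID - 0x05A1185713266A40
Old: Public Subkey Packet(tag 14)(269 bytes)
    Sig type - Subkey Binding Signature(0x18).
        Sig type - Primary Key Binding Signature(0x19).
            Key ID - 0xBAF63FC60659C512
"""

def parse_time(text):
    # Drop the zone token (strptime's %Z is unreliable); every time in the dump shares one zone.
    _wd, mon, day, clock, _zone, year = text.split()
    return datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")

def parse_subkeys(dump):
    subkeys, cur, sig = {}, {}, None  # cur starts as a throwaway dict for primary-key packets
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("Old: Public Subkey Packet"):
            cur, sig = {"revoked_at": None, "reason": None}, None
        elif m := re.match(r"Sig type - .*\((0x[0-9a-f]+)\)", line):
            sig = m.group(1)
        elif sig == "0x28" and line.startswith("Time - "):
            cur["revoked_at"] = parse_time(line[7:])
        elif sig == "0x28" and line.startswith("Reason - "):
            cur["reason"] = line[9:]
        elif sig == "0x19" and line.startswith("Key ID - 0x"):
            subkeys[line[11:]] = cur  # the 0x19 back-signature is issued by the subkey itself
    return subkeys

def signature_status(subkeys, key_id, signed_at):
    key = subkeys.get(key_id)
    if key is None:
        return "unknown-key"
    if key["revoked_at"] is None:
        return "valid"
    # Hard revocation (compromise; a missing reason is assumed hard): claimed time is untrusted.
    if key["reason"] is None or "compromised" in key["reason"]:
        return "untrusted-hard-revocation"
    return "valid" if signed_at < key["revoked_at"] else "made-after-revocation"
```

With the revocation reason chosen in the session above (1 = Key has been compromised), a signature dated before 11:08:34 is still reported as untrusted, because whoever holds the key also sets the signature's creation time.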



