Bug#1101007: regression: gpg --edit-key clean removes signature that was kept in 2.2.45

Uwe Kleine-König Fri, 21 Mar 2025 10:45:36 -0700

Package: gnupg
Version: 2.2.46-5
Severity: normal
X-Debbugs-Cc: uklei...@debian.org


Hello,

        uwe@taurus:~$ keyringgpghome="$(mktemp -d)"

        uwe@taurus:~$ gpg --homedir "$keyringgpghome" --locate-external-key 
tgamb...@baylibre.com u.kleine-koe...@baylibre.com
        gpg: keybox '/tmp/tmp.U5pMuWLasg/pubring.kbx' created
        gpg: /tmp/tmp.U5pMuWLasg/trustdb.gpg: trustdb created
        gpg: key E2DCDD9132669BD6: public key "Uwe Kleine-König 
<u.kleine-koe...@baylibre.com>" imported
        gpg: Total number processed: 1
        gpg:               imported: 1
        gpg: no ultimately trusted keys found
        gpg: key B0D589D46708EC99: public key "Trevor Gamblin 
<tgamb...@baylibre.com>" imported
        gpg: Total number processed: 1
        gpg:               imported: 1
        gpg: no ultimately trusted keys found
        pub   rsa4096 2010-06-15 [SC] [expires: 2027-06-21]
              0D2511F322BFAB1C1580266BE2DCDD9132669BD6
        uid           [ unknown] Uwe Kleine-König <u.kleine-koe...@baylibre.com>
        sub   rsa2048 2023-03-17 [A] [expires: 2027-06-21]
        sub   rsa2048 2023-03-17 [S] [expires: 2027-06-21]
        sub   rsa2048 2023-03-17 [E] [expires: 2027-06-21]

        pub   rsa4096 2024-11-19 [C] [expires: 2026-11-19]
              A3A9D4BDAB1069811F48D30EB0D589D46708EC99
        uid           [ unknown] Trevor Gamblin <tgamb...@baylibre.com>
        sub   cv25519 2024-11-19 [E]
        sub   ed25519 2024-11-19 [S]
        sub   ed25519 2024-11-19 [A]

        uwe@taurus:~$ gpg --homedir "$keyringgpghome" --list-sigs --with-colon 
E2DCDD9132669BD6 | grep -E '(^pub|^uid|B0D589D46708EC99)'
        
pub:-:4096:1:E2DCDD9132669BD6:1276614694:1813572000::-:::scESCA::::::23:1742578410:4:
        uid:-::::1739887646::7E218F31504E286A852C2E05459BA0DC22FF34AE::Uwe 
Kleine-König <u.kleine-koe...@baylibre.com>:::::::::1742578410:4 
https\x3a//openpgpkey.baylibre.com:
        sig:::1:B0D589D46708EC99:1732894509::::Trevor Gamblin 
<tgamb...@baylibre.com>:10x::A3A9D4BDAB1069811F48D30EB0D589D46708EC99:::10:

So my key E2DCDD9132669BD6 has a signature by Trevor's key.

        uwe@taurus:~$ gpg --homedir "$keyringgpghome" --edit-key 
E2DCDD9132669BD6 clean save
        gpg (GnuPG) 2.2.46; Copyright (C) 2024 g10 Code GmbH
        This is free software: you are free to change and redistribute it.
        There is NO WARRANTY, to the extent permitted by law.


        pub  rsa4096/E2DCDD9132669BD6
             created: 2010-06-15  expires: 2027-06-21  usage: SC
             trust: unknown       validity: unknown
        The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 
Uwe Kleine-König <u.kleine-koe...@baylibre.com>
        sub  rsa2048/DB334D9FBE6A05BF
             created: 2015-01-11  revoked: 2023-03-17  usage: A
        The following key was revoked on 2015-01-11 by RSA key E2DCDD9132669BD6 
Uwe Kleine-König <u.kleine-koe...@baylibre.com>
        sub  rsa4096/3C3A2D28B94A2928
             created: 2010-06-15  revoked: 2015-01-11  usage: E
        The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 
Uwe Kleine-König <u.kleine-koe...@baylibre.com>
        sub  rsa2048/C1FC1478ADCAEC09
             created: 2015-01-11  revoked: 2023-03-17  usage: S
        sub  rsa2048/B29A43280A6EF95B
             created: 2023-03-17  expires: 2027-06-21  usage: A
        sub  rsa2048/8F80FB587D12FE4E
             created: 2023-03-17  expires: 2027-06-21  usage: S
        sub  rsa2048/120E75698E64909B
             created: 2023-03-17  expires: 2027-06-21  usage: E
        The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 
Uwe Kleine-König <u.kleine-koe...@baylibre.com>
        sub  rsa2048/F2FF566A57C91BC7
             created: 2015-01-11  revoked: 2023-03-17  usage: E
        [ unknown] (1). Uwe Kleine-König <u.kleine-koe...@baylibre.com>

        User ID "Uwe Kleine-König <u.kleine-koe...@baylibre.com>": 7 signatures 
removed

        pub  rsa4096/E2DCDD9132669BD6
             created: 2010-06-15  expires: 2027-06-21  usage: SC
             trust: unknown       validity: unknown
        The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 
Uwe Kleine-König <u.kleine-koe...@baylibre.com>
        sub  rsa2048/DB334D9FBE6A05BF
             created: 2015-01-11  revoked: 2023-03-17  usage: A
        The following key was revoked on 2015-01-11 by RSA key E2DCDD9132669BD6 
Uwe Kleine-König <u.kleine-koe...@baylibre.com>
        sub  rsa4096/3C3A2D28B94A2928
             created: 2010-06-15  revoked: 2015-01-11  usage: E
        The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 
Uwe Kleine-König <u.kleine-koe...@baylibre.com>
        sub  rsa2048/C1FC1478ADCAEC09
             created: 2015-01-11  revoked: 2023-03-17  usage: S
        sub  rsa2048/B29A43280A6EF95B
             created: 2023-03-17  expires: 2027-06-21  usage: A
        sub  rsa2048/8F80FB587D12FE4E
             created: 2023-03-17  expires: 2027-06-21  usage: S
        sub  rsa2048/120E75698E64909B
             created: 2023-03-17  expires: 2027-06-21  usage: E
        The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 
Uwe Kleine-König <u.kleine-koe...@baylibre.com>
        sub  rsa2048/F2FF566A57C91BC7
             created: 2015-01-11  revoked: 2023-03-17  usage: E
        [ unknown] (1). Uwe Kleine-König <u.kleine-koe...@baylibre.com>

        uwe@taurus:~$ gpg --homedir "$keyringgpghome" --list-sigs --with-colon 
E2DCDD9132669BD6 | grep -E '(^pub|^uid|B0D589D46708EC99)'
        
pub:-:4096:1:E2DCDD9132669BD6:1276614694:1813572000::-:::scESCA::::::23:1742578410:4:
        uid:-::::1739887646::7E218F31504E286A852C2E05459BA0DC22FF34AE::Uwe 
Kleine-König <u.kleine-koe...@baylibre.com>:::::::::1742578410:4 
https\x3a//openpgpkey.baylibre.com:

So "clean"ing my key removed Trevor's signature.

With gnupg 2.2.45-2 the same sequence keeps the signature. With my
current understanding 2.2.45-2 is right to keep the signature and it's a
bug in 2.2.46-5 to drop it.

I have a few more reproducers and it's always only Trevor's signature
that is removed.

Best regards
Uwe

-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (750, 'testing-debug'), (750, 'testing'), (700, 
'stable-updates'), (700, 'stable-security'), (700, 'stable-debug'), (700, 
'stable'), (600, 'unstable'), (500, 'unstable-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 6.12.6-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnupg depends on:
ii  dirmngr     2.2.46-5
ii  gnupg-l10n  2.2.46-5
ii  gpg         2.2.46-5
ii  gpg-agent   2.2.46-5
ii  gpgsm       2.2.46-5

Versions of packages gnupg recommends:
ii  gnupg-utils     2.2.46-5
ii  gpg-wks-client  2.2.46-5
ii  gpgv            2.2.46-5

Versions of packages gnupg suggests:
ii  gpg-wks-server  2.2.46-5
pn  parcimonie      <none>
pn  xloadimage      <none>

-- no debconf information

Bug#1101007: regression: gpg --edit-key clean removes signature that was kept in 2.2.45

Reply via email to