How can I update the signature of a PGP subkey
My public PGP key has a sub key with a signature (self-signed) that contains an invalid policy URL. How can I update the signature and remove the policy?
Using gpg (GnuPG) 1.4.21 on macOS Sierra, 10.12.3 (16D32)
gnupg
edited Jan 2 at 15:28
kinnla
asked Feb 3 '17 at 17:44
kinnla
214
1 Answer
Not really a solution, but that's how I dealt with the issue (using GnuPG 2.2).
First, I had the same problem with my UIDs. That could be solved: remove the policy URL from the gpg.conf, then delete the signatures (gpg --edit-key and delsig) and self-sign the UIDs again with the primary key.
For sub keys this approach does not work. Each sub key has to be signed by the primary key once it is created; additional signatures don't make sense. So for GnuPG there is no need to support editing or adding sub key signatures. So I had to try something else (test case with a UID "test").
- Export the complete key:
  gpg --export-secret-key test > testexport
- Split the key into packets:
  gpgsplit testexport
- Remove the packet that contains the invalid signature. In my test case the sub key signature was contained in the last of the snippet files, named 000006-002.sig. You can double-check and examine the contents by
  gpg --list-packets 000006-002.sig
- Create a signature for the snippet containing the secret sub key:
  gpg --local-user test --output 000006.newsig --detach-sign 000005-007.secret_subkey
- Put the snippets, including the new signature, back together:
  cat 0* > newkey
- Delete the (old) key from the keyring:
  gpg --delete-key test
- Import the new key back to the keyring:
  gpg --import newkey
But for the sub key the import unfortunately failed as the signature was not valid.
So this approach was too naive, and one should look deeper into OpenPGP signatures in order to create a valid one.
In the end, as meanwhile my key had been uploaded to a key server by someone else, I decided to revoke the sub key and created a new one.
answered Jan 2 at 16:27
kinnla
214
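The step that failed above is the detached signature: `gpg --detach-sign` signs the raw bytes of the snippet file (a signature of type 0x00), whereas GnuPG only accepts a subkey binding signature (type 0x18) in that position, and a binding signature is computed over the primary key packet body and the subkey packet body together with the signature's own hashed fields (RFC 4880 section 5.2.4), not over the file contents. The following script is an added example, written for this page and not part of GnuPG or of the answer above. It walks an OpenPGP packet stream (a full `gpg --export` file or one of the `gpgsplit` pieces), decodes the v4 signature packets and reports every Policy URI subpacket (subpacket type 26, the field that `gpg --list-packets` shows with a `policy:` annotation), so you can confirm which packet still carries the unwanted URL before deleting anything. The embedded sample stream is constructed for the demonstration (the URL, key ID and MPI bytes are placeholders, and the signature would not verify); pass a file path as the first argument to scan a real export instead.

```python
# Added example for this answer (not GnuPG code, not the poster's script): walk an
# OpenPGP packet stream, decode v4 signature packets and report any Policy URI
# subpacket (type 26), so the packet carrying the unwanted URL can be identified.
import struct
import sys

TAG_SIGNATURE, SUB_CREATION, SUB_ISSUER, SUB_POLICY_URI = 2, 2, 16, 26
SIG_TYPES = {0x10: "generic certification", 0x13: "positive certification",
             0x18: "subkey binding", 0x1F: "direct key", 0x28: "subkey revocation"}

def _read_length(data, pos, packet_header):
    """RFC 4880 length octets; packets reserve 224..254 for partial bodies (unsupported)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < (224 if packet_header else 255):
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    if first == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths are not supported")

def iter_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte at offset %d" % pos)
        if ctb & 0x40:                              # new-format header
            tag = ctb & 0x3F
            length, pos = _read_length(data, pos + 1, True)
        else:                                       # old-format header
            tag, lentype = (ctb >> 2) & 0x0F, ctb & 0x03
            if lentype == 3:                        # indeterminate: rest of stream
                length, pos = len(data) - pos - 1, pos + 1
            else:
                size = (1, 2, 4)[lentype]
                length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
                pos += 1 + size
        yield tag, data[pos:pos + length]
        pos += length

def iter_subpackets(area):
    """Yield (type, critical, value) for each subpacket of a hashed/unhashed area."""
    pos = 0
    while pos < len(area):
        length, pos = _read_length(area, pos, False)
        yield area[pos] & 0x7F, bool(area[pos] & 0x80), area[pos + 1:pos + length]
        pos += length

def parse_signature(body):
    """Return type, issuer key ID and Policy URIs of a v4 signature packet body."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hashed_end = 6 + struct.unpack(">H", body[4:6])[0]
    unhashed_len = struct.unpack(">H", body[hashed_end:hashed_end + 2])[0]
    areas = ((body[6:hashed_end], True),
             (body[hashed_end + 2:hashed_end + 2 + unhashed_len], False))
    info = {"type": body[1], "type_name": SIG_TYPES.get(body[1], "other"),
            "issuer": None, "policy_uris": []}
    for area, in_hashed in areas:
        for sub_type, _critical, value in iter_subpackets(area):
            if sub_type == SUB_POLICY_URI:
                info["policy_uris"].append((value.decode("utf-8", "replace"), in_hashed))
            elif sub_type == SUB_ISSUER:
                info["issuer"] = value.hex().upper()
    return info

def find_policy_uris(data):
    """Return [(packet_index, info)] for every signature packet with a Policy URI."""
    hits = []
    for index, (tag, body) in enumerate(iter_packets(data)):
        if tag == TAG_SIGNATURE:
            info = parse_signature(body)
            if info["policy_uris"]:
                hits.append((index, info))
    return hits

def _sub(sub_type, value):                          # encode one short subpacket
    return bytes([len(value) + 1, sub_type]) + value

def build_sample_stream():
    """Constructed sample: a UID packet plus a fake subkey-binding signature whose
    hashed area carries a placeholder Policy URI. The MPI is filler; it would not verify."""
    hashed = (_sub(SUB_CREATION, struct.pack(">I", 1486143000))
              + _sub(SUB_POLICY_URI, b"http://policy.example.invalid/old"))
    unhashed = _sub(SUB_ISSUER, bytes.fromhex("0123456789ABCDEF"))   # placeholder key ID
    sig = (bytes([4, 0x18, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
           + struct.pack(">H", len(unhashed)) + unhashed
           + b"\xab\xcd" + struct.pack(">H", 8) + b"\x80")   # hash prefix, dummy MPI
    return bytes([0xCD, 4]) + b"test" + bytes([0xC2, len(sig)]) + sig

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_stream()
    for index, info in find_policy_uris(data):
        print("packet %d: %s signature, issuer %s" % (index, info["type_name"], info["issuer"]))
        for uri, in_hashed in info["policy_uris"]:
            print("  Policy URI %r in %s area" % (uri, "hashed" if in_hashed else "unhashed"))
```

Because the Policy URI sits in the hashed subpacket area, it is covered by the signature and cannot be edited out without producing a fresh signature from the primary key; for a binding signature that fresh signature has to be a type 0x18 signature over the primary key and subkey material, which is why the answer's eventual choice of revoking the subkey and creating a new one (after removing the policy URL setting from gpg.conf so new signatures no longer carry it) is the sound path.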