Today, I was responding to an issue on Mayfirst's issue tracker, involving the ssh key for a decommissioned server having never been revoked (and thus still active in the monkeysphere). Since the ticket had languished without followup for two years, I wanted to see if the work had been done, and just not commented on, so I went to check for revocations. There was only one problem — I rarely do that and realized that the process wasn't clear in my mind.
A little bit of searching on the Internet turned up descriptions and howtos about creating and publishing revocation certificates, and, many layers of links deep, some version of the GPG manual. Read that for background on key and signature revocation.
To fill the lazy search void that I found, here is a quick and dirty guide to determining revoked keys and signatures.
Checking for key revocation
To get information about a key in your keyring, first make sure you have it in your keyring with gpg --search or gpg --recv-key (e.g. gpg --search "ssh://zimmermann.mayfirst.org"). You can follow along with my examples by pulling the User IDs I use into your local keyring.
If you already had the key in your keyring, now is a good time to refresh it, so that any revocation published since you last fetched it is pulled in. The command below refreshes by the full key fingerprint, which it extracts from the fpr record (field 10) of gpg --with-colons output; the same idiom is used in the rest of the examples.
    0 nat@pigtown:~$ gpg --refresh-key $(gpg --with-colons --fingerprint "ssh://zimmermann.mayfirst.org" |grep fpr |cut -f10 -d ":")
    gpg: refreshing 1 key from hkps://keys.mayfirst.org
    gpg: requesting key 860E8F9C from hkps server keys.mayfirst.org
    gpg: key 860E8F9C: "ssh://zimmermann.mayfirst.org" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1
    0 nat@pigtown:~$
Now, to actually check the key, use gpg --list-key. This is what a non-revoked key looks like:
    0 nat@pigtown:~$ gpg --list-key $(gpg --with-colons --fingerprint "ssh://zimmermann.mayfirst.org" |grep fpr |cut -f10 -d ":")
    pub   2048R/860E8F9C 2008-10-29 [expires: 2014-09-25]
    uid                  ssh://zimmermann.mayfirst.org
    uid                  ssh://zimmerman.mayfirst.org
    0 nat@pigtown:~$
And this is what a revoked key will look like:
    0 nat@pigtown:~$ gpg --list-key $(gpg --with-colons --fingerprint "ssh://sontag.mayfirst.org" |grep fpr |cut -f10 -d ":")
    pub   2048R/AE2C8DE3 2010-09-10 [revoked: 2011-10-30]
    uid                  ssh://sontag.mayfirst.org
    0 nat@pigtown:~$
Observe the "revoked" in the pub line, in the spot where the first example showed an expiration date. A key that has passed its expiration date shows [expired: YYYY-MM-DD] there instead. Bear in mind that gpg can only report a revocation it has actually seen, which is why refreshing the key from the keyserver first matters: a stale local copy of a revoked key still lists as valid.
Checking for signature revocation (and expiration)
To get information about the published signatures on a key, use gpg --check-sigs. Here's what that looks like:
    0 nat@pigtown:~$ gpg --check-sigs $(gpg --with-colons --fingerprint "ssh://ella.mayfirst.org" |grep fpr |cut -f10 -d ":")
    pub   2048R/EF945F28 2010-08-27
    uid                  ssh://ella.mayfirst.org
    sig!3        EF945F28 2010-08-27  ssh://ella.mayfirst.org
    sig!         E3D30824 2011-01-27  Greg Lyle <firstname.lastname@example.org>
    sig!         5F2E4935 2010-08-27  Jamie McClelland <email@example.com>
    sig!   X     D21739E9 2011-01-27  Daniel Kahn Gillmor <firstname.lastname@example.org>
    sig!         D21739E9 2012-10-13  Daniel Kahn Gillmor <email@example.com>
    rev!         5F2E4935 2012-11-17  Jamie McClelland <firstname.lastname@example.org>
    0 nat@pigtown:~$
There is a lot in this output. sig! means that --check-sigs verified this signature against the signer's key; more specifically, it's the "!" that signifies that. A "-" in that position would mean a bad signature, "%" an error while checking (for example an unsupported algorithm), and "?" that the signing key isn't in your keyring, so the signature could not be checked at all. The "3" on the self-signature line is the certification level from the signature class (a level-3 "positive" certification).
The line that starts with rev! for Jamie McClelland is a signature revocation, made on 2012-11-17. Because OpenPGP keyserver data is append-only, the original signature that Jamie made remains on the key; what you can see is that the revocation comes a bit over two years after the signature and from the same key (5F2E4935). That key ID match is the thing to check: a certification revocation only counts when it is issued by the key that made the certification being revoked.
The other thing to observe here is that one of dkg's signatures has expired, which is signified by the "X" right before the key ID. Notice that dkg later signed the service key again (the 2012-10-13 line), so the key still carries a current certification from him.
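To script both of the checks above (key status and certification status) rather than eyeballing them, here is an added example of mine, not code from the original post or from Mayfirst. It reads the machine-readable form of the same listing, gpg --with-colons --check-sigs <fingerprint>, and classifies each key and each certification, treating a certification as revoked only when a verified rev record from the same signing key, dated on or after it, is present. The sample records are constructed by me, modelled on the three listings above, with placeholder fingerprints; nothing here was captured from a keyserver. Assumptions: the field positions are those documented in GnuPG's doc/DETAILS (field 2 status, 5 key ID, 6 creation date, 7 expiration date, 10 user ID, 11 signature class), and dates are in the YYYY-MM-DD form of older GnuPG releases, which compare correctly as plain strings; newer releases print epoch seconds, which this comparison does not handle.

```shell
#!/bin/sh
# Added example, not part of the original post: classify keys and their
# certifications from GnuPG's machine-readable listing, i.e. the output of
#   gpg --with-colons --check-sigs <fingerprint>
# Field positions follow GnuPG's doc/DETAILS: 2 = validity/status,
# 5 = key id, 6 = creation date, 7 = expiration date, 10 = user id
# (the fingerprint on "fpr" records), 11 = signature class.
# Assumption: dates are YYYY-MM-DD (older GnuPG), which compare correctly
# as plain strings; newer GnuPG prints epoch seconds instead.

# Constructed sample modelled on the three listings in the post. Not
# captured from a keyserver; fingerprints are placeholders.
sample_colons() {
cat <<'EOF'
pub:-:2048:1:00000000860E8F9C:2008-10-29:2014-09-25:::::sc:
fpr:::::::::1111111111111111111111111111111111111111:
uid:-::::2008-10-29::::ssh://zimmermann.mayfirst.org:
sig:!::1:00000000860E8F9C:2008-10-29::::ssh://zimmermann.mayfirst.org:13x:
pub:r:2048:1:00000000AE2C8DE3:2010-09-10::::::sc:
fpr:::::::::2222222222222222222222222222222222222222:
uid:r::::2010-09-10::::ssh://sontag.mayfirst.org:
sig:!::1:00000000AE2C8DE3:2010-09-10::::ssh://sontag.mayfirst.org:13x:
pub:-:2048:1:00000000EF945F28:2010-08-27::::::sc:
fpr:::::::::3333333333333333333333333333333333333333:
uid:-::::2010-08-27::::ssh://ella.mayfirst.org:
sig:!::1:00000000EF945F28:2010-08-27::::ssh://ella.mayfirst.org:13x:
sig:!::1:00000000E3D30824:2011-01-27::::Greg Lyle:10x:
sig:!::1:000000005F2E4935:2010-08-27::::Jamie McClelland:10x:
sig:!::1:00000000D21739E9:2011-01-27:2012-01-27:::Daniel Kahn Gillmor:10x:
sig:!::1:00000000D21739E9:2012-10-13::::Daniel Kahn Gillmor:10x:
rev:!::1:000000005F2E4935:2012-11-17::::Jamie McClelland:30x:
EOF
}

# classify_keys TODAY   (reads colon records on stdin)
# Prints one line per key and one indented line per certification. A
# certification is reported as REVOKED only when a verified "rev" record
# from the same signing key, dated on or after it, sits on the same key:
# OpenPGP only honours a certification revocation made by the certifier.
classify_keys() {
  awk -F: -v today="$1" '
    function shortid(fullid) { return substr(fullid, length(fullid) - 7) }
    $1 == "pub" {
      nk++; nsig[nk] = 0
      kid[nk] = shortid($5); created[nk] = $6
      if ($2 == "r")                                  kstat[nk] = "REVOKED"
      else if ($2 == "e" || ($7 != "" && $7 < today)) kstat[nk] = "EXPIRED"
      else                                            kstat[nk] = "valid"
      next
    }
    ($1 == "sig" || $1 == "rev") && nk > 0 {
      n = ++nsig[nk]
      type[nk, n] = $1; signer[nk, n] = shortid($5); date[nk, n] = $6
      if ($2 != "!")                    sstat[nk, n] = "unverified"  # -, % or ?
      else if ($7 != "" && $7 < today)  sstat[nk, n] = "expired"
      else                              sstat[nk, n] = "good"
      if ($1 == "rev" && sstat[nk, n] == "good") {
        sid = signer[nk, n]
        if (!((nk, sid) in latestrev) || $6 > latestrev[nk, sid]) latestrev[nk, sid] = $6
      }
    }
    END {
      for (k = 1; k <= nk; k++) {
        printf "key %s %s (created %s)\n", kid[k], kstat[k], created[k]
        for (s = 1; s <= nsig[k]; s++) {
          st = sstat[k, s]; sid = signer[k, s]
          if (type[k, s] == "sig" && st == "good" && ((k, sid) in latestrev) && latestrev[k, sid] >= date[k, s])
            st = "REVOKED"
          printf "  %s by %s on %s (%s)\n", type[k, s], sid, date[k, s], st
        }
      }
    }'
}

# key_status SHORTID [TODAY]: status of one key from the sample.
key_status() {
  sample_colons | classify_keys "${2:-2013-01-01}" |
    awk -v id="$1" '$1 == "key" && $2 == id { print $3 }'
}

# sig_status SIGNER DATE [TODAY]: status of one certification from the sample.
sig_status() {
  sample_colons | classify_keys "${3:-2013-01-01}" |
    awk -v id="$1" -v d="$2" '$1 == "sig" && $3 == id && $5 == d { gsub(/[()]/, "", $6); print $6 }'
}

# Stand-alone run: the whole classification as of a fixed date.
sample_colons | classify_keys 2013-01-01
```

Against a live keyring you would replace sample_colons with gpg --with-colons --check-sigs <fingerprint> and pass today's date; the point of --with-colons is that the output is stable and unlocalised, unlike the human listing, so grepping for the word "revoked" is never needed.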
Of course your best bet for more and better info is man 1 gpg, but I hope this is enough to get you started.