Today, I was responding to an issue on Mayfirst's issue tracker, involving the ssh key for a decommissioned server having never been revoked (and thus still active in the monkeysphere). Since the ticket had languished without followup for two years, I wanted to see if the work had been done, and just not commented on, so I went to check for revocations. There was only one problem — I rarely do that and realized that the process wasn't clear in my mind.

A little bit of searching on the Internet turned up descriptions and howtos about creating and publishing revocation certificates, along with many layers of links back to some version of the GPG manual. Read up there for background on key and signature revocation.

To fill the lazy search void that I found, here is a quick and dirty guide to determining revoked keys and signatures.

Checking for key revocation

To get information about a key, first make sure you have it in your keyring, using gpg --search or gpg --recv-key (e.g. gpg --search "ssh://"). You can follow along by pulling the User IDs I use in the examples into your local keyring.

If you already had the key in your keyring, now is a good time to refresh it. This will refresh it using the full key fingerprint.

0 nat@pigtown:~$ gpg --refresh-key  $(gpg --with-colons --fingerprint "ssh://" |grep fpr |cut -f10 -d ":")
gpg: refreshing 1 key from hkps://
gpg: requesting key 860E8F9C from hkps server
gpg: key 860E8F9C: "ssh://" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

0 nat@pigtown:~$

Now, to actually check the key, use gpg --list-key. This is what a non-revoked key will look like:

0 nat@pigtown:~$ gpg --list-key  $(gpg --with-colons --fingerprint "ssh://" |grep fpr |cut -f10 -d ":")
pub   2048R/860E8F9C 2008-10-29 [expires: 2014-09-25]
uid                  ssh://
uid                  ssh://

0 nat@pigtown:~$

And this is what a revoked key will look like:

0 nat@pigtown:~$ gpg --list-key $(gpg --with-colons --fingerprint "ssh://" |grep fpr |cut -f10 -d ":")
pub   2048R/AE2C8DE3 2010-09-10 [revoked: 2011-10-30]
uid                  ssh://

0 nat@pigtown:~$

Observe the "revoked" in the pub line there, compared to the expiration date in the example above. You can probably guess what that changes to when a key expires.

Checking for signature revocation (and expiration)

To get information about published signatures on a key, use gpg --check-sigs. Here's what that looks like:

0 nat@pigtown:~$ gpg --check-sigs $(gpg --with-colons --fingerprint "ssh://" |grep fpr |cut -f10 -d ":")
pub   2048R/EF945F28 2010-08-27
uid                  ssh://
sig!3        EF945F28 2010-08-27  ssh://
sig!         E3D30824 2011-01-27  Greg Lyle <>
sig!         5F2E4935 2010-08-27  Jamie McClelland <>
sig!      X  D21739E9 2011-01-27  Daniel Kahn Gillmor <>
sig!         D21739E9 2012-10-13  Daniel Kahn Gillmor <>
rev!         5F2E4935 2012-11-17  Jamie McClelland <>

0 nat@pigtown:~$

There is a lot in this output. sig! means that --check-sigs thinks this signature is valid. More specifically, it's the "!" that signifies that.

The line that starts with rev! for Jamie McClelland is a signature revocation made on 2012-11-17. Because of the permanence of the OpenPGP keyserver data, the original signature that Jamie made remains on the key; however, you can see that the revocation happens two years after the signature, and with the same key (5F2E4935).

The other thing to observe here is that one of dkg's signatures has expired. That is signified by the "X" right before the key id. Notice that dkg later signed the service key again.
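
For scripted checks, the same information is available in gpg's colon-delimited output. The following is an added example, not part of the original post: it reads gpg --with-colons --check-sigs records and reports each key, and each certification on its User IDs, as ok, revoked or expired. The function names, key IDs and sample records are constructed, and it assumes GnuPG 2.x, where dates are seconds since the epoch.

```shell
#!/bin/sh
# Added example: classify keys and certifications from `gpg --with-colons`.
# Fields per GnuPG doc/DETAILS: 1=record type, 2=validity, 5=key ID,
# 6=creation date, 7=expiration date. Assumes GnuPG 2.x epoch timestamps.

revocation_report() {   # hypothetical helper; $1 = "now" in epoch seconds
    awk -F: -v now="${1:-$(date +%s)}" '
        $1 == "pub" {
            cur = 0; state = "ok"
            if ($2 == "r") state = "revoked"
            else if ($2 == "e") state = "expired"
            print "key " $5 " " state
        }
        $1 == "sub" { cur = 0 }            # skip subkey binding signatures
        $1 == "uid" { cur = ++nuid }       # certifications follow their uid
        $1 == "sig" && cur {
            n++; s_uid[n] = cur; s_key[n] = $5; s_made[n] = $6; s_exp[n] = $7
        }
        $1 == "rev" && cur { revoked[cur ":" $5] = $6 }
        END {
            for (i = 1; i <= n; i++) {
                k = s_uid[i] ":" s_key[i]; state = "ok"
                # A revocation only cancels certifications made before it.
                if ((k in revoked) && s_made[i] + 0 <= revoked[k] + 0)
                    state = "revoked"
                else if (s_exp[i] != "" && s_exp[i] + 0 <= now + 0)
                    state = "expired"
                print "sig " s_key[i] " " state
            }
        }'
}

sample_listing() {   # constructed records, not real keyserver data
    cat <<'EOF'
pub:r:2048:1:1111111111111111:1284076800:::-:::sc:
uid:r::::1284076800::::ssh\x3a//old.example:
sig:!::1:1111111111111111:1284076800::::ssh\x3a//old.example:13x:
pub:-:2048:1:2222222222222222:1282867200:::-:::sc:
uid:-::::1282867200::::ssh\x3a//host.example:
sig:!::1:2222222222222222:1282867200::::ssh\x3a//host.example:13x:
sig:!::1:AAAAAAAAAAAAAAAA:1282867200::::Signer A:10x:
sig:!::1:BBBBBBBBBBBBBBBB:1296086400:1327622400:::Signer B:10x:
sig:!::1:BBBBBBBBBBBBBBBB:1350086400::::Signer B:10x:
rev:!::1:AAAAAAAAAAAAAAAA:1353110400::::Signer A:30x:
EOF
}

# Real use: gpg --with-colons --check-sigs FINGERPRINT | revocation_report
```

The second constructed key mirrors the listing above: one certification revoked by its issuer, and one that expired and was later reissued by the same signer.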

Of course your best bet for more and better info is man 1 gpg, but I hope this is enough to get you started.