[Bug 5649] New: gpg should handle revoked keys more gracefully

mercurial-bugs at mercurial-scm.org mercurial-bugs at mercurial-scm.org
Mon Aug 7 14:40:59 UTC 2017 

https://bz.mercurial-scm.org/show_bug.cgi?id=5649

            Bug ID: 5649
           Summary: gpg should handle revoked keys more gracefully
           Product: Mercurial
           Version: 4.1.3
          Hardware: PC
                OS: Other
            Status: UNCONFIRMED
          Severity: feature
          Priority: wish
         Component: gpg
          Assignee: bugzilla at mercurial-scm.org
          Reporter: jeffpc at josefsipek.net
                CC: mercurial-devel at mercurial-scm.org

gpg lets you have multiple subkeys.  This lets people use a subkey for signing
commits, and a different subkey for encrypting emails, etc.  Each subkey can be
revoked.  I'm not sure if subkeys are a necessary part for this, but I suspect
they are not.

The hg gpg extension doesn't differentiate between:

(1) unsigned commit
(2) signed commit with a revoked key

For example:

$ gpg2 --gen-key 
...
$ gpg2 --edit-key test
> addkey
...
pub  2048R/B53D3C4C  created: 2017-08-07  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/AC64D35C  created: 2017-08-07  expires: never       usage: E   
sub  2048R/DDD9A222  created: 2017-08-07  expires: never       usage: S   
> save
$ hg init
$ echo test > test
$ hg add test 
$ hg commit -m "abc"
$ hg sign -u ddd9a222
signing 0:f67953b995b0
$ hg sigcheck 0
f67953b995b0 is signed by:
 test test
$ hg sigs
test test                          0:f67953b995b0f18308bc294cfdcd07b4852f7cdf
$ gpg2 --edit-key test
> key 2
> revkey
...
pub  2048R/B53D3C4C  created: 2017-08-07  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/AC64D35C  created: 2017-08-07  expires: never       usage: E   
The following key was revoked on 2017-08-07 by RSA key B53D3C4C test test
sub  2048R/DDD9A222  created: 2017-08-07  revoked: 2017-08-07  usage: S   
[ultimate] (1). test test
> save
$ hg sigcheck 0
no valid signature for f67953b995b0
$ hg sigs      
$

I am *not* a security expert, but from usability standpoint, I'd expect hg to
tell me that the signature is valid but that the (sub)key has been
revoked/expired.  Ideally, it could also print the reason the key was revoked.

Note that there are several reasons a subkey can be revoked.  gpg2 suggests:

  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used

-- 
You are receiving this mail because:
You are on the CC list for the bug.

More information about the Mercurial-devel mailing list