IAS Security Hero

How to revoke a GnuPG/PGP signature on a key.

As we build a larger and more robust web of trust with our GnuPG/PGP keyrings, we inevitably fall into the situation where we need to remove a trust relationship. If we no longer have a need for a GnuPG/PGP key, we should revoke it and spread the revoked key around. This way we protect others by stating that we no longer represent the email addresses in this key and will not use it anymore; any further use of the key is either a mistake or malicious.

Unfortunately, we are sometimes met with a situation where the person who no longer represents the email address in the key can't or won't revoke the key. This poses a problem if you have signed their key: until the key is revoked it remains valid, and that valid key carries your signature.

In this situation, you can revoke your signature on the key. This lets anyone who downloads or updates the key know that you no longer trust the validity of the key.

Revoking a signature on a key with the command-line gpg utility is fairly straightforward. For this example we use the "edit" function, which requires a key identifier. Here I'm using the hex key ID 0xDEADBEEF; you could also specify an email address like jdoe@ias.edu.

$ gpg --edit-key DEADBEEF
pub  1024D/DEADBEEF  created: 2006-10-13  expires: 2011-10-12  usage: SCA 
                     trust: unknown       validity: full
sub  2048g/BEEFCAFE  created: 2006-10-13  expires: 2011-10-12  usage: E   
[  full  ] (1). John Doe <jdoe@ias.edu>

Command> revsig
You have signed these user IDs on key DEADBEEF:
     John Doe <jdoe@ias.edu>
   signed by your key 0371C12A on 2006-10-16
   signed by your key 0371C12A on 2006-10-13

user ID: "John Doe <jdoe@ias.edu>"
signed by your key 0371C12A on 2006-10-16
Create a revocation certificate for this signature? (y/N) y
user ID: "John Doe <jdoe@ias.edu>"
signed by your key 0371C12A on 2006-10-13
Create a revocation certificate for this signature? (y/N) y
You are about to revoke these signatures:
     John Doe <jdoe@ias.edu>
   signed by your key 0371C12A on 2006-10-16
   signed by your key 0371C12A on 2006-10-13
Really create the revocation certificates? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  4 = User ID is no longer valid
  Q = Cancel
Your decision? 4
Enter an optional description; end it with an empty line:
> As of 2010-05-18 16:00 US/Eastern, jdoe@ias.edu is no longer a valid address and John Doe no longer represents IAS.
> 
Reason for revocation: User ID is no longer valid
As of 2010-05-18 16:00 US/Eastern, jdoe@ias.edu is no longer a valid address and John Doe no longer represents IAS.
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Brian Epstein <bepstein@ias.edu>"
1024-bit DSA key, ID 0371C12A, created 2006-09-22
pub  1024D/DEADBEEF  created: 2006-10-13  expires: 2011-10-12  usage: SCA 
                     trust: unknown       validity: full
sub  2048g/BEEFCAFE  created: 2006-10-13  expires: 2011-10-12  usage: E   
[  full  ] (1). John Doe <jdoe@ias.edu>
Command> save
$

You can do this in the same way on Windows or a Macintosh. Just find your command-line version of gpg and use the above instructions. On Windows, you can find it here:

C:\Program Files\GNU\GnuPG\gpg2.exe

Once you have revoked your signature on the key, make sure to distribute the key carrying the newly revoked signature to other people and/or keyservers.

$ gpg --send-key DEADBEEF

And then pull down the latest copy to see everyone else's signatures/revocations.

$ gpg --recv-key DEADBEEF
$ gpg --list-sigs DEADBEEF
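As an added check (not part of the original post), after the recv-key above you can confirm that your revocation is actually present on the refreshed key by parsing the machine-readable `gpg --with-colons --list-sigs` output instead of eyeballing the human-readable listing. The sample output embedded below is constructed (padded long key IDs, illustrative timestamps); the field positions follow GnuPG's documented colon-record layout, and `list_sigs` assumes gpg is on your PATH.

```python
import subprocess

# Constructed sample of `gpg --with-colons --list-sigs DEADBEEF` after the
# revsig / save / send-key / recv-key round trip; the 16-hex long key IDs and
# epoch timestamps are illustrative, not real values.
SAMPLE = """\
pub:f:1024:17:0000000ADEADBEEF:1160697600:1318377600::-:::scaSCA:
uid:f::::1160697600::0123456789ABCDEF0123456789ABCDEF01234567::John Doe <jdoe@ias.edu>:
sig:::17:0000000ADEADBEEF:1160697600::::John Doe <jdoe@ias.edu>:13x:
sig:::17:000000000371C12A:1160697600::::Brian Epstein <bepstein@ias.edu>:10x:
sig:::17:000000000371C12A:1160956800::::Brian Epstein <bepstein@ias.edu>:10x:
rev:::17:000000000371C12A:1274198400::::Brian Epstein <bepstein@ias.edu>:30x:
sig:::17:0000000011223344:1170000000::::Jane Roe <jroe@example.org>:13x:
sub:f:2048:16:00000000BEEFCAFE:1160697600:1318377600:::::e:
"""

def parse_certifications(colons_output):
    """Return {uid: {signer_keyid: 'valid' | 'revoked'}} for user-ID certifications.
    A 'rev' record (class 0x30) from a signer marks that signer's 'sig' records
    (classes 0x10-0x13) on the same uid revoked; gpg's own validity calculation stays authoritative."""
    result, current_uid = {}, None
    for line in colons_output.splitlines():
        fields = line.split(":")
        rtype = fields[0]               # field 1: record type
        if rtype in ("pub", "sub"):
            current_uid = None          # sigs after 'sub' are subkey bindings: skip
        elif rtype == "uid":
            current_uid = fields[9]     # field 10: the user ID string
            result[current_uid] = {}
        elif rtype in ("sig", "rev") and current_uid and len(fields) > 10:
            signer, sig_class = fields[4], fields[10]   # fields 5 and 11
            if rtype == "sig" and sig_class[:2] in ("10", "11", "12", "13"):
                result[current_uid].setdefault(signer, "valid")
            elif rtype == "rev" and sig_class.startswith("30"):
                result[current_uid][signer] = "revoked"
    return result

def my_certifications(colons_output, my_keyid):
    """Status of one signer (short or long key ID, optional 0x prefix) on every uid."""
    suffix = my_keyid.upper().removeprefix("0X")
    return {uid: status
            for uid, signers in parse_certifications(colons_output).items()
            for signer, status in signers.items() if signer.endswith(suffix)}

def list_sigs(keyid):
    """Same audit against the local keyring; assumes gpg is on PATH."""
    proc = subprocess.run(["gpg", "--with-colons", "--list-sigs", keyid],
                          capture_output=True, text=True, check=True)
    return parse_certifications(proc.stdout)
```

Calling `my_certifications(list_sigs("DEADBEEF"), "0371C12A")` after the recv-key should report `revoked` for every user ID you revoked; a `valid` entry means your revocation has not propagated to the copy you fetched.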