Revoke GPG Trustee's Primary Key

When a correspondent trustee who designated you as a revoker asks you to revoke his/her primary key for an unforeseen reason, you need to revoke the key on his/her behalf. This section guides you through revoking a trustee's primary key.

WARNING: Your correspondent trustee trusted you for a reason. Hence, DO NOT do this without his/her explicit request.

Preparations

There are steps to prepare before executing the revocation.

Verify Your Primary "Certify" Key Is Available

If you are an advanced user who removed the secret part of your "certify" capability key from the keyring, you need to restore it before creating the revocation certificate, because the designated revocation is signed with it. You can verify its presence with the following command:

$ gpg --list-secret-keys

Example:

$ gpg --list-secret-keys
...
---------------------------
sec   rsa4096 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid           [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>

You want to see the key with the [C] capability, and its sec label must not carry a hash ("sec#"). If it does, the secret key is missing from the keyring: load your backup copy and restore it with the following command:

$ gpg --import /path/to/your/key.asc


Import Trustee's Public Key

You need the trustee's public key in your keyring in order to perform a proper revocation. To confirm it is there, run --list-key --keyid-format LONG and look for his/her email. Example:

$ gpg --list-key --keyid-format LONG
...
---------------------------------
pub   rsa4096/DFF009F42B8F65F1 2018-09-23 [SC]
      1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid                 [ultimate] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
sub   rsa4096/E0F5C6ECC87BF4FB 2018-09-23 [E]
sub   rsa4096/226B3ACC3859EF97 2018-09-23 [E]
sub   rsa4096/DFF009F42B8F65F1 2018-09-23 [S]

Creating Revoke Certificate

Once done, it's time to revoke the primary key by creating the revoke certificate.

Identify Trustee's Key ID

Start by obtaining the trustee's primary key ID. Use the following command and find the trustee's key:

$ gpg --list-keys

Example:

$ gpg --list-keys
...
---------------------------
pub   rsa4096/DFF009F42B8F65F1 2018-09-23 [SC]
      1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid                 [ultimate] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
sub   rsa4096/E0F5C6ECC87BF4FB 2018-09-23 [E]
sub   rsa4096/226B3ACC3859EF97 2018-09-23 [E]
sub   rsa4096/DFF009F42B8F65F1 2018-09-23 [S]

In the example above:

  1. The primary key ID is: DFF009F42B8F65F1.


Create Certificate

With the key ID identified, it's time to create the revoke certificate. Use the following command:

$ gpg --desig-revoke <trustee's key-ID> > revoke.asc

From the example above, it is:

$ gpg --desig-revoke DFF009F42B8F65F1 > revoke.asc

You will be presented with a series of prompts. Answer them carefully, because the public and other trustees will read the certificate to learn why the trustee's primary key is being revoked. Throughout the process, you may be asked for your passphrase. The output looks something like:

$ gpg --desig-revoke 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9 > revoke.asc
pub  rsa4096/445AC05FC0F56EA9 2018-09-23 Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>

To be revoked by:

sec  rsa4096/F5EF57A0FB4EF0EF 2020-01-10 "Shotgun" John, Smith (Main ID) <john.smith@email.com>

Create a designated revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
> key was compromised and unrecoverable.
> 
Reason for revocation: Key has been compromised
key was compromised and unrecoverable.
Is this okay? (y/N) y
ASCII armored output forced.
Revocation certificate created.


Import Certificate

Once the certificate is created, import it into your keyring with the --import <file> argument.

$ gpg --import <path/to/cert>

Based on the example, it should be:

$ gpg --import revoke.asc


Check The Revocation

You can check the key again using --list-keys. You should see that the key is now revoked:

$ gpg --list-keys
...
---------------------------------
pub   rsa4096 2018-09-23 [SC] [revoked: 2020-01-13]
      1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid           [ revoked] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>

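The two checks this guide performs by eye (the "sec#" stub test and the [revoked] tag) can also be scripted against the machine-readable `gpg --with-colons` listings. The script below is an added example, not part of this guide; the listings embedded in it are constructed from the guide's keys, with the subkey fingerprint and uid hash as placeholders.

```shell
#!/bin/sh
# Added example (not from the guide): scriptable versions of its two checks,
# parsed from `gpg --with-colons` output. For live use, feed in the output of
#   gpg --with-colons --list-secret-keys   and   gpg --with-colons --list-keys

# certify_key_usable LISTING FPR -> exit 0 when the "sec" record owning FPR
# has certify capability (field 12 contains 'c') and field 15 is not '#'
# ('#' is the colon-format form of the "sec#" stub the guide warns about).
certify_key_usable() {
    printf '%s\n' "$1" | awk -F: -v fpr="$2" '
        $1 == "sec" { caps = $12; stub = ($15 == "#"); next }
        $1 == "ssb" { caps = ""; next }
        $1 == "fpr" && $10 == fpr && index(caps, "c") && !stub { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# key_revoked LISTING FPR -> exit 0 when the "pub" record owning FPR carries
# validity 'r', the colon-format form of the "[revoked: ...]" tag.
key_revoked() {
    printf '%s\n' "$1" | awk -F: -v fpr="$2" '
        $1 == "pub" { rev = ($2 == "r"); next }
        $1 == "sub" { rev = 0; next }
        $1 == "fpr" && $10 == fpr && rev { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample listings modelled on the guide's keys (not real gpg
# output; the subkey fingerprint and uid hash are all-zero placeholders).
MY_FPR=AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
TRUSTEE_FPR=1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
SEC_OK="sec:u:4096:1:F5EF57A0FB4EF0EF:1578614400:::u:::cC:::+:::23::0:
fpr:::::::::$MY_FPR:"
SEC_STUB="sec:u:4096:1:F5EF57A0FB4EF0EF:1578614400:::u:::cC:::#:::23::0:
fpr:::::::::$MY_FPR:"
PUB_LIVE="pub:u:4096:1:445AC05FC0F56EA9:1537660800:::-:::scESC::::::23::0:
fpr:::::::::$TRUSTEE_FPR:
sub:u:4096:1:E0F5C6ECC87BF4FB:1537660800:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:"
PUB_REVOKED="pub:r:4096:1:445AC05FC0F56EA9:1537660800:::-:::sc::::::23::0:
fpr:::::::::$TRUSTEE_FPR:
uid:r::::1537660800::0000000000000000000000000000000000000000::Jane (Michael) Smith <jane.smith@example.com>::::::::::0:"

# Pre-flight (before --desig-revoke) and post-import checks, in the guide's order.
certify_key_usable "$SEC_OK"   "$MY_FPR" && echo "certify key available: proceed"
certify_key_usable "$SEC_STUB" "$MY_FPR" || echo "sec# stub: restore the backup first"
key_revoked "$PUB_LIVE"    "$TRUSTEE_FPR" || echo "before import: not revoked"
key_revoked "$PUB_REVOKED" "$TRUSTEE_FPR" && echo "after import: revoked"
```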

Distribute The Primary Key On Behalf

Once the trustee's primary key is revoked, and with the trustee's permission, you may distribute the revoked key on his/her behalf. Distribution is outside this section's scope; please refer to "Distribute" in the index section.

That's all for revoking a trustee's GPG primary key.