[[!meta title="revoke-hostname function revokes wrong hostname user ID"]]
It appears that the monkeysphere-server revoke-hostname function will
occasionaly revoke the wrong hostname. I say occasionally, but it
seems to be doing it pretty consistently for me at the moment:
servo:~ 0$ sudo monkeysphere-server n- servo.finestructure.net
The following host key user ID will be revoked:
ssh://servo.finestructure.net
Are you sure you would like to revoke this user ID? (y/N) y
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA
trust: ultimate validity: ultimate
[ultimate] (1) ssh://localhost.localdomain
[ultimate] (2). ssh://servo.finestructure.net
[ revoked] (3) ssh://jamie.rollins
[ revoked] (4) asdfsdflkjsdf
[ revoked] (5) ssh://asdfsdlf.safsdf
[ revoked] (6) ssh://bar.baz
[ revoked] (7) ssh://foo.bar
[ revoked] (8) ssh://
pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA
trust: ultimate validity: ultimate
[ultimate] (1)* ssh://localhost.localdomain
[ultimate] (2). ssh://servo.finestructure.net
[ revoked] (3) ssh://jamie.rollins
[ revoked] (4) asdfsdflkjsdf
[ revoked] (5) ssh://asdfsdlf.safsdf
[ revoked] (6) ssh://bar.baz
[ revoked] (7) ssh://foo.bar
[ revoked] (8) ssh://
Please select the reason for the revocation:
0 = No reason specified
4 = User ID is no longer valid
Q = Cancel
(Probably you want to select 4 here)
Enter an optional description; end it with an empty line:
Reason for revocation: User ID is no longer valid
Hostname removed by monkeysphere-server 2008-08-16T17:34:02
pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA
trust: ultimate validity: ultimate
[ revoked] (1) ssh://localhost.localdomain
[ultimate] (2). ssh://servo.finestructure.net
[ revoked] (3) ssh://jamie.rollins
[ revoked] (4) asdfsdflkjsdf
[ revoked] (5) ssh://asdfsdlf.safsdf
[ revoked] (6) ssh://bar.baz
[ revoked] (7) ssh://foo.bar
[ revoked] (8) ssh://
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u
gpg: next trustdb check due at 2012-01-07
sec 1024R/9EEAC276 2008-07-10
Key fingerprint = C094 43E0 6882 8BE2 E9AD 516C 45CF 974D 9EEA C276
uid ssh://servo.finestructure.net
uid [ revoked] ssh://localhost.localdomain
uid [ revoked] ssh://jamie.rollins
uid [ revoked] asdfsdflkjsdf
uid [ revoked] ssh://asdfsdlf.safsdf
uid [ revoked] ssh://bar.baz
uid [ revoked] ssh://foo.bar
uid [ revoked] ssh://
NOTE: User ID revoked, but revokation not published.
Run 'monkeysphere-server publish-key' to publish the revocation.
servo:~ 0$
Clearly this is unacceptable. gpg does not let you can't specify a
uid to revoke from the command line. The uid revokation can only be
done through edit-key. We do edit-key scripting in other contexts,
but to revoke a user id you have to specify the uid by "number". We
currently try to guess the number from the ordering of the output of
list-key. However, this output does not appear to coincide with the
ordering in edit-key. I don't have a good solution or fix at the
moment. Suggestions are most welcome. It may just require some trial
and error with edit-key to come up with something workable.
This underlines the problem that gpg is currently not very well suited
for manipulating gpg keyrings non-interactively. It's possible that I
just haven't figured out how to do it yet, but it's not very clear if
it is possible. It would be nice to have some alternate tools to use.
-- Big Jimmy.
