summaryrefslogtreecommitdiff
path: root/website/bugs/revoke-hostname-revoking-wrong-userid.mdwn
blob: f785a9d2f0cec480c63d2e792e31e3356e9855bb (plain)

[[meta title="revoke-hostname function revokes wrong hostname user ID"]]

It appears that the monkeysphere-server revoke-hostname function will occasionaly revoke the wrong hostname. I say occasionally, but it seems to be doing it pretty consistently for me at the moment:

servo:~ 0$ sudo monkeysphere-server n- servo.finestructure.net
The following host key user ID will be revoked:
  ssh://servo.finestructure.net
Are you sure you would like to revoke this user ID? (y/N) y
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  1024R/9EEAC276  created: 2008-07-10  expires: never       usage: CA  
                     trust: ultimate      validity: ultimate
[ultimate] (1)  ssh://localhost.localdomain
[ultimate] (2). ssh://servo.finestructure.net
[ revoked] (3)  ssh://jamie.rollins
[ revoked] (4)  asdfsdflkjsdf
[ revoked] (5)  ssh://asdfsdlf.safsdf
[ revoked] (6)  ssh://bar.baz
[ revoked] (7)  ssh://foo.bar
[ revoked] (8)  ssh://


pub  1024R/9EEAC276  created: 2008-07-10  expires: never       usage: CA  
                     trust: ultimate      validity: ultimate
[ultimate] (1)* ssh://localhost.localdomain
[ultimate] (2). ssh://servo.finestructure.net
[ revoked] (3)  ssh://jamie.rollins
[ revoked] (4)  asdfsdflkjsdf
[ revoked] (5)  ssh://asdfsdlf.safsdf
[ revoked] (6)  ssh://bar.baz
[ revoked] (7)  ssh://foo.bar
[ revoked] (8)  ssh://

Please select the reason for the revocation:
  0 = No reason specified
  4 = User ID is no longer valid
  Q = Cancel
(Probably you want to select 4 here)
Enter an optional description; end it with an empty line:
Reason for revocation: User ID is no longer valid
Hostname removed by monkeysphere-server 2008-08-16T17:34:02

pub  1024R/9EEAC276  created: 2008-07-10  expires: never       usage: CA  
                     trust: ultimate      validity: ultimate
[ revoked] (1)  ssh://localhost.localdomain
[ultimate] (2). ssh://servo.finestructure.net
[ revoked] (3)  ssh://jamie.rollins
[ revoked] (4)  asdfsdflkjsdf
[ revoked] (5)  ssh://asdfsdlf.safsdf
[ revoked] (6)  ssh://bar.baz
[ revoked] (7)  ssh://foo.bar
[ revoked] (8)  ssh://

gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
gpg: next trustdb check due at 2012-01-07
sec   1024R/9EEAC276 2008-07-10
      Key fingerprint = C094 43E0 6882 8BE2 E9AD  516C 45CF 974D 9EEA C276
uid                  ssh://servo.finestructure.net
uid       [ revoked] ssh://localhost.localdomain
uid       [ revoked] ssh://jamie.rollins
uid       [ revoked] asdfsdflkjsdf
uid       [ revoked] ssh://asdfsdlf.safsdf
uid       [ revoked] ssh://bar.baz
uid       [ revoked] ssh://foo.bar
uid       [ revoked] ssh://

NOTE: User ID revoked, but revokation not published.
Run 'monkeysphere-server publish-key' to publish the revocation.
servo:~ 0$ 

Clearly this is unacceptable. gpg does not let you can't specify a uid to revoke from the command line. The uid revokation can only be done through edit-key. We do edit-key scripting in other contexts, but to revoke a user id you have to specify the uid by "number". We currently try to guess the number from the ordering of the output of list-key. However, this output does not appear to coincide with the ordering in edit-key. I don't have a good solution or fix at the moment. Suggestions are most welcome. It may just require some trial and error with edit-key to come up with something workable.

This underlines the problem that gpg is currently not very well suited for manipulating gpg keyrings non-interactively. It's possible that I just haven't figured out how to do it yet, but it's not very clear if it is possible. It would be nice to have some alternate tools to use.

-- Big Jimmy.