[[meta title="revoke-hostname function revokes wrong hostname user ID"]]

It appears that the monkeysphere-server revoke-hostname function will
occasionaly revoke the wrong hostname. I say occasionally, but it
seems to be doing it pretty consistently for me at the moment:
    servo:~ 0$ sudo monkeysphere-server n- servo.finestructure.net
    The following host key user ID will be revoked:
    ssh://servo.finestructure.net
    Are you sure you would like to revoke this user ID? (y/N) y
    gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Secret key is available.

    pub  1024R/9EEAC276  created: 2008-07-10  expires: never       usage: CA
                         trust: ultimate      validity: ultimate
    [ultimate] (1)  ssh://localhost.localdomain
    [ultimate] (2). ssh://servo.finestructure.net
    [ revoked] (3)  ssh://jamie.rollins
    [ revoked] (4)  asdfsdflkjsdf
    [ revoked] (5)  ssh://asdfsdlf.safsdf
    [ revoked] (6)  ssh://bar.baz
    [ revoked] (7)  ssh://foo.bar

    pub  1024R/9EEAC276  created: 2008-07-10  expires: never       usage: CA
                         trust: ultimate      validity: ultimate
    [ultimate] (1)* ssh://localhost.localdomain
    [ultimate] (2). ssh://servo.finestructure.net
    [ revoked] (3)  ssh://jamie.rollins
    [ revoked] (4)  asdfsdflkjsdf
    [ revoked] (5)  ssh://asdfsdlf.safsdf
    [ revoked] (6)  ssh://bar.baz
    [ revoked] (7)  ssh://foo.bar

    Please select the reason for the revocation:
      0 = No reason specified
      4 = User ID is no longer valid
    (Probably you want to select 4 here)
    Enter an optional description; end it with an empty line:
    Reason for revocation: User ID is no longer valid
    Hostname removed by monkeysphere-server 2008-08-16T17:34:02

    pub  1024R/9EEAC276  created: 2008-07-10  expires: never       usage: CA
                         trust: ultimate      validity: ultimate
    [ revoked] (1)  ssh://localhost.localdomain
    [ultimate] (2). ssh://servo.finestructure.net
    [ revoked] (3)  ssh://jamie.rollins
    [ revoked] (4)  asdfsdflkjsdf
    [ revoked] (5)  ssh://asdfsdlf.safsdf
    [ revoked] (6)  ssh://bar.baz
    [ revoked] (7)  ssh://foo.bar

    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid:   1  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 1u
    gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
    gpg: next trustdb check due at 2012-01-07
    sec   1024R/9EEAC276 2008-07-10
          Key fingerprint = C094 43E0 6882 8BE2 E9AD 516C 45CF 974D 9EEA C276
    uid                  ssh://servo.finestructure.net
    uid [ revoked]       ssh://localhost.localdomain
    uid [ revoked]       ssh://jamie.rollins
    uid [ revoked]       asdfsdflkjsdf
    uid [ revoked]       ssh://asdfsdlf.safsdf
    uid [ revoked]       ssh://bar.baz
    uid [ revoked]       ssh://foo.bar

    NOTE: User ID revoked, but revokation not published.
    Run 'monkeysphere-server publish-key' to publish the revocation.
Clearly this is unacceptable. Because of more inadequacies in gpg,
you can't specify a uid to revoke from the command line. The uid
revocation requires an edit-key script, which we have used before, but
you have to specify by "number" which uid to revoke. We currently try
to guess the number from the ordering of the output of list-key. This
however is not always accurate. I don't have a good solution for a
fix at the moment. Suggestions are most welcome. It may just require
some trial and error with edit-key to come up with something workable.
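One workable approach, shown here as an added example rather than monkeysphere-server's own code: take the uid number from edit-key's own listing and match the uid string exactly, instead of guessing from list-key order. The transcript above shows why the guess goes wrong: list-key prints ssh://servo.finestructure.net first, but edit-key numbers it (2) and localhost.localdomain (1). The helper names and the use of `--command-fd 0` to feed the answers are assumptions; the listing is a constructed copy of the one in the report.

```shell
#!/bin/sh
# Added example (not monkeysphere-server's own code): resolve the edit-key
# uid number from edit-key's listing by exact uid match, and build the
# answers for the revuid prompt sequence seen in the transcript above.

# Constructed sample input: the uid listing edit-key printed in the report.
EDITKEY_LISTING='pub  1024R/9EEAC276  created: 2008-07-10  expires: never  usage: CA
                 trust: ultimate      validity: ultimate
[ultimate] (1)  ssh://localhost.localdomain
[ultimate] (2). ssh://servo.finestructure.net
[ revoked] (3)  ssh://jamie.rollins
[ revoked] (4)  asdfsdflkjsdf
[ revoked] (5)  ssh://asdfsdlf.safsdf
[ revoked] (6)  ssh://bar.baz
[ revoked] (7)  ssh://foo.bar'

# uid_number LISTING UID: print the edit-key index whose uid string equals
# UID exactly (no prefix or substring matches); print nothing if the uid is
# absent or already revoked, so the caller refuses instead of revoking the
# wrong one.
uid_number() {
    printf '%s\n' "$1" | awk -v want="$2" '
        match($0, /\([0-9]+\)/) {
            n = substr($0, RSTART + 1, RLENGTH - 2)   # the N inside "(N)"
            uid = substr($0, RSTART + RLENGTH)
            sub(/^[.*]*[ \t]+/, "", uid)   # drop "." primary / "*" selected flags
            revoked = ($0 ~ /^\[[ \t]*revoked\]/)
            if (uid == want && !revoked) { print n; exit }
        }'
}

# revuid_commands LISTING UID: the answers to pipe into
#   gpg --command-fd 0 --edit-key KEYID
# in the order the prompts appear above: select uid, revuid, confirm,
# reason 4, description, empty line to end it, confirm, save.
# Exit 1 with no output when the uid cannot be resolved unambiguously.
revuid_commands() {
    n=$(uid_number "$1" "$2")
    [ -n "$n" ] || return 1
    printf '%s\n' "uid $n" revuid y 4 \
        "Hostname removed by monkeysphere-server $(date -u +%Y-%m-%dT%H:%M:%S)" \
        "" y save
}
```

Driving gpg this way still requires checking the listing edit-key prints for the actual key, since the numbering is only meaningful within that one edit-key session.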
This underlines the problem that gpg sucks ass as a tool for
manipulating gpg keyrings non-interactively. This is a big problem.
We need something better that we can use. I would gladly rewrite
everything if there was a better tool out there, but I don't know of