[[!meta title="revoke-hostname function revokes wrong hostname user ID"]]

It appears that the monkeysphere-server revoke-hostname function will
occasionally revoke the wrong hostname. I say occasionally, but it
seems to be doing it pretty consistently for me at the moment:

    servo:~ 0$ sudo monkeysphere-server n- servo.finestructure.net
    The following host key user ID will be revoked:
    ssh://servo.finestructure.net
    Are you sure you would like to revoke this user ID? (y/N) y
    gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Secret key is available.

    pub  1024R/9EEAC276  created: 2008-07-10  expires: never  usage: CA
                         trust: ultimate      validity: ultimate
    [ultimate] (1)  ssh://localhost.localdomain
    [ultimate] (2). ssh://servo.finestructure.net
    [ revoked] (3)  ssh://jamie.rollins
    [ revoked] (4)  asdfsdflkjsdf
    [ revoked] (5)  ssh://asdfsdlf.safsdf
    [ revoked] (6)  ssh://bar.baz
    [ revoked] (7)  ssh://foo.bar

    pub  1024R/9EEAC276  created: 2008-07-10  expires: never  usage: CA
                         trust: ultimate      validity: ultimate
    [ultimate] (1)* ssh://localhost.localdomain
    [ultimate] (2). ssh://servo.finestructure.net
    [ revoked] (3)  ssh://jamie.rollins
    [ revoked] (4)  asdfsdflkjsdf
    [ revoked] (5)  ssh://asdfsdlf.safsdf
    [ revoked] (6)  ssh://bar.baz
    [ revoked] (7)  ssh://foo.bar

    Please select the reason for the revocation:
      0 = No reason specified
      4 = User ID is no longer valid
    (Probably you want to select 4 here)
    Enter an optional description; end it with an empty line:
    Reason for revocation: User ID is no longer valid
    Hostname removed by monkeysphere-server 2008-08-16T17:34:02

    pub  1024R/9EEAC276  created: 2008-07-10  expires: never  usage: CA
                         trust: ultimate      validity: ultimate
    [ revoked] (1)  ssh://localhost.localdomain
    [ultimate] (2). ssh://servo.finestructure.net
    [ revoked] (3)  ssh://jamie.rollins
    [ revoked] (4)  asdfsdflkjsdf
    [ revoked] (5)  ssh://asdfsdlf.safsdf
    [ revoked] (6)  ssh://bar.baz
    [ revoked] (7)  ssh://foo.bar

    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid:   1  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 1u
    gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
    gpg: next trustdb check due at 2012-01-07
    sec   1024R/9EEAC276 2008-07-10
          Key fingerprint = C094 43E0 6882 8BE2 E9AD 516C 45CF 974D 9EEA C276
    uid                  ssh://servo.finestructure.net
    uid [ revoked] ssh://localhost.localdomain
    uid [ revoked] ssh://jamie.rollins
    uid [ revoked] asdfsdflkjsdf
    uid [ revoked] ssh://asdfsdlf.safsdf
    uid [ revoked] ssh://bar.baz
    uid [ revoked] ssh://foo.bar

    NOTE: User ID revoked, but revokation not published.
    Run 'monkeysphere-server publish-key' to publish the revocation.

Clearly this is unacceptable. gpg does not let you specify a
uid to revoke from the command line. The uid revocation can only be
done through edit-key. We do edit-key scripting in other contexts,
but to revoke a user id you have to specify the uid by "number". We
currently try to guess the number from the ordering of the output of
list-key. However, this output does not appear to coincide with the
ordering in edit-key. I don't have a good solution or fix at the
moment. Suggestions are most welcome. It may just require some trial
and error with edit-key to come up with something workable.

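One way to derive the number without guessing from the human-readable listing, added here as an example and not monkeysphere's own code: gpg's machine-readable output with `--with-colons --fixed-list-mode` is assumed to emit one `uid:` record per user ID in keyblock order, which is the order edit-key numbers them (the human-readable listing in the transcript above instead puts the primary uid `ssh://servo.finestructure.net` first, although edit-key numbers it 2). The listing below is constructed to mirror the edit-key menu shown above; the hash field is a placeholder, and colons inside user IDs arrive escaped as `\x3a`, which the function undoes before comparing.

```shell
#!/bin/sh
# Added example, not monkeysphere code: map a user ID string to the 1-based
# index that gpg's edit-key "uid N" command expects, by counting uid: records
# in a --with-colons --fixed-list-mode listing (assumed to be in keyblock order).

# Constructed sample of `gpg --with-colons --fixed-list-mode --list-keys 9EEAC276`
# output, arranged to match the edit-key menu in the transcript. Field 10 of a
# uid: record is the user ID; gpg escapes ':' in it as \x3a. Field 2 is the
# validity flag (u = ultimate, r = revoked); HASHPLACEHOLDER stands in for the
# real uid hash, which this example never reads.
SAMPLE_LISTING='pub:u:1024:1:45CF974D9EEAC276:1215648000:::u:::ca::
uid:u::::1215648000::HASHPLACEHOLDER::ssh\x3a//localhost.localdomain:
uid:u::::1215648000::HASHPLACEHOLDER::ssh\x3a//servo.finestructure.net:
uid:r::::1215648000::HASHPLACEHOLDER::ssh\x3a//jamie.rollins:
uid:r::::1215648000::HASHPLACEHOLDER::asdfsdflkjsdf:
uid:r::::1215648000::HASHPLACEHOLDER::ssh\x3a//asdfsdlf.safsdf:
uid:r::::1215648000::HASHPLACEHOLDER::ssh\x3a//bar.baz:
uid:r::::1215648000::HASHPLACEHOLDER::ssh\x3a//foo.bar:'

# uid_index LISTING USERID
# Prints the 1-based position of USERID among all uid: records (revoked ones
# included, since edit-key counts them too) and returns 0; prints nothing and
# returns 1 when the user ID is not present. The comparison is exact, so
# ssh://foo.bar does not match ssh://foo.bar.example.
uid_index() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        $1 == "uid" {
            n++
            uid = $10
            gsub(/\\x3a/, ":", uid)   # undo gpg escaping of colons
            if (uid == want) { print n; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}
```

The number printed is the argument for `uid N` before `revuid` in an edit-key session; checking it against the menu edit-key prints is a cheap guard before automating the revocation.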
This underlines the problem that gpg is currently not very well suited
for manipulating gpg keyrings non-interactively. It's possible that I
just haven't figured out how to do it yet, but it's not very clear if
it is possible. It would be nice to have some alternate tools to use.