--- /dev/null
+[[meta title="revoke-hostname function revokes wrong hostname user ID"]]
+
+It appears that the monkeysphere-server revoke-hostname function will
+occasionaly revoke the wrong hostname. I say occasionally, but it
+seems to be doing it pretty consistently for me at the moment:
+
+ servo:~ 0$ sudo monkeysphere-server n- servo.finestructure.net
+ The following host key user ID will be revoked:
+ ssh://servo.finestructure.net
+ Are you sure you would like to revoke this user ID? (y/N) y
+ gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+
+ Secret key is available.
+
+ pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA
+ trust: ultimate validity: ultimate
+ [ultimate] (1) ssh://localhost.localdomain
+ [ultimate] (2). ssh://servo.finestructure.net
+ [ revoked] (3) ssh://jamie.rollins
+ [ revoked] (4) asdfsdflkjsdf
+ [ revoked] (5) ssh://asdfsdlf.safsdf
+ [ revoked] (6) ssh://bar.baz
+ [ revoked] (7) ssh://foo.bar
+ [ revoked] (8) ssh://
+
+
+ pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA
+ trust: ultimate validity: ultimate
+ [ultimate] (1)* ssh://localhost.localdomain
+ [ultimate] (2). ssh://servo.finestructure.net
+ [ revoked] (3) ssh://jamie.rollins
+ [ revoked] (4) asdfsdflkjsdf
+ [ revoked] (5) ssh://asdfsdlf.safsdf
+ [ revoked] (6) ssh://bar.baz
+ [ revoked] (7) ssh://foo.bar
+ [ revoked] (8) ssh://
+
+ Please select the reason for the revocation:
+ 0 = No reason specified
+ 4 = User ID is no longer valid
+ Q = Cancel
+ (Probably you want to select 4 here)
+ Enter an optional description; end it with an empty line:
+ Reason for revocation: User ID is no longer valid
+ Hostname removed by monkeysphere-server 2008-08-16T17:34:02
+
+ pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA
+ trust: ultimate validity: ultimate
+ [ revoked] (1) ssh://localhost.localdomain
+ [ultimate] (2). ssh://servo.finestructure.net
+ [ revoked] (3) ssh://jamie.rollins
+ [ revoked] (4) asdfsdflkjsdf
+ [ revoked] (5) ssh://asdfsdlf.safsdf
+ [ revoked] (6) ssh://bar.baz
+ [ revoked] (7) ssh://foo.bar
+ [ revoked] (8) ssh://
+
+ gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+ gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u
+ gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u
+ gpg: next trustdb check due at 2012-01-07
+ sec 1024R/9EEAC276 2008-07-10
+ Key fingerprint = C094 43E0 6882 8BE2 E9AD 516C 45CF 974D 9EEA C276
+ uid ssh://servo.finestructure.net
+ uid [ revoked] ssh://localhost.localdomain
+ uid [ revoked] ssh://jamie.rollins
+ uid [ revoked] asdfsdflkjsdf
+ uid [ revoked] ssh://asdfsdlf.safsdf
+ uid [ revoked] ssh://bar.baz
+ uid [ revoked] ssh://foo.bar
+ uid [ revoked] ssh://
+
+ NOTE: User ID revoked, but revokation not published.
+ Run 'monkeysphere-server publish-key' to publish the revocation.
+ servo:~ 0$
+
+Clearly this is unacceptable. Because of more inadequacies in gpg,
+you can't specify a uid to revoke from the command line. The uid
+revokation requires an edit-key script, which we have used before, but
+you have to specify by "number" which uid to revoke. We currently try
+to guess the number from the ordering of the output of list-key. This
+however is not always accurate. I don't have a good solution for a
+fix at the moment. Suggestions are most welcome. It may just require
+some trial and error with edit-key to come up with something workable.
+
+This underlines the problem that gpg sucks ass as a tool for
+manipulating gpg keyrings non-interactively. This is a big problem.
+We need something better that we can use. I would gladly rewrite
+everything if there was a better tool out there, but I don't know of
+one.
+
+-- Big Jimmy.
projects / monkeysphere.git / commitdiff