a. You have a compromised GPG Key
b. You have a Revocation Certificate for the same key
c. You have published the GPG (Public) Key on KeyServers
Revoking a GPG key is a shared step between you and the receiver. You are responsible for publishing the revocation certificate, which tells the world that the key is revoked, and the receiver has to import your revocation certificate to revoke the copy of the GPG key they use to communicate with you. If either step is missed, the key is not actually revoked.
Steps to Revoke GPG Key -
The revocation certificate looks somewhat like the one below -

This is a revocation certificate for the OpenPGP key:

pub   ed25519 2023-03-29 [S]
      873D8D13C2XXXXXXXXXXXXXXXXXXX734A6PPF87
uid          dummy (this is gpg key) dummy@dummy.com

A revocation certificate is a kind of "kill switch" to publicly
declare that a key shall not anymore be used.  It is not possible
to retract such a revocation certificate once it has been published.

Use it to revoke this key in case of a compromise or loss of
the secret key.  However, if the secret key is still accessible,
it is better to generate a new revocation certificate and give
a reason for the revocation.  For details see the description of
of the gpg command "--generate-revocation" in the GnuPG manual.

To avoid an accidental use of this file, a colon has been inserted
before the 5 dashes below.  Remove this colon with a text editor
before importing and publishing this revocation certificate.

:-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: This is a revocation certificate

iHgEIadcIDentaSTWo0TwrM0DnOiGFnpnNc00192jaaJPKQJbQIdAAAKCRDpnNc0
pq10d6OBAPyyyyy4nPDmWxxxxxxxCmaINiTd4SmEYRUHZy7CsuuuAQEA4PVVkCaE
vYgvdadadadaog/OiD0gkaRokaOgoYbewou2=
=5G/c
-----END PGP PUBLIC KEY BLOCK-----
- As the comment in the revocation certificate says, this is a one-way path: once revoked, the key stays revoked.
- Remove the colon (:) as the instructions say and save the file
- Import the Revocation Certificate into your keyring
gpg --import REVOKE_CERT_FILE_NAME
- This revokes the GPG key locally
- Send the revoked key to the keyserver(s)
# Upload Public key on keyserver/s
gpg --keyserver hkps://keys.openpgp.org --send-key KEYID
# or
gpg --keyserver https://keyserver.ubuntu.com --send-key KEYID
# or
gpg --keyserver https://pgp.mit.edu --send-key KEYID
- Your part is done. The next step is for the receiver: they have to re-sync the revoked key once again to revoke their locally stored copy of the GPG key, which can be done via -
# Import from Keyserver
gpg --keyserver hkps://keys.openpgp.org --recv-keys KEYID
# or
gpg --keyserver https://keyserver.ubuntu.com --recv-keys KEYID
# or
gpg --keyserver https://pgp.mit.edu --recv-keys KEYID
- You will see the output below when you import the revocation certificate -
❯ gpg --import ~/.gnupg/openpgp-revocs.d/873D8D13C2XXXXXXXXXXXXXXXXXXX734A6PPF87.rev
gpg: key E99CD734A6PPF87: "dummy (this is gpg key) dummy@dummy.com" revocation certificate imported
gpg: Total number processed: 1
gpg:    new key revocations: 1
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2024-09-05

and this one when you list the same KEYID

❯ gpg --list-keys 873D8D13C2XXXXXXXXXXXXXXXXXXX734A6PPF87
pub   ed25519 2023-03-29 [SC] [revoked: 2023-03-29]
      873D8D13C2XXXXXXXXXXXXXXXXXXX734A6PPF87
uid           [ revoked] dummy (this is gpg key) dummy@dummy.com
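Because the receiver's re-sync is the step most often skipped, here is an added shell example (not part of the original post) that reads gpg's machine-readable --with-colons listing and reports whether the primary key is actually marked revoked in the local keyring; the check_key wrapper and the sample records are assumptions constructed around the dummy key above.

```shell
#!/bin/sh
# Added example, not from the original post. In "gpg --with-colons" output
# field 1 is the record type and field 2 the validity; "r" means revoked.

# revocation_status: reads --with-colons records on stdin and prints
# "revoked", "active" or "missing" for the primary key ("pub" record).
revocation_status() {
  awk -F: '
    $1 == "pub" { status = ($2 == "r") ? "revoked" : "active" }
    END { if (status == "") status = "missing"; print status }
  '
}

# check_key KEYID: re-sync the key from the keyserver used in the post,
# then report whether the local copy now carries the revocation.
# (Assumed helper; requires gpg and network access.)
check_key() {
  keyid="$1"
  gpg --keyserver hkps://keys.openpgp.org --recv-keys "$keyid" >/dev/null 2>&1 || true
  gpg --with-colons --list-keys "$keyid" 2>/dev/null | revocation_status
}

# Constructed sample records (not real gpg output) for the dummy key in the post.
SAMPLE_REVOKED='tru::1:1680048000:1725494400:3:1:5
pub:r:256:22:E99CD734A6PPF87:1680048000:::-:::sc::::::23::0:
fpr:::::::::873D8D13C2XXXXXXXXXXXXXXXXXXX734A6PPF87:
uid:r::::1680048000::0000000000000000000000000000000000000000::dummy (this is gpg key) <dummy@dummy.com>::::::::::0:'

SAMPLE_ACTIVE='pub:u:256:22:E99CD734A6PPF87:1680048000:::u:::scESC::::::23::0:
fpr:::::::::873D8D13C2XXXXXXXXXXXXXXXXXXX734A6PPF87:
uid:u::::1680048000::0000000000000000000000000000000000000000::dummy (this is gpg key) <dummy@dummy.com>::::::::::0:'

# Usage: sh check_revoked.sh KEYID   (with no argument, only the samples run)
if [ "$#" -gt 0 ]; then
  check_key "$1"
else
  printf '%s\n' "$SAMPLE_REVOKED" | revocation_status   # revoked
  printf '%s\n' "$SAMPLE_ACTIVE" | revocation_status    # active
fi
```

A receiver whose listing still prints "active" after --recv-keys has not picked up the revocation and should re-sync from a keyserver the owner actually published to.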
Keep in mind that a GPG key that has been sent to a keyserver cannot be deleted; it will remain listed indefinitely. You can only revoke your public key and notify other users that the key is no longer usable, so that they re-sync your key from the keyservers.