Don't show the option to sign revoked subkeys

I can't think of a reason someone would want to sign a revoked subkey, so the option to sign them shouldn't be shown in the CLI or GUI interfaces.

Possibly the same should apply to expired keys.

there has been numerous issues and discussions about issues similar to this, both in this bugtracker and the debian bugtracker, see #36 (closed) or #33 (closed) for an example, but there are more like this in the Debian BTS.

could you clarify which version is affected and show the actual and expected output? there has been some extensive work to fix stuff like this in 2.1 and later.

also, as far as I understand this, we (GPG/monkeysign) don't sign subkeys but user ids (UIDs). i wonder if you really mean "revoked subkeys" or rather "revoked UIDs".

if we still offer those keys for signing, it's obviously a bug.

thanks for clarifying.

Status changed to closed

Added Priority: high Testing bug moreinfo labels

Milestone changed to %Monkeysign 2.2.2

I'm on the 2.x branch. As far as I can tell, revoked UIDs are still available for signing. for example:

simonft@goldman ~/monkeysign (2.x)> scripts/monkeysign 7B75921E --dry-run
Preparing to sign with this key

pub  [ultimate] 2048R/CB451C08 1381157046
    Fingerprint = 1D27 1007 48FE DFF4 FEA4  61EF FE09 EF3E CB45 1C08
uid 1      [ultimate] Simon Fondrie-Teitler <simon@noom.com>
sub   2048R/314F1C2C 1381157046

Signing the following key

pub  [unknown] 4096R/7B75921E 1243621534 [expiry: 2017-06-01 18:59:33]
    Fingerprint = 8DC9 01CE 6414 6C04 8AD5  0FBB 7921 5252 7B75 921E
uid 1      [unknown] Antoine Beaupré <anarcat@orangeseeds.org>
uid 2      [revoked] Antoine Beaupré (work) <anarcat@koumbit.org>
uid 3      [revoked] Antoine Beaupré (home address) <anarcat@anarcat.ath.cx>
uid 4      [revoked] Antoine Beaupré (Debian) <anarcat@debian.org>
uid 5      [unknown] Antoine Beaupré <anarcat@debian.org>
uid 6      [unknown] Antoine Beaupré <anarcat@koumbit.org>
sub   2048R/EE02855A 1342743455
sub   2048R/D2DF2587 1342619928
sub   4096R/9C5A5581 1243622183 [expiry: 2017-06-01 19:00:23]
sub   2048R/AFD0FDF8 1343152615


Sign all identities? [y/N] 
Choose the identity to sign (1-6 or full UID, control-c to abort): 

Instead of seeing UIDs 2-4, I think it should just show:

uid 1      [unknown] Antoine Beaupré <anarcat@orangeseeds.org>
uid 2      [unknown] Antoine Beaupré <anarcat@debian.org>
uid 3      [unknown] Antoine Beaupré <anarcat@koumbit.org>

crap, that looks like your right, of course. if you want to tackle this, look into the UID chosing mechanics in ui.py around line 575. this is the generic UI item that calls the implementation specific (CLI/GTK) UID choosers. i think this is where those UIDs could be filtered. note that there's already some UID cleanup code later in that file (see the cleanup_uids function), maybe that could be reimplemented as a more generic filter in the gpg.py Keyring class.

all this would probably then require unit tests in monkeysign/tests/gpg.py and monkeysign/tests/ui.py.

phew!

Status changed to reopened

Reassigned to @simonft

changed milestone to %Monkeysign 2.2.3

changed milestone to %Monkeysign 2.3.0