revoke-hostname function revokes wrong hostname user ID
It appears that the monkeysphere-server revoke-hostname function will occasionaly revoke the wrong hostname. I say occasionally, but it seems to be doing it pretty consistently for me at the moment:
servo:~ 0$ sudo monkeysphere-server n- servo.finestructure.net The following host key user ID will be revoked: ssh://servo.finestructure.net Are you sure you would like to revoke this user ID? (y/N) y gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA trust: ultimate validity: ultimate [ultimate] (1) ssh://localhost.localdomain [ultimate] (2). ssh://servo.finestructure.net [ revoked] (3) ssh://jamie.rollins [ revoked] (4) asdfsdflkjsdf [ revoked] (5) ssh://asdfsdlf.safsdf [ revoked] (6) ssh://bar.baz [ revoked] (7) ssh://foo.bar [ revoked] (8) ssh:// pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA trust: ultimate validity: ultimate [ultimate] (1)* ssh://localhost.localdomain [ultimate] (2). ssh://servo.finestructure.net [ revoked] (3) ssh://jamie.rollins [ revoked] (4) asdfsdflkjsdf [ revoked] (5) ssh://asdfsdlf.safsdf [ revoked] (6) ssh://bar.baz [ revoked] (7) ssh://foo.bar [ revoked] (8) ssh:// Please select the reason for the revocation: 0 = No reason specified 4 = User ID is no longer valid Q = Cancel (Probably you want to select 4 here) Enter an optional description; end it with an empty line: Reason for revocation: User ID is no longer valid Hostname removed by monkeysphere-server 2008-08-16T17:34:02 pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA trust: ultimate validity: ultimate [ revoked] (1) ssh://localhost.localdomain [ultimate] (2). ssh://servo.finestructure.net [ revoked] (3) ssh://jamie.rollins [ revoked] (4) asdfsdflkjsdf [ revoked] (5) ssh://asdfsdlf.safsdf [ revoked] (6) ssh://bar.baz [ revoked] (7) ssh://foo.bar [ revoked] (8) ssh:// gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u gpg: next trustdb check due at 2012-01-07 sec 1024R/9EEAC276 2008-07-10 Key fingerprint = C094 43E0 6882 8BE2 E9AD 516C 45CF 974D 9EEA C276 uid ssh://servo.finestructure.net uid [ revoked] ssh://localhost.localdomain uid [ revoked] ssh://jamie.rollins uid [ revoked] asdfsdflkjsdf uid [ revoked] ssh://asdfsdlf.safsdf uid [ revoked] ssh://bar.baz uid [ revoked] ssh://foo.bar uid [ revoked] ssh:// NOTE: User ID revoked, but revokation not published. Run 'monkeysphere-server publish-key' to publish the revocation. servo:~ 0$
Clearly this is unacceptable. gpg does not let you specify a uid to revoke from the command line. The uid revocation can only be done through edit-key. We do edit-key scripting in other contexts, but to revoke a user id you have to specify the uid by "number". We currently try to guess the number from the ordering of the output of list-key. However, this output does not appear to coincide with the ordering in edit-key. I don't have a good solution or fix at the moment. Suggestions are most welcome. It may just require some trial and error with edit-key to come up with something workable.
This underlines the problem that gpg is currently not very well suited for manipulating gpg keyrings non-interactively. It's possible that I just haven't figured out how to do it yet, but it's not very clear if it is possible. It would be nice to have some alternate tools to use.
(from redmine: created on 2008-12-13, closed on 2009-07-14)