I'm using Enigmail 1.9.1.
I want to revoke my key with an earlier generated revocation certificate.
I'm still in the possession of my keypair and can see it in the list at the key management.
But after I open the revocation certificate by clicking on "file"->"import keys from file" nothing happens. I can choose the certificate and click on open and the dialog closes. But I can't see anything new on my key overview and my key also isn't revoked. Am I missing something?
Is there an extra step necessary to use my revocation certificate and how can I do this?
I looked for it for quite a while now on the internet, but the only thing I found was to import the certificate with the import-option and no further instructions, so I hope someone of you can help. I tried the "reload key cache"-option, but nothing changed.
Does the revocation become visible if you do a "Reload key cache" in Enigmail KeyManager's File Menu? On public servers, your key only gets revoked if you upload the revoked key to a server.
No, nothing changes after the reloading. I'm pretty sure the key isn't revoked at all, not even on my system. The name of the key is not greyed out or something in the list.
Is it really sufficient to just import the revocation certificate and do nothing else? After I choose it and click "open" the dialog just closes and I don't get a message that my key is revoked or a warning that this is a permanent thing or something like that.
Hi, which version of GnuPG are you using? Newer versions generate an unusable revocation certificate to prevent accidental revocations. Just open it with a text-editor and have a look, it is mentioned in the header:
(...) To avoid an accidental use of this file, a colon has been inserted
before the 5 dashes below. Remove this colon with a text editor
before importing and publishing this revocation certificate.
:-----BEGIN PGP PUBLIC KEY BLOCK-----
If this is the case, then importing it with Enigmail will fail silently - it will simply not detect the ASCII-armor because of this colon.
Last edit: Ludwig Hügelschäfer 2016-03-30
Oh well, this is only half of the truth. There is actually a bug which hinders an effective import even of an "activated" revocation certificate. It was introduced with the new "preview" of imported files.
Last edit: Ludwig Hügelschäfer 2016-03-30
I'm using Enigmail 1.9.1.
When I open my revocation certificate (the ...rev.asc-file) in a text editor, it starts directly with:
"-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
Comment: A revocation certificate should follow". Then there's the certificate and
"-----END PGP PUBLIC KEY BLOCK-----" at the end.
So as far as I understand this is already the usable certificate?
Is the failing at the import the bug that you mentioned? So is there no way to revoke my key with this certificate over Enigmail?
Edit: Sorry, I forgot to mention my GPG-version. It's 2.0.28.
Last edit: efunc 2016-03-31
Yes, that looks like a directly usable revocation certificate. The problem is Enigmail - you cannot import it right now because of bug 590 in 1.9 and 1.9.1. If you downgrade to 1.8.2, an import should be possible. You can also import it on the command line using the following command:
gpg2 --import <filename>
Hope that helps.
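An added example (not part of the original posts, and not Enigmail or GnuPG code): a Python check that classifies a revocation certificate file before import. It detects the colon guard quoted earlier in this thread and confirms that the armored block holds a key revocation signature (OpenPGP packet tag 2, signature type 0x20). The function names and the sample data are constructed for illustration, and the armor is assumed to be well formed (blank line after the armor headers).

```python
import base64

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def first_packet(data):
    """Return (tag, body) of the first OpenPGP packet (RFC 4880, section 4.2)."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if data[0] & 0x40:                        # new-format header
        tag, first = data[0] & 0x3F, data[1]
        if first < 192:
            off, length = 2, first
        elif first < 224:
            off, length = 3, ((first - 192) << 8) + data[2] + 192
        elif first == 255:
            off, length = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial body length not handled")
    else:                                     # old-format header
        tag, ltype = (data[0] >> 2) & 0x0F, data[0] & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled")
        n = 1 << ltype                        # 1, 2 or 4 length octets
        off, length = 1 + n, int.from_bytes(data[1:1 + n], "big")
    return tag, data[off:off + length]

def inspect_revocation_file(text):
    """Classify a revocation certificate file before it is imported."""
    lines = [l.strip() for l in text.splitlines()]
    if ":" + BEGIN in lines:
        return "guarded"                      # colon still present, armor not detected
    if BEGIN not in lines or END not in lines:
        return "no-armor"
    block = lines[lines.index(BEGIN) + 1:lines.index(END)]
    if "" in block:                           # armor headers end at the first blank line
        block = block[block.index("") + 1:]
    b64 = "".join(l for l in block if l and not l.startswith("="))  # skip CRC24 line
    tag, body = first_packet(base64.b64decode(b64))
    if len(body) < 3:
        return "not-revocation"
    sig_type = body[2] if body[0] == 3 else body[1]   # v3 has a length octet first
    return "usable" if tag == 2 and sig_type == 0x20 else "not-revocation"

# Constructed sample: old-format signature packet (tag 2), version 4, type 0x20,
# followed by filler bytes. It is not a real signature and gpg would not accept it.
SAMPLE_PACKET = bytes([0x88, 12, 4, 0x20, 1, 8]) + bytes(8)
SAMPLE_ARMOR = "\n".join([BEGIN, "Comment: A revocation certificate should follow",
                          "", base64.b64encode(SAMPLE_PACKET).decode(), END])
SAMPLE_GUARDED = "To avoid an accidental use of this file, a colon has been inserted\n:" + SAMPLE_ARMOR
```

A result of "guarded" means the colon has to be removed in a text editor before the import; "usable" means the file can be passed to gpg2 --import as described above.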
Thank you. I used the gpg2 command and it worked.
Hello,
I still have troubles importing a revocation certificate via Thunderbird (enigmail 2.1.6)
with gpg2 --import it works well.
I want all my users to revoke a certain public key. I cannot ask them to save the attachment, and use this command (far too complicated).
They should be able to right-click the attachment, and import the key -> hence revoke the key.
I'm using TB latest (68.7) and enigmail latest 2.1.6 march 30, 2020.
The revocation certificate is valid (no double-colon), and also created in TB/enigmail.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: This is a revocation certificate
xxxxxxxxxxx=
=xxxx
-----END PGP PUBLIC KEY BLOCK-----
I don't think that this will work. You should send the complete key that you revoked (using the attach key function) and ask the users to import the key.
thanks, this works.
I was under the impression that previously, I could send the revocation certificate only, to be imported by other users.
But sending the revoked public key works just as well.