Package: gnupg
Version: 2.2.46-5
Severity: normal
X-Debbugs-Cc: ukleinek@debian.org
Hello,
So "clean"ing my key removed Trevor's signature.[...]
With gnupg 2.2.45-2 the same sequence keeps the signature. With my
current understanding 2.2.45-2 is right to keep the signature and it's a
bug in 2.2.46-5 to drop it.
I have a few more reproducers and it's always only Trevor's signature
that is removed.
uwe@taurus:~$ keyringgpghome="$(mktemp -d)"
uwe@taurus:~$ gpg --homedir "$keyringgpghome" --locate-external-key tgamblin@baylibre.com u.kleine-koenig@baylibre.com
gpg: keybox '/tmp/tmp.U5pMuWLasg/pubring.kbx' created
gpg: /tmp/tmp.U5pMuWLasg/trustdb.gpg: trustdb created
gpg: key E2DCDD9132669BD6: public key "Uwe Kleine-König <u.kleine-koenig@baylibre.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
gpg: key B0D589D46708EC99: public key "Trevor Gamblin <tgamblin@baylibre.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
pub rsa4096 2010-06-15 [SC] [expires: 2027-06-21]
0D2511F322BFAB1C1580266BE2DCDD9132669BD6
uid [ unknown] Uwe Kleine-König <u.kleine-koenig@baylibre.com>
sub rsa2048 2023-03-17 [A] [expires: 2027-06-21]
sub rsa2048 2023-03-17 [S] [expires: 2027-06-21]
sub rsa2048 2023-03-17 [E] [expires: 2027-06-21]
pub rsa4096 2024-11-19 [C] [expires: 2026-11-19]
A3A9D4BDAB1069811F48D30EB0D589D46708EC99
uid [ unknown] Trevor Gamblin <tgamblin@baylibre.com>
sub cv25519 2024-11-19 [E]
sub ed25519 2024-11-19 [S]
sub ed25519 2024-11-19 [A]
uwe@taurus:~$ gpg --homedir "$keyringgpghome" --list-sigs --with-colon E2DCDD9132669BD6 | grep -E '(^pub|^uid|B0D589D46708EC99)'
pub:-:4096:1:E2DCDD9132669BD6:1276614694:1813572000::-:::scESCA::::::23:1742578410:4:
uid:-::::1739887646::7E218F31504E286A852C2E05459BA0DC22FF34AE::Uwe Kleine-König <u.kleine-koenig@baylibre.com>:::::::::1742578410:4 https\x3a//openpgpkey.baylibre.com:
sig:::1:B0D589D46708EC99:1732894509::::Trevor Gamblin <tgamblin@baylibre.com>:10x::A3A9D4BDAB1069811F48D30EB0D589D46708EC99:::10:
So my key E2DCDD9132669BD6 has a signature by Trevor's key.
uwe@taurus:~$ gpg --homedir "$keyringgpghome" --edit-key E2DCDD9132669BD6 clean save
gpg (GnuPG) 2.2.46; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/E2DCDD9132669BD6
created: 2010-06-15 expires: 2027-06-21 usage: SC
trust: unknown validity: unknown
The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig@baylibre.com>
sub rsa2048/DB334D9FBE6A05BF
created: 2015-01-11 revoked: 2023-03-17 usage: A
The following key was revoked on 2015-01-11 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig@baylibre.com>
sub rsa4096/3C3A2D28B94A2928
created: 2010-06-15 revoked: 2015-01-11 usage: E
The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig@baylibre.com>
sub rsa2048/C1FC1478ADCAEC09
created: 2015-01-11 revoked: 2023-03-17 usage: S
sub rsa2048/B29A43280A6EF95B
created: 2023-03-17 expires: 2027-06-21 usage: A
sub rsa2048/8F80FB587D12FE4E
created: 2023-03-17 expires: 2027-06-21 usage: S
sub rsa2048/120E75698E64909B
created: 2023-03-17 expires: 2027-06-21 usage: E
The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig@baylibre.com>
sub rsa2048/F2FF566A57C91BC7
created: 2015-01-11 revoked: 2023-03-17 usage: E
[ unknown] (1). Uwe Kleine-König <u.kleine-koenig@baylibre.com>
User ID "Uwe Kleine-König <u.kleine-koenig@baylibre.com>": 7 signatures removed
pub rsa4096/E2DCDD9132669BD6
created: 2010-06-15 expires: 2027-06-21 usage: SC
trust: unknown validity: unknown
The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig@baylibre.com>
sub rsa2048/DB334D9FBE6A05BF
created: 2015-01-11 revoked: 2023-03-17 usage: A
The following key was revoked on 2015-01-11 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig@baylibre.com>
sub rsa4096/3C3A2D28B94A2928
created: 2010-06-15 revoked: 2015-01-11 usage: E
The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig@baylibre.com>
sub rsa2048/C1FC1478ADCAEC09
created: 2015-01-11 revoked: 2023-03-17 usage: S
sub rsa2048/B29A43280A6EF95B
created: 2023-03-17 expires: 2027-06-21 usage: A
sub rsa2048/8F80FB587D12FE4E
created: 2023-03-17 expires: 2027-06-21 usage: S
sub rsa2048/120E75698E64909B
created: 2023-03-17 expires: 2027-06-21 usage: E
The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6 Uwe Kleine-König <u.kleine-koenig@baylibre.com>
sub rsa2048/F2FF566A57C91BC7
created: 2015-01-11 revoked: 2023-03-17 usage: E
[ unknown] (1). Uwe Kleine-König <u.kleine-koenig@baylibre.com>
uwe@taurus:~$ gpg --homedir "$keyringgpghome" --list-sigs --with-colon E2DCDD9132669BD6 | grep -E '(^pub|^uid|B0D589D46708EC99)'
pub:-:4096:1:E2DCDD9132669BD6:1276614694:1813572000::-:::scESCA::::::23:1742578410:4:
uid:-::::1739887646::7E218F31504E286A852C2E05459BA0DC22FF34AE::Uwe Kleine-König <u.kleine-koenig@baylibre.com>:::::::::1742578410:4 https\x3a//openpgpkey.baylibre.com:
So "clean"ing my key removed Trevor's signature.
On Fri, Mar 21, 2025 at 06:43:19PM +0100, Uwe Kleine-König wrote:
To expand the set of affected sample data: If you do the above and import the keys for
u.kleine-koenig@baylibre.com
khilman@baylibre.com
mkorpershoek@baylibre.com
dlechner@baylibre.com
tgamblin@baylibre.com
cleaning the first four keys removes (only) all the signatures by Trevor.
The kernel pgp keyring has some more examples it seems:
git clone https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git
cd pgpkeys
keyringgpghome="$(mktemp -d)"
gpg --homedir "$keyringgpghome" --import keys/*.asc
gpg --homedir "$keyringgpghome" --export > keyring-2.2.46
gpg --homedir "$keyringgpghome" --export --export-options export-clean > keyring-2.2.46-clean
and repeating the same with gpg 2.2.45, I get:
$ ls -lS keyring-*
-rw-rw-r-- 1 uwe uwe 8705354 Mar 24 16:39 keyring-2.2.45
-rw-rw-r-- 1 uwe uwe 8705354 Mar 24 16:37 keyring-2.2.46
-rw-rw-r-- 1 uwe uwe 8199427 Mar 24 16:40 keyring-2.2.45-clean
-rw-rw-r-- 1 uwe uwe 8162407 Mar 24 16:37 keyring-2.2.46-clean
The cleaned keyring exported by 2.2.46 is considerably smaller, so
2.2.46 cleaned more aggressively. Looking at the output of
diff -u <(gpg --list-packets keyring-2.2.45-clean | grep "issuer key" | sort) <(gpg --list-packets keyring-2.2.46-clean | grep "issuer key" | sort)
there are differences in both directions (i.e. signatures that are only removed by 2.2.45 and others that are only removed by 2.2.46). At least
that is my interpretation given there are + and - lines. I didn't try to inspect the data to judge for each difference which version of gnupg is correct.
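The before/after comparison done by hand in this thread can be scripted. The following is an added example, not part of the original messages: it parses `gpg --list-sigs --with-colons` output and reports third-party certifications that were present before `clean` and are missing afterwards. The pub, uid and Trevor's sig records are the ones shown in the report; the self-signature record is constructed for illustration.

```python
# Added example: find third-party certifications that disappear after "clean".
# Input is the text printed by: gpg --list-sigs --with-colons <keyid>

def certifications(listing):
    """Map (primary key ID, user ID) -> set of third-party issuer key IDs."""
    certs = {}
    primary = uid = None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue                       # too short to be a record we use
        if f[0] == "pub":
            primary, uid = f[4], None      # field 5: key ID of the primary key
        elif f[0] == "sub":
            uid = None                     # subkey binding sigs are not certifications
        elif f[0] == "uid":
            uid = f[9]                     # field 10: user ID string
            certs.setdefault((primary, uid), set())
        elif f[0] == "sig" and uid is not None and f[4] != primary:
            certs[(primary, uid)].add(f[4])    # self-signatures are skipped
    return certs

def dropped(before, after):
    """Certifications present in `before` but missing from `after`."""
    old, new = certifications(before), certifications(after)
    out = {}
    for key, issuers in old.items():
        lost = issuers - new.get(key, set())
        if lost:
            out[key] = sorted(lost)
    return out

# Records copied from the report (raw strings keep the \x3a escape intact).
PUB = r"pub:-:4096:1:E2DCDD9132669BD6:1276614694:1813572000::-:::scESCA::::::23:1742578410:4:"
UID = (r"uid:-::::1739887646::7E218F31504E286A852C2E05459BA0DC22FF34AE::"
       r"Uwe Kleine-König <u.kleine-koenig@baylibre.com>:::::::::1742578410:4 https\x3a//openpgpkey.baylibre.com:")
TREVOR = (r"sig:::1:B0D589D46708EC99:1732894509::::Trevor Gamblin <tgamblin@baylibre.com>"
          r":10x::A3A9D4BDAB1069811F48D30EB0D589D46708EC99:::10:")
# Constructed self-signature record, not taken from the report.
SELF = r"sig:::1:E2DCDD9132669BD6:1739887646::::Uwe Kleine-König <u.kleine-koenig@baylibre.com>:13x:::::10:"

BEFORE = "\n".join([PUB, UID, SELF, TREVOR])   # listing before "clean"
AFTER = "\n".join([PUB, UID, SELF])            # listing after "clean" with 2.2.46

if __name__ == "__main__":
    for (key, uid), issuers in dropped(BEFORE, AFTER).items():
        print(f"{key} / {uid}: lost certifications from {', '.join(issuers)}")
```

Run against the full, ungrepped listings taken before and after `clean`, it names every issuer whose certification was removed, which makes differences between gpg versions easy to compare.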
I just tried to make a local certification of Werner's own certificate
with my cert (D477040C70C2156A5C298549BB7E9101495E6BF7), and GnuPG
refused to confirm the validity of Werner's user ID despite my own
having ultimate ownertrust.
I traced it back to the fact that my cert has a certification-only
primary key.
It looks like upstream's patch 9b7c067717d815e16f9ea3cec88bca09a6cce7cb resolves the problem for me. I've staged it in the debian/unstable
branch on salsa, but i won't make an upload for a few more days, to
allow 2.4.7-17 to migrate into unstable.
Uwe, if you can build what's on the debian/unstable branch in salsa and confirm whether it resolves the problems you're seeing, it would be
great to get feedback here. Or, wait a few days and i'll put it in
unstable anyway.