27

Whilst playing with GPG (and trying to figure out a safe way to store my revocation cert so nobody else could use it), I accidentally revoked my PGP key.

The revocation was only local; not sent to a keyserver, so I was sure there would be a way to un-revoke it... but I couldn't find anything. Even deleting the key and re-importing it didn't help; it still showed as revoked. In the end I deleted my entire keyring and re-imported everything, which worked. But there must be a better way...

So; how do you un-revoke a PGP key in GPG?

Also, where is the revocation stored, and why wasn't it deleted when I deleted the key from my keyring?

In case it makes any difference, I'm using GPG on OS X with the GPGTools package.

Giacomo1968
  • 58,727
Caesar
  • 668

2 Answers

28

It turns out that it is possible (and relatively simple) to delete and re-import the key, provided that it is on a keyserver (and provided that the revocation has not been sent to the keyserver, of course).

This is what I found to work (THEKEYID is the short ID of the key):

  1. Delete the public key as follows (the --expert option allows the public key to be deleted whilst the private key is kept):

    gpg --expert --delete-key THEKEYID
    
  2. Confirm by pressing:

    y
    
  3. Fetch the public key again from a keyserver:

    gpg --keyserver subkeys.pgp.net --recv-keys THEKEYID
    

Done!

Presumably this could also be done from a local (pre-revocation) backup of the public key, using gpg --import public.key instead of the third command.

Simply deleting the entire key (public and private) from the GPG Keychain Access GUI, and then restoring from a backup, did not work - I don't know why.

Giacomo1968
  • 58,727
Caesar
  • 668
4

A process to un-revoke your locally revoked key, without involving any keyserver, was shared in 2007 by David Shaw in a post on the official mailing list.

It goes as follows (I suggest you make a backup of your ~/.gnupg before going forward):

  1. Export the public key into a file.

    gpg --export (thekey) > mykey.gpg
    
  2. Split it into parts:

    gpgsplit mykey.gpg
    

    This breaks the key into multiple files with names like "000001-006.public_key".
  3. Figure out which packet is the revocation. It's likely to be "000002-002.sig", but make sure with:

    gpg --list-packets 000002-002.sig
    

    That will show information about the packet. If the sigclass is set to 0x20, that's the revocation. Delete that file.

  4. Put the key back together again:

    cat 0000* > myfixedkey.gpg
    
  5. Remove the old key:

    gpg --expert --delete-key (thekey)
    

    You need --expert here so GPG will let you delete the public key when a private key is still around.

  6. Import the new key:

    gpg --import myfixedkey.gpg
    

Please note that, obviously, revocation certificates published on a keyserver cannot be un-revoked.

Totor
  • 1,581
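As an added worked example (editor's addition, not code from either answer above), the following script does in one pass what the gpgsplit / --list-packets / cat steps of the second answer do by hand, and it also answers the question's "where is the revocation stored": a local revocation is just one more signature packet of class 0x20 appended to the public keyblock, so `gpg --export`, drop that packet, `--delete-key`, `--import` is the whole fix. The script walks the packet stream of an exported key (RFC 4880 packet headers), reads each signature packet's type byte (the value gpg prints as "sigclass"), discards every 0x20 signature and writes the rest back unchanged. The sample keyblock at the bottom is constructed with dummy key material purely so the script runs offline; on a real key you would pass the `gpg --export` output as the first argument and the output path as the second. Like the answer, it only removes 0x20 (key revocation); subkey revocations (0x28) and certification revocations (0x30) are left alone.

```python
#!/usr/bin/env python3
"""Strip key-revocation signatures (sigclass 0x20) from an exported OpenPGP keyblock.

Added example, not from the answers above: one-pass equivalent of
gpgsplit + `gpg --list-packets` + cat.  Usage: strip_revocation.py mykey.gpg myfixedkey.gpg
"""
import struct
import sys

PKT_SIGNATURE = 2          # packet tag (RFC 4880 section 4.3)
SIG_KEY_REVOCATION = 0x20  # signature type (RFC 4880 section 5.2.1)


def iter_packets(data: bytes):
    """Yield (tag, raw_packet, body) for each packet in a binary OpenPGP stream.

    Handles old- and new-format headers with definite lengths (RFC 4880 4.2).
    gpg --export does not emit partial body lengths, so those are rejected.
    """
    pos, end = 0, len(data)
    while pos < end:
        start = pos
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {start}")
        if ctb & 0x40:                                   # new-format header
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                            # old-format header
            tag = (ctb >> 2) & 0x0F
            length_type = ctb & 0x03
            if length_type == 0:
                length = data[pos]
                pos += 1
            elif length_type == 1:
                length = struct.unpack(">H", data[pos:pos + 2])[0]
                pos += 2
            elif length_type == 2:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("indeterminate-length packets are not supported")
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {start}")
        pos += length
        yield tag, data[start:pos], body


def signature_class(body: bytes) -> int:
    """Return the signature type byte, i.e. what `gpg --list-packets` prints as sigclass."""
    version = body[0]
    if version == 3:           # v3 layout: version, hashed-length (5), type, ...
        return body[2]
    if version in (4, 5):      # v4/v5 layout: version, type, pubkey alg, hash alg, ...
        return body[1]
    raise ValueError(f"unsupported signature version {version}")


def strip_revocations(keyblock: bytes) -> tuple:
    """Return (keyblock without 0x20 signatures, indexes of the packets dropped)."""
    kept, dropped = bytearray(), []
    for index, (tag, raw, body) in enumerate(iter_packets(keyblock)):
        if tag == PKT_SIGNATURE and signature_class(body) == SIG_KEY_REVOCATION:
            dropped.append(index)
            continue
        kept += raw                      # every other packet is copied byte-for-byte
    return bytes(kept), dropped


# --- constructed sample keyblock: dummy bodies, NOT a real key, just valid framing ---
def _old_packet(tag: int, body: bytes) -> bytes:
    return bytes([0x80 | (tag << 2), len(body)]) + body       # old format, 1-byte length


def _new_packet(tag: int, body: bytes) -> bytes:
    return bytes([0xC0 | tag, len(body)]) + body              # new format, length < 192


def _v4_sig(sigclass: int, tail: bytes) -> bytes:
    return bytes([4, sigclass, 1, 8, 0, 0, 0, 0]) + tail      # v4, RSA, SHA-256, no subpackets


SAMPLE_KEYBLOCK = (
    _old_packet(6, b"\x04\x5f\x00\x00\x00\x01\x00\x08\xc3")        # public key (dummy MPI)
    + _new_packet(2, _v4_sig(0x20, b"\xab\xcd\x00\x08\x7b"))      # key revocation, right after the key
    + _new_packet(13, b"Alice Example <alice@example.org>")        # user ID
    + _new_packet(2, _v4_sig(0x13, b"\x12\x34\x00\x08\x5a"))      # positive self-certification
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYBLOCK
    fixed, dropped = strip_revocations(data)
    print(f"dropped {len(dropped)} revocation packet(s) at packet index {dropped}")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(fixed)
```

Two practical notes. First, `gpg --import` merges into an existing key rather than replacing it, which is why both answers delete the old public key (with --expert, since the secret key stays) before importing the stripped one; importing over the still-revoked key would leave the 0x20 packet in place. Second, this only helps while the revocation exists solely in your local keyring: if it has already reached a keyserver, the next `--refresh-keys` or `--recv-keys` will merge the revocation signature straight back in, which is the point the answers make about published revocations.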