Why has my gpg key been revoked (should I be concerned)?
I've been using my public/private key pair for multiple years on my own machine for local purposes only and I've experienced the yearly expiration.
However, this time (around the time my key usually expires) gpg says:
gpg2 --list-keys
/home/user/.gnupg/pubring.kbx
--------------------------------
pub rsa4096 2016-11-22 [SC] [widerrufen: 2016-11-25]
KEY123456789
uid [ widerrufen] My Name (Me) <[email protected]>
I'm 100% sure I didn't revoke my key. Since my gpg version is localized and says "widerrufen", which should translate to "revoked", I tried expiring it nonetheless (via gpg --edit-key and subsequently expire and 1y), but to no avail:
gpg: Beglaubigung fehlgeschlagen: Verarbeitung wurde abgebrochen
gpg: make_keysig_packet failed: Verarbeitung wurde abgebrochen
Which should translate to:
gpg: Authentication failed: Processing aborted
gpg: make_keysig_packet failed: Processing aborted
Also, I'm confused why it says that it has been revoked on 2016-11-25. Is this an old key? Is it possible that my regular key has been removed from the key-ring without me noticing?
I read in Un-revoke PGP key that I should be able to reimport my key. However, I'm concerned that my system has been compromised, as I'm not able to explain why my key got revoked in the first place.
Is there an explanation for this?
Also, I'm confused why it says that it has been revoked on 2016-11-25.
The revoked date reflects the date the revocation certificate was generated, not the date the revocation was applied to the key.
As far as how it happened, all that can be certain is the revocation certificate used was not the one automatically generated at the time of key creation - this is evidenced by the fact the key creation time and revocation date are not identical:
pub rsa4096 2016-11-22 [SC] [widerrufen: 2016-11-25]
3 days after the key was created, you (or, if the key had no password protection, possibly someone else with access to your computer) generated a revocation certificate using gpg --gen-revoke name. Do you recall generating this revocation certificate? If so, do you remember where you stored it?
Unless you have an encrypted home directory, anyone with access to your computer could import the revocation certificate to your keyring.
Is this an old key? Is it possible that my regular key has been removed from the key-ring without me noticing?
Sure, that's possible. If you want to make sure this is the right key, try verifying some signature you made with it prior to revocation.
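The comparison made in the answer above (key creation date versus the date carried by the revocation signature) can be read from GnuPG's machine-readable listing. This is an added example, not part of the original posts; it assumes `gpg --list-sigs --with-colons` output with epoch-second timestamps, and the sample listing, key IDs and addresses in it are constructed.

```python
from datetime import datetime, timezone

# Constructed sample in the layout of `gpg --list-sigs --with-colons`
# (key IDs, hashes and addresses are made up for this example).
SAMPLE = """\
pub:r:4096:1:AAAAAAAAAAAAAAAA:1479816000:::-:::sc::::::23::0:
rev:::1:AAAAAAAAAAAAAAAA:1480075200::::My Name (Me) <me@example.invalid>:20x:::::8:
uid:r::::1479816000::0000::My Name (Me) <me@example.invalid>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1479816000::::My Name (Me) <me@example.invalid>:13x:::::8:
pub:u:4096:1:BBBBBBBBBBBBBBBB:1500000000:1600000000::u:::scESC::::::23::0:
uid:u::::1500000000::0000::Other Key <other@example.invalid>::::::::::0:
sig:::1:BBBBBBBBBBBBBBBB:1500000000::::Other Key <other@example.invalid>:13x:::::8:
"""


def _day(ts):
    """Convert an epoch-seconds field to a UTC calendar date."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).date()


def revocations(colon_listing):
    """Return one dict per key revocation signature (class 0x20) found."""
    found, key = [], None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # Field 5 = key ID, field 6 = creation time.
            key = {"keyid": f[4], "created": _day(f[5])}
        elif f[0] == "rev" and key and len(f) > 10 and f[10].startswith("20"):
            # Field 5 = issuer key ID, field 6 = time the revocation was made,
            # field 11 = signature class (20 = revocation of the key itself).
            made = _day(f[5])
            found.append({
                "keyid": key["keyid"],
                "key_created": key["created"],
                "revocation_made": made,
                "days_after_creation": (made - key["created"]).days,
                "self_issued": f[4] == key["keyid"],
            })
    return found


if __name__ == "__main__":
    for r in revocations(SAMPLE):
        print(r)
```

A `self_issued` value of `True` means the revocation was signed by the key's own secret key rather than by a separate designated revoker key.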