Can I Update My Old Signature?
You cannot modify an existing signature.
- You can revoke the signature. This revocation can be pushed to public key servers. The signature remains on the key, but is marked as revoked.
- You can delete the signature locally. It cannot be deleted from key servers, as they simply merge together all known data for a given key ID.
To Increase Cert Level, Simply Sign Again!
Specify both of these options to gpg:
- --expert will allow you to sign a key that still has a valid signature by the current user.
- --ask-cert-level provides a prompt to solicit your certification level.
To Decrease Cert Level, Revoke and Sign Again.
You'll need to revoke your old signature, then use --ask-cert-level if you want to specify a certification level other than the unspecified default (typically 1).
demo, demo!
If you don't believe me, see the following demonstration.
A. --expert alone does not solicit certification level:
larz@eternity:~$ gpg --expert -u 4CD57CA99B54E8A0F762E5A21D79944521E6D842 --sign-key 224015CECD89E47B9A8E35AB828CC2FAE69850F8
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 3 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
sec rsa2048/828CC2FAE69850F8
created: 2017-05-05 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/D7910878D40D58A0
created: 2017-05-05 expires: never usage: E
[ultimate] (1). larz. <larz@foreverlarz.com>
"larz. <larz@foreverlarz.com>" was already signed by key 1D79944521E6D842
Do you want to sign it again anyway? (y/N) y
sec rsa2048/828CC2FAE69850F8
created: 2017-05-05 expires: never usage: SC
trust: ultimate validity: ultimate
Primary key fingerprint: 2240 15CE CD89 E47B 9A8E 35AB 828C C2FA E698 50F8
larz. <larz@foreverlarz.com>
Are you sure that you want to sign this key with your
key "new guy <hi@newguy.com>" (1D79944521E6D842)
Really sign? (y/N) y
larz@eternity:~$
B. Without --expert, one cannot sign a key if already signed:
larz@eternity:~$ gpg -u 4CD57CA99B54E8A0F762E5A21D79944521E6D842 --sign-key 224015CECD89E47B9A8E35AB828CC2FAE69850F8
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 3 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
sec rsa2048/828CC2FAE69850F8
created: 2017-05-05 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/D7910878D40D58A0
created: 2017-05-05 expires: never usage: E
[ultimate] (1). larz. <larz@foreverlarz.com>
"larz. <larz@foreverlarz.com>" was already signed by key 1D79944521E6D842
"larz. <larz@foreverlarz.com>" was already signed by key 1D79944521E6D842
Nothing to sign with key 1D79944521E6D842
Key not changed so no update needed.
larz@eternity:~$
C. --expert --ask-cert-level allows one to sign a key again, and also solicits a certification level:
larz@eternity:~$ gpg --expert --ask-cert-level -u 4CD57CA99B54E8A0F762E5A21D79944521E6D842 --sign-key 224015CECD89E47B9A8E35AB828CC2FAE69850F8
sec rsa2048/828CC2FAE69850F8
created: 2017-05-05 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/D7910878D40D58A0
created: 2017-05-05 expires: never usage: E
[ultimate] (1). larz. <larz@foreverlarz.com>
"larz. <larz@foreverlarz.com>" was already signed by key 1D79944521E6D842
Do you want to sign it again anyway? (y/N) y
"larz. <larz@foreverlarz.com>" was already signed by key 1D79944521E6D842
Do you want to sign it again anyway? (y/N) y
sec rsa2048/828CC2FAE69850F8
created: 2017-05-05 expires: never usage: SC
trust: ultimate validity: ultimate
Primary key fingerprint: 2240 15CE CD89 E47B 9A8E 35AB 828C C2FA E698 50F8
larz. <larz@foreverlarz.com>
How carefully have you verified the key you are about to sign actually belongs
to the person named above? If you don't know what to answer, enter "0".
(0) I will not answer. (default)
(1) I have not checked at all.
(2) I have done casual checking.
(3) I have done very careful checking.
Your selection? (enter '?' for more information): 3
Are you sure that you want to sign this key with your
key "new guy <hi@newguy.com>" (1D79944521E6D842)
I have checked this key very carefully.
Really sign? (y/N) y
larz@eternity:~$
D. Resultant signatures:
larz@eternity:~$ gpg --check-sigs 224015CECD89E47B9A8E35AB828CC2FAE69850F8
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 3 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: 5 good signatures
pub rsa2048 2017-05-05 [SC]
224015CECD89E47B9A8E35AB828CC2FAE69850F8
uid [ultimate] larz. <larz@foreverlarz.com>
sig!3 828CC2FAE69850F8 2017-05-05 larz. <larz@foreverlarz.com>
sig! 1D79944521E6D842 2017-05-12 new guy <hi@newguy.com>
sig! 1D79944521E6D842 2017-05-12 new guy <hi@newguy.com>
sig!3 1D79944521E6D842 2017-05-12 new guy <hi@newguy.com>
sub rsa2048 2017-05-05 [E]
sig! 828CC2FAE69850F8 2017-05-05 larz. <larz@foreverlarz.com>
larz@eternity:~$
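Because re-signing adds signatures rather than replacing them, it helps to audit what has accumulated on a key. The following is an added example, not part of the original answer: a shell function that reads a listing in the layout of section D and reports, for each third-party signer, how many certifications sit on the user IDs and the highest level among them. It assumes the --check-sigs layout shown above; the names sample_listing and summarize_certs are made up for this example.

```shell
#!/usr/bin/env bash
# Added example. sample_listing and summarize_certs are hypothetical names.

# Constructed sample: the listing from section D above.
sample_listing() {
  cat <<'EOF'
pub rsa2048 2017-05-05 [SC]
224015CECD89E47B9A8E35AB828CC2FAE69850F8
uid [ultimate] larz. <larz@foreverlarz.com>
sig!3 828CC2FAE69850F8 2017-05-05 larz. <larz@foreverlarz.com>
sig! 1D79944521E6D842 2017-05-12 new guy <hi@newguy.com>
sig! 1D79944521E6D842 2017-05-12 new guy <hi@newguy.com>
sig!3 1D79944521E6D842 2017-05-12 new guy <hi@newguy.com>
sub rsa2048 2017-05-05 [E]
sig! 828CC2FAE69850F8 2017-05-05 larz. <larz@foreverlarz.com>
EOF
}

# Read a `gpg --check-sigs` listing on stdin; for each third-party signer of a
# user ID print "<keyid> sigs=<count> max_level=<1-3|unspecified>".
summarize_certs() {
  awk '
    /^pub/ { section = "pub"; next }
    /^uid/ { section = "uid"; next }
    /^sub/ { section = "sub"; next }
    section == "pub" {            # fingerprint line: long key ID = last 16 hex
      fp = $0; gsub(/[ \t]/, "", fp)
      if (length(fp) == 40 && fp ~ /^[0-9A-F]+$/) self = substr(fp, 25)
      next
    }
    section == "uid" && /^sig/ {  # certifications on user IDs only
      lvl = ($1 ~ /[1-3]$/) ? substr($1, length($1)) + 0 : 0
      kid = ""
      for (i = 2; i <= NF && kid == ""; i++)
        if (length($i) == 16 && $i ~ /^[0-9A-F]+$/) kid = $i
      if (kid == "" || kid == self) next   # skip self-signatures
      if (!(kid in count)) order[++n] = kid
      count[kid]++
      if (lvl > max[kid]) max[kid] = lvl
    }
    END {
      for (j = 1; j <= n; j++) {
        k = order[j]
        print k " sigs=" count[k] " max_level=" (max[k] ? max[k] : "unspecified")
      }
    }'
}

sample_listing | summarize_certs
```

To audit a real key, pipe the output of gpg --check-sigs for that key into summarize_certs instead of the constructed sample.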