How to actually revoke a GitHub GPG key?

[Vectorial1024]

Select Topic Area

Question

Body

I am eventually told I can revoke old GitHub GPG keys while still marking older commits as verified: https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account

To verify as many of your commits as possible, you can add expired and revoked keys. If the key meets all other verification requirements, commits that were previously signed by any of the corresponding private keys will show as verified and indicate that their signing key is expired or revoked.

Am I right to think that, to "revoke" the key, I just need to send in a "new" GPG key but with the "revoked" status? Or just remove the old key and send it in again but with the revoked status?

[Vectorial1024]

Experimented on this a bit, and basically, yes, revoke the key and re-add it to GitHub.

Ideally, you should add an expiry date to your keys when they are being created, but let's say your keys do not expire, and you want to revoke them. GitHub does recommend not setting an expiration date for your keys; see https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key . Let's say you suddenly want to revoke a GitHub GPG key.

Here are the steps:

1. List keys & find your key

gpg --list-keys --keyid-format=long / gpg --list-secret-keys --keyid-format=long

2. Note your key ID; this value will replace KEYID in upcoming steps

See, for example:

pub   rsa4096/KEYID 0000-00-00 [SC]
      KEY_FINGERPRINT
uid [...]
sub   rsa4096/0000000000000000 0000-00-00 [E]

3. Revoke your key; export the revocation certificate

gpg --output revoke.asc --gen-revoke KEYID

4. Import the revocation certificate back to your (local) keyring

gpg --import revoke.asc

5. Check that your key is revoked

See revocation certificate imported
gpg --list-keys
See [revoked] USERNAME (GitHub) or something like that

6. Export your now-revoked public key

gpg --output public.pgp --armor --export KEYID

7. On GitHub, find the same key and delete it
8. Add your now-revoked public key (i.e., public.pgp) to GitHub
9. Your commits should say "verified (expired)"

Reference: https://superuser.com/questions/1526283/how-to-revoke-a-gpg-key-and-upload-in-gpg-server

[loicalbertin]

I'm also experimenting about this but on step 7 I get this error message when importing to revoked public key: "The key was not added because the primary key is compromised"

Any clue?

[Vectorial1024]

Terminology: a GPG primary key can be used to sign data. Ref: https://www.reddit.com/r/GnuPG/comments/hxner0/what_is_primary_key_and_subkey/

When you revoke a GPG key, you can select a reason of revokation, which usually has the following:

• No particular reason
• Key unused
• Key compromised

All of the above will revoke the key, but the revokation reason is stored inside the revokation certificate.

Outside of security best practices to reject "revoked (compromised)" keys, there is no reason to accept such keys because being compromised means there is someone else who has the same key, so the commits that "you" made with that key might not actually be from you. Contrast with "revoked (unused)" where the key is still only used by you, but you are now e.g. using another key due to regular key rotation.

Just in case, know that GitHub has a safe mode where commits with no/invalid signatures will be shown as "unverified".

My question was targeted towards general key revokation (e.g. I picked "no particular reason") but not compromised key revokation. If you are revoking a compromised key, simply remove the key from GitHub.

[ReenigneArcher]

This worked, but I had to replace the command in step 1 with gpg --list-secret-keys --keyid-format LONG to get the key id.

[Vectorial1024]

Thanks @ReenigneArcher for the discovery. I recently revisited this post to troubleshoot some GitHub key-related issues, and indeed, only doing --list-keys does not display the KEYID, and your pointed out --keyid-format=long is needed to display the KEYID. I have updated the answer to include this information.

[frankpengau]

Thanks! This helped me out as I need to revoke my gpg key, as it was no longer accepting my passphrase.

[frankpengau]

Not sure if correlation or causation, but realised that at a similar time as when I was experiencing issues with signing my commits with my gpg key, there was problems with gpg for GitHub cli (gh).

Ref: cli/cli#9569

[SwuduSusuwu]

What about ssh signing; how to revoke?
Know that ssh's version of gpg --list-keys is ssh-add -l,
but don't know if ssh has an equivalent to gpg --output revoke.asc --gen-revoke KEYID; what to do?
Was used for around 2 years, on numerous devices, so:

• don't want to allow new commits with that old certificate
• but don't want "Unverified" to show on all old commits.

[SwuduSusuwu]

how to revoke?

Was worried due to:
, but https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#persistent-commit-signature-verification says that old commits are still valid after thus.
Old commits did not change to "Unverified" after deleted old SSH certificate from GitHub.
Still wish to know how to set those to expire, though.

[nihil-admirari]

Old commits did not change to "Unverified" after deleted old SSH certificate from GitHub.

The stay verified only on GitHub. In order to do e.g. local verification, one needs a public key. After SSH signing key is removed, local commit verification is no longer possible.