I am making my own gpg server (based on the MIT one). I noticed something weird in the GPG chain of trust.
- I create my `VeryTrustedKey`. I push it to my gpg server. In my code, I force all users to have `full` trust for this key. It will be the `trusted introducer` for all users.
- A user `User1` uploads his key `key1` to my server. It is signed by `VeryTrustedKey` on day 1 of the upload.
- On day 2, a user `User2` imports this `key1` key. Because `User2` has `full` trust on `VeryTrustedKey`, he also has `full` trust on `key1`.
- On day 3, `User1` loses his private key. `VeryTrustedKey` revokes the signature it has with `key1`.

The issue is that on day 4, `User2` still fully trusts `key1`, even after refreshing from the server (a refresh by command line using `gpg --recv-key KEYID` then `gpg --refresh-keys`).

Is that normal? How can I make it so that trust will go away on a `trust introducer` revocation?
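The check below is an added example, not part of the original post: it reads `gpg --with-colons --list-sigs KEYID` output taken on `User2`'s side after the refresh and reports, per user ID, whether the introducer's certification is still in force and whether the computed validity nevertheless reads `f`. The sample listing, key IDs, timestamps and the function name `introducer_status` are constructed for illustration; it assumes epoch-second timestamps, which is what gpg 2.x prints.

```python
# Constructed sample of `gpg --with-colons --list-sigs` output for key1 after the
# refresh. Key IDs, timestamps and the uid hash are made up for this example.
SAMPLE = """\
pub:f:2048:1:AAAAAAAAAAAAAAA1:1700000000:::-:::scESC::::::23::0:
uid:f::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::User1 <user1@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAA1:1700000000::::User1 <user1@example.org>:13x:::::8:
sig:::1:BBBBBBBBBBBBBBB2:1700086400::::VeryTrustedKey:10x:::::8:
rev:::1:BBBBBBBBBBBBBBB2:1700259200::::VeryTrustedKey:30x,00:::::8:
"""

CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP certification signature classes
REVOKE_CLASS = "30"                      # certification revocation signature


def introducer_status(colons, introducer_keyid):
    """Return one dict per user ID with the state of the introducer's certification."""
    wanted = introducer_keyid.upper()
    results, current = [], None
    for line in colons.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "uid":
            # Field 2 is the validity gpg computed for this user ID, field 10 the name.
            current = {"uid": f[9], "validity": f[1], "certified": 0, "revoked": 0}
            results.append(current)
        elif rec in ("pub", "sec", "sub", "ssb"):
            current = None  # signatures that follow belong to a key, not a user ID
        elif current is not None and rec in ("sig", "rev"):
            if not f[4].upper().endswith(wanted):
                continue  # issued by some other key
            sigclass, created = f[10][:2], int(f[5] or 0)
            if rec == "sig" and sigclass in CERT_CLASSES:
                current["certified"] = max(current["certified"], created)
            elif rec == "rev" and sigclass == REVOKE_CLASS:
                current["revoked"] = max(current["revoked"], created)
    for r in results:
        # A revocation cancels earlier certifications; a later one re-certifies.
        r["cert_active"] = r["certified"] > r["revoked"]
        # Validity 'f' with no active certification from the introducer: either
        # another introducer vouches for the key or the computed validity is outdated.
        r["stale"] = (not r["cert_active"]) and r["validity"] == "f"
    return results


if __name__ == "__main__":
    for row in introducer_status(SAMPLE, "BBBBBBBBBBBBBBB2"):
        print(row)
```

If the `rev` record is absent from the listing, the revocation never reached the local keyring, and the problem is on the server or refresh side rather than in the validity calculation.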