Cannot delete or reassign a gpg key

Bug #1009551 reported by Curtis Hovey
This bug affects 6 people
Affects: Launchpad itself
Importance: Low
Assigned to: Unassigned

Bug Description

Users can deactivate gpg keys, but they cannot delete them so that they can re-register them for another profile.

e.g.
I have split my personal & my work profiles on Launchpad. Please move my work GPG key across to my work profiles.

Curtis Hovey (sinzui) wrote :

We may want Launchpad Admins to see a delete action next to each gpg key.

tags: added: gpg users
Changed in launchpad:
importance: Undecided → Low
status: New → Triaged
tags: added: canonical-losa-lp chr

William Grant (wgrant) wrote :

GPG keys can't usually be deleted, since SourcePackageRelease.dscsigningkey references them forever.

Jérémie Roquet (jroquet) wrote :

Could it be possible to delete PGP keys that have never been used? I'd like the key associated to my ~jroquet account (the one I'm using to write this) to be deleted, so that I can use it with my ~arkanosis account, which is the only one I plan to use from now on. Thanks!

Jérémie Roquet (arkanosis) wrote :

After thinking a bit about it, I'm now wondering why one can't use the same PGP keys with multiple accounts, to begin with. Does anyone know? Thanks!

Dimitri John Ledkov (xnox) wrote :

If you think about it for a little bit, I think you can derive an answer. Usually GPG keys are part of the Web of Trust and represent a person or a role. It is public-key cryptography, and not a shared secret. Launchpad allows privileged operations based on the GPG key signatures alone over otherwise untrusted protocols (dput package uploads), which thus must uniquely resolve to accounts.
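
The constraints described in the comments by William Grant and Dimitri John Ledkov above can be seen in a small SQLite model. This is an added example, not part of the thread and not Launchpad's code: the schema, function names and account names are assumptions, and only the `dscsigningkey` reference comes from the page.

```python
import sqlite3

def open_model():
    # Toy schema: an assumption, not Launchpad's. Only dscsigningkey is named on the page.
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript("""
        CREATE TABLE gpgkey (
            id INTEGER PRIMARY KEY, owner TEXT NOT NULL,
            fingerprint TEXT NOT NULL UNIQUE,  -- one key resolves to one account
            active INTEGER NOT NULL DEFAULT 1);
        CREATE TABLE sourcepackagerelease (
            dscsigningkey INTEGER NOT NULL REFERENCES gpgkey(id) ON DELETE RESTRICT);
    """)
    return db

def register_key(db, fingerprint, owner):
    # Raises sqlite3.IntegrityError if any account, active or not, holds the key.
    db.execute("INSERT INTO gpgkey (fingerprint, owner) VALUES (?, ?)", (fingerprint, owner))

def resolve_uploader(db, fingerprint):
    # Account authorised by a verified signature; None if unknown or deactivated.
    row = db.execute("SELECT owner FROM gpgkey WHERE fingerprint = ? AND active = 1",
                     (fingerprint,)).fetchone()
    return row[0] if row else None

def record_upload(db, fingerprint):
    # Accept a signed upload; the release row references the key from then on.
    db.execute("INSERT INTO sourcepackagerelease (dscsigningkey) "
               "SELECT id FROM gpgkey WHERE fingerprint = ? AND active = 1", (fingerprint,))
    return resolve_uploader(db, fingerprint)

def deactivate_key(db, fingerprint):
    db.execute("UPDATE gpgkey SET active = 0 WHERE fingerprint = ?", (fingerprint,))

def delete_key(db, fingerprint):
    # False when a release still references the key (ON DELETE RESTRICT).
    try:
        db.execute("DELETE FROM gpgkey WHERE fingerprint = ?", (fingerprint,))
        return True
    except sqlite3.IntegrityError:
        return False

def reassign_if_unused(db, fingerprint, new_owner):
    # Hypothetical policy from the thread: move a key only if it never signed a release.
    cur = db.execute(
        "UPDATE gpgkey SET owner = ?, active = 1 WHERE fingerprint = ? AND id NOT IN "
        "(SELECT dscsigningkey FROM sourcepackagerelease)", (new_owner, fingerprint))
    return cur.rowcount == 1
```

In this model a deactivated key still occupies its fingerprint, so a second account cannot register it; that is the situation the bug description reports.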

Jérémie Roquet (arkanosis) wrote :

Dear Dimitri,

Thank you for your kind answer.

I totally understand what you mean and I don't share my keys with anyone, but what about people like me with several accounts? Is it against some policy on Launchpad? Not that I'd have any problem with this, just asking.

In my case, my trusted GPG key has been associated with a Launchpad account (jroquet) which is not the one I'm known to use (arkanosis) — my own mistake — so I'm unable to sign packages with my trusted key and my known account.

I wouldn't mind the key being de-associated from the jroquet account (as it has never been used to sign packages so far), or even the jroquet account being deleted (if having two accounts is against some policy). Is something possible here? Should I open a specific bug for this for tracking?

Thanks again and best regards,
