Automatically generate GPG revocation certificates

OpenPGP establishes trust through the web of trust: if I trust your key and you have signed his, I can probably trust his key too. This only works as long as I can trust your key, though.

Our keys are important and maintaining them is vital; after all, they tell the world that we said this. Once a key has been made and published, that is really it: it is out in the world until everything ends, and the keyservers offer no way to take it back. So if you no longer have access to the key you have to let people know to stop using it too. This is called revocation. It is a special signature you make over your own key that marks it as revoked; once a key is revoked, nobody will encrypt to it any more and its signatures are no longer trusted. The problem is that you need the secret key in order to generate this signature, so if you have lost the secret key (or forgotten its passphrase) you can no longer revoke it, unless you did as you should have and created the revocation certificates beforehand.

Too many people put this off, or worse, forget to do it at all, so I have created a small bash script to automate the process. You can download it below and see the source as well. Once downloaded, you just need to change the KEYS variable to list the key IDs you wish to generate certificates for. For each key it writes one revocation certificate per reason code (0 to 3) and also backs up your public and private keys. You have to keep all of these safe: anyone holding a revocation certificate can revoke your key by publishing it, and the secret-key backup is only as protected as its passphrase.


#!/bin/bash
# Back up each key listed in KEYS and generate one revocation certificate per reason code.
# The variable definitions below are assumed defaults; only KEYS needs editing.
GPG="gpg"
GPGHOME="--homedir $HOME/.gnupg"
KEYS="0123456789ABCDEF"                     # space-separated key IDs to process (edit this)
NXHOME="$HOME/gpg-backup"                   # destination for backups and certificates
INPUTFILE="$(mktemp)"                       # scripted answers for --gen-revoke

GenRevoke() {
   KEYID="$1"; CODE="$2"; REASON="$3"
   # Answers to the --gen-revoke prompts, one per line: create? y, reason code (0-3),
   # optional description, blank line to end the description, confirm y.
   printf '%s\n' "y" "$CODE" "$REASON" "" "y" "" > "$INPUTFILE"
   # Needs the secret key; GnuPG 2.1+ asks for its passphrase through pinentry.
   $GPG $GPGHOME --command-fd 0 --status-fd 2 -a -o "./$CODE - $REASON.asc" --gen-revoke "$KEYID" < "$INPUTFILE"
   rm -f "$INPUTFILE"
}

BackUpKey() {
   KEYID="$1"
   echo "Key ID: $KEYID"
   if [ -d "$NXHOME/$KEYID" ] ; then rm -fr "$NXHOME/$KEYID"; fi

   mkdir -p "$NXHOME/$KEYID"; cd "$NXHOME/$KEYID" || exit 1
   # Armored copies of the public and secret key (the .asc extension implies --armor;
   # the public-key file name is assumed by symmetry with the secret-key one)
   $GPG $GPGHOME --armor --output "$KEYID.pub.asc" --export "$KEYID"
   $GPG $GPGHOME --armor --output "$KEYID.sec.asc" --export-secret-keys "$KEYID"

   mkdir -p "$NXHOME/$KEYID/Revoke $KEYID"
   cd "$NXHOME/$KEYID/Revoke $KEYID" || exit 1
   # Reason codes as numbered in gpg's --gen-revoke menu
   GenRevoke "$KEYID" 0 "No reason specified"
   GenRevoke "$KEYID" 1 "Key has been compromised"
   GenRevoke "$KEYID" 2 "Key is superseded"
   GenRevoke "$KEYID" 3 "Key is no longer used"
}

if [ ! -d "$NXHOME" ] ; then mkdir -p "$NXHOME"; fi

for KEY in $KEYS ; do
   BackUpKey "$KEY"
done
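What each of those .asc files actually contains is a single OpenPGP signature packet of type 0x20 (key revocation) carrying a "reason for revocation" subpacket. The Python below is an added example, not code from this post or from GnuPG: it de-armors a certificate, checks the armor CRC24 trailer, walks the packet and subpacket headers as laid out in RFC 4880, and reports the signature type and reason, which is a useful sanity check on a certificate you have been keeping in a drawer. It does not verify the signature itself (gpg does that when the certificate is imported), and to run offline it builds its own sample certificate with a placeholder signature value and a made-up issuer key ID; all function names are mine. One caveat the code makes visible: the numbers in gpg's --gen-revoke menu (1 = compromised, 2 = superseded) are not the RFC 4880 reason codes stored in the file (1 = superseded, 2 = compromised), so read the code from the certificate rather than from the file name when it matters.

```python
import base64
import struct

SIG_KEY_REVOCATION = 0x20                       # signature type: primary key revocation
SUBPKT_CREATION_TIME, SUBPKT_ISSUER, SUBPKT_REVOCATION_REASON = 2, 16, 29
# RFC 4880 5.2.3.23 codes as stored in the file (gpg's menu numbers them differently)
REASON_NAMES = {0: "no reason specified", 1: "key is superseded",
                2: "key material has been compromised",
                3: "key is retired and no longer used", 32: "user ID no longer valid"}

def crc24(data: bytes) -> int:                  # armor checksum, RFC 4880 6.1
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:                # strip armor, verify CRC24, return raw packets
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    while body and (":" in body[0] or body[0] == ""):   # "Comment: ..." headers, blank line
        body.pop(0)
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    raw = base64.b64decode("".join(body))
    if crc_line and crc24(raw) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC24 mismatch: certificate is corrupt or truncated")
    return raw

def read_length(buf: bytes, i: int, packet: bool = False):   # 1-, 2- or 5-octet length at buf[i]
    l1 = buf[i]
    if l1 < 192:
        return l1, i + 1
    if l1 < (224 if packet else 255):           # packets reserve 224..254 for partial bodies
        return ((l1 - 192) << 8) + buf[i + 1] + 192, i + 2
    if l1 == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body length not expected in a certificate")

def read_packet(data: bytes, off: int = 0):     # returns (tag, body, next offset)
    first = data[off]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                                # new-format header
        tag = first & 0x3F
        length, start = read_length(data, off + 1, packet=True)
    else:                                           # old-format header; gpg emits this for tag 2
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length not supported")
        size = (1, 2, 4)[ltype]
        length, start = int.from_bytes(data[off + 1:off + 1 + size], "big"), off + 1 + size
    return tag, data[start:start + length], start + length

def read_subpackets(blob: bytes):               # yields (type, payload); high bit = critical flag
    i = 0
    while i < len(blob):
        length, i = read_length(blob, i)
        yield blob[i] & 0x7F, blob[i + 1:i + length]
        i += length

def inspect_revocation(armored: str) -> dict:
    tag, body, _ = read_packet(dearmor(armored))
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a v4 signature packet (tag 2)")
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    hashed, unhashed = body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]
    info = {"sig_type": body[1], "is_key_revocation": body[1] == SIG_KEY_REVOCATION,
            "pubkey_algo": body[2], "hash_algo": body[3], "issuer": None, "reason_code": None, "reason_text": ""}
    for area, signed in ((hashed, True), (unhashed, False)):
        for stype, payload in read_subpackets(area):
            if stype == SUBPKT_ISSUER:
                info["issuer"] = payload.hex().upper()
            elif stype == SUBPKT_REVOCATION_REASON and signed:  # trust only the signed area
                info["reason_code"] = payload[0]
                info["reason_text"] = payload[1:].decode("utf-8", "replace")
    info["reason_name"] = REASON_NAMES.get(info["reason_code"], "unknown")
    return info

def build_sample_cert(reason_code: int, reason_text: str,
                      issuer_hex: str = "0123456789ABCDEF") -> str:
    # Constructed sample for offline use: valid structure, placeholder signature MPI.
    def subpkt(stype, payload):                     # one-octet subpacket length (< 192)
        inner = bytes([stype]) + payload
        return bytes([len(inner)]) + inner
    hashed = (subpkt(SUBPKT_CREATION_TIME, struct.pack(">I", 1600000000))
              + subpkt(SUBPKT_REVOCATION_REASON, bytes([reason_code]) + reason_text.encode()))
    unhashed = subpkt(SUBPKT_ISSUER, bytes.fromhex(issuer_hex))
    body = (bytes([4, SIG_KEY_REVOCATION, 1, 8])    # v4, type 0x20, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x00\x00" + struct.pack(">H", 1) + b"\x01")  # hash prefix + placeholder MPI
    packet = bytes([0x80 | (2 << 2), len(body)]) + body      # old-format tag 2, 1-octet length
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed sample, not a real key\n\n"
            + base64.b64encode(packet).decode() + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Running inspect_revocation on one of the script's output files should report is_key_revocation True and the issuer equal to your key ID; the reason is only read from the hashed area because the unhashed area is not covered by the signature and could be edited by anyone who holds the file.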

© 2020. Some rights reserved. The contents of this site is released under a Creative Commons Attribution-Share Alike license.