Handling OpenPGP Private Keys for Unit Testing

I am working on a project where the software performs cryptographic operations through a GnuPG binary. Some functions produce OpenPGP-encrypted output, and some accept OpenPGP-encrypted input.

For a unit test, my plan is to create a passwordless key for unittest@project.example.com and include it in the repository. This will naturally make the key unusable in production, but that's fine since users have to generate/use their own key.


Now to my question. If a key is included in the repository, anyone can upload it to a key server, use it to sign their own key, or revoke it (and upload the revocation). GPG can automatically download keys from keyservers, and it seems unwise to have such a key (where the private key is publicly available) in private keychains.

Is it possible to upload the revoked version of the key to the keyserver (so that no keychain will trust it) and include the version of the key in the repo where the key is not revoked? Would this address the concern of the key appearing in, and being trusted by, a private keychain, while still allowing unit testing with the same key?

+3

1 answer


Revoking the key on the keyservers while including the unrevoked version in the repository will work without issue, unless you fetch the revoked version from the keyservers. Just make a copy before revoking the key and make sure to use a local or even a new GnuPG home directory (you should do this anyway to keep unit tests reproducible and keep them separate from your developer account). So, you need to make sure that you don't have the revocation certificate in your keychain unless someone manually fetches it (which they shouldn't; you might want to document this somewhere).
Another option to consider is keeping the master secret key private and publishing only the secret subkey. This can make subsequent changes to the key actually used for encryption easier and prevents others from interacting with the primary key (creating user IDs, revoking anything, issuing certifications, ...).

+1
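The workflow from the answer above, as an added example that is not part of the original post: generate the passwordless test key in a throwaway GNUPGHOME, export the unrevoked copies (full secret key and, per the second paragraph, subkeys only) for the repository, then revoke the scratch copy and export the revoked public key, which is the one to publish. It assumes GnuPG 2.1 or later (for the automatically written revocation certificate in `openpgp-revocs.d`); the address, output directory and keyserver URL are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: build the unit-test key set the answer
# describes in a throwaway GNUPGHOME. Address, OUT_DIR and the keyserver URL are placeholders.
set -eu

UID_ADDR="unittest@project.example.com"
OUT_DIR="${OUT_DIR:-./testkeys}"

make_test_keys() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME   # scratch home: developer keyring untouched
    mkdir -p "$OUT_DIR"
    # 1. Passwordless key: sign/cert primary plus an encryption subkey, no expiry.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$UID_ADDR" default default never 2>/dev/null
    FPR=$(gpg --batch --with-colons --list-keys "$UID_ADDR" | awk -F: '/^fpr:/ {print $10; exit}')
    # 2. Repository copies, exported BEFORE any revocation enters this keyring.
    gpg --batch --armor --export "$FPR" > "$OUT_DIR/unittest-pub.asc"
    gpg --batch --armor --export-secret-keys "$FPR" > "$OUT_DIR/unittest-sec.asc"
    # Variant from the answer's second paragraph: secret subkeys only, primary kept back.
    gpg --batch --armor --export-secret-subkeys "$FPR" > "$OUT_DIR/unittest-subkeys-only.asc"
    # 3. GnuPG >= 2.1 stores a revocation certificate at key creation, "disarmed" with a
    #    leading colon so it cannot be imported by accident; strip the colon to arm it.
    sed 's/^:-----BEGIN/-----BEGIN/' "$GNUPGHOME/openpgp-revocs.d/$FPR.rev" \
        > "$OUT_DIR/unittest-revocation.asc"
    # 4. Revoke the scratch copy and export it: this is the version for the keyserver,
    #    e.g.  gpg --keyserver hkps://keyserver.example --send-keys "$FPR"  (not run here).
    gpg --batch --quiet --import "$OUT_DIR/unittest-revocation.asc" 2>/dev/null
    gpg --batch --armor --export "$FPR" > "$OUT_DIR/unittest-pub-revoked.asc"
    gpgconf --kill gpg-agent 2>/dev/null || true
    echo "$FPR"
}

# Import one armored public key into a fresh keyring and print its validity field from
# --with-colons ("r" = revoked); a CI check that the repository holds the unrevoked copy.
key_validity() {
    home=$(mktemp -d)
    gpg --batch --quiet --homedir "$home" --import "$1" 2>/dev/null
    gpg --batch --homedir "$home" --with-colons --list-keys 2>/dev/null \
        | awk -F: '/^pub:/ {print $2; exit}'
    rm -rf "$home"
}

if command -v gpg >/dev/null 2>&1; then   # skip silently where GnuPG is not installed
    make_test_keys >/dev/null
    echo "repository copy: $(key_validity "$OUT_DIR/unittest-pub.asc")"
    echo "keyserver copy:  $(key_validity "$OUT_DIR/unittest-pub-revoked.asc")"
fi
```

Point the test suite at the exported `unittest-sec.asc` via its own GNUPGHOME; only `unittest-pub-revoked.asc` ever leaves the repository.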
