I am working on a project where the software does cryptographic operations with a GnuPG binary. Some functions have OpenPGP encrypted output, and some take OpenPGP encrypted input.
In order to unit test, my plan is to generate a passwordless key for unittest@project.example.com and include it in the repository. This will (naturally) make the key unsuitable for production use, but that's fine as users are expected to generate/use their own key.
If the key is included in the repository, anyone can upload it to a key server, use it to sign his/her own key, or revoke it (and upload the revocation). GPG can download keys from key servers automatically, and it seems unwise to have such a key (where the private key is public knowledge) in ones personal keyring.
Is it possible to upload a revoked version of the key to a key server (so no-ones keychain will trust it) and include a version of the key in the repo where the key is not revoked? Would that address the issue of the key appearing and be trusted in a personal keychain, while still allowing for unit testing with the same key?
Revoking the key on the key servers while including the non-revoked version locally will work without problems, unless you actually fetch the revoked version from the key servers. Simply create a copy before revoking the key, and make sure to use a local or even new GnuPG home directory (you should do so anyway, to maintain reproducability of unit tests and keep them seperate from the developer's account). This way, you should be sure you will not have the revocation certificate in your key chain, unless somebody fetches it manually (which he's not supposed to do, you might want to document that somewhere).
Another scenario to consider is keeping the primary secret key private, but only publishing a secret subkey. This might make subsequent changes to the key actually used for encryption easier, and prevent others to mess with the primary key (create user IDs, revoke anything, issue certifications, ...).