[Pkg-gnupg-maint] Bug#489225: gnupg says KEYEXPIRED even when only other subkeys are expired

Peter Palfrader weasel at debian.org
Fri Jul 4 07:35:19 UTC 2008


Package: gnupg
Version: 1.4.9

When verifying a signature by a key that has subkeys, some of which are
expired, GnuPG always prints KEYEXPIRED to the status-fd.  It does this
even if the subkey that signed the message is not the one that expired.

Consider this case:

gpg --status-fd=2 --no-default-keyring --keyring=./debian-keyring.gpg --verify << EOF
heredoc> -----BEGIN PGP SIGNED MESSAGE-----
heredoc> Hash: SHA1
heredoc> 
heredoc> Please change my Debian password
heredoc> -----BEGIN PGP SIGNATURE-----
heredoc> Version: GnuPG v1.4.9 (GNU/Linux)
heredoc> 
heredoc> iEYEARECAAYFAkhtnbwACgkQ1XPVsSmrTN0bzgCcDZXd8t/z/qfqW4aysgfTPB9a
heredoc> POwAoM32nfficYfgyxt2mbKRMzLc92L+
heredoc> =s1uj
heredoc> -----END PGP SIGNATURE-----
heredoc> EOF
gpg: Signature made Fri Jul  4 03:49:16 2008 UTC using DSA key ID 29AB4CDD
[GNUPG:] KEYEXPIRED 1186384360
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID LTMRIlMLc/oZgfzpT1KwiI0xl4k 2008-07-04 1215143356
[GNUPG:] KEYEXPIRED 1186384360
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] GOODSIG D573D5B129AB4CDD Jeremy T. Bouse (Debian Maintainer Key) <jbouse at debian.org>
gpg: Good signature from "Jeremy T. Bouse (Debian Maintainer Key) <jbouse at debian.org>"
[GNUPG:] VALIDSIG C745FA3527B432A691B33935D573D5B129AB4CDD 2008-07-04 1215143356 0 4 0 17 2 01 C745FA3527B432A691B33935D573D5B129AB4CDD
[GNUPG:] TRUST_UNDEFINED
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C745 FA35 27B4 32A6 91B3  3935 D573 D5B1 29AB 4CDD

gpg --status-fd=2 --no-default-keyring --keyring=./debian-keyring.gpg --with-colons --list-key C745FA3527B432A691B33935D573D5B129AB4CDD
tru::1:1201350303:0:3:1:5
[GNUPG:] KEYEXPIRED 1186384360
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
pub:-:1024:17:D573D5B129AB4CDD:2002-03-27:::-:Jeremy T. Bouse (Debian Maintainer Key) <jbouse at debian.org>::scaESCA:
sub:e:2048:16:D832C22513B4538B:2002-03-27:2006-03-26:::::e:
sub:r:1024:17:B5F646FA582CED16:2003-08-07:2007-08-06:::::sa:
sub:r:2048:16:77814A89618EFE36:2006-04-04:2008-09-20:::::e:
sub:-:1024:17:19C9C7BFE660F20F:2006-12-19:2008-12-18:::::s:
sub:-:4096:16:89DD5FEB1FE8A55D:2006-12-19:2008-12-18:::::e:

The key that did the signature is clearly not expired, yet GnuPG warns
all over.  I think this is a bug.  It should only say KEYEXPIRED during
--verify when either the primary or the subkey which created the
signature (if that's the case) has expired.

Peter
-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
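An added example, not from the report or from GnuPG, of the check the report asks for: given the status-fd lines and the --with-colons listing quoted above (trimmed to the records needed and embedded as sample input), it decides whether a KEYEXPIRED line refers to the primary key or to the key that made the signature, or only to some other subkey. It assumes the key ID on the GOODSIG line identifies the signing (sub)key and uses the colon-format field positions visible in the listing.

```python
# Added example (not the report's own code, not GnuPG code): apply the rule
# the reporter proposes, that KEYEXPIRED is only meaningful when the primary
# key or the (sub)key that produced the signature has expired.

# Constructed sample input, copied from the status-fd and --with-colons
# output quoted in the report and trimmed to the records the check needs.
STATUS_FD = """\
[GNUPG:] KEYEXPIRED 1186384360
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] GOODSIG D573D5B129AB4CDD Jeremy T. Bouse (Debian Maintainer Key) <jbouse at debian.org>
[GNUPG:] VALIDSIG C745FA3527B432A691B33935D573D5B129AB4CDD 2008-07-04 1215143356 0 4 0 17 2 01 C745FA3527B432A691B33935D573D5B129AB4CDD
"""

COLON_LISTING = """\
pub:-:1024:17:D573D5B129AB4CDD:2002-03-27:::-:Jeremy T. Bouse (Debian Maintainer Key) <jbouse at debian.org>::scaESCA:
sub:e:2048:16:D832C22513B4538B:2002-03-27:2006-03-26:::::e:
sub:r:1024:17:B5F646FA582CED16:2003-08-07:2007-08-06:::::sa:
sub:r:2048:16:77814A89618EFE36:2006-04-04:2008-09-20:::::e:
sub:-:1024:17:19C9C7BFE660F20F:2006-12-19:2008-12-18:::::s:
sub:-:4096:16:89DD5FEB1FE8A55D:2006-12-19:2008-12-18:::::e:
"""


def parse_listing(listing):
    """Map long key ID -> (record type, validity flag, expiry date).
    In a pub/sub colon record field 2 is the validity ('e' expired,
    'r' revoked, '-' none), field 5 the key ID, field 7 the expiry date."""
    keys = {}
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            keys[f[4]] = (f[0], f[1], f[6])
    return keys


def signing_keyid(status):
    """Long key ID from the GOODSIG line (assumed to be the key that signed)."""
    for line in status.splitlines():
        if line.startswith("[GNUPG:] GOODSIG "):
            return line.split()[2]
    return None


def classify_keyexpired(status, listing):
    """Return (keyexpired_seen, expired keys that justify it, expired keys that do not)."""
    keys = parse_listing(listing)
    seen = any(l.startswith("[GNUPG:] KEYEXPIRED ") for l in status.splitlines())
    primary = next(k for k, (rec, _, _) in keys.items() if rec == "pub")
    relevant = {primary, signing_keyid(status)}
    expired = [k for k, (_, validity, _) in keys.items() if validity == "e"]
    return seen, [k for k in expired if k in relevant], [k for k in expired if k not in relevant]
```

For the report's key this yields a KEYEXPIRED that is justified by no relevant key, only by the long-expired encryption subkey D832C22513B4538B.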