[Pkg-gnupg-maint] Bug#489225: gnupg says KEYEXPIRED even when only other subkeys are expired
Werner Koch
wk at gnupg.org
Fri Jul 4 11:22:44 UTC 2008
On Fri, 4 Jul 2008 09:35, weasel at debian.org said:
> When verifying a signature by a key that has subkeys, some of which are
> expired, GnuPG always prints KEYEXPIRED to the status-fd. It does this
> even if not the subkey that signed the message expired.
That is due to the way we generate this status line. It is a
side-effect of the key/subkey merging-cleanup process. You should not
use it to check whether a signature was made by an expired key.
The proper way to check for this is the

  EXPKEYSIG <long_keyid_or_fpr> <username>
      The signature with the keyid is good, but the signature was
      made by an expired key. The username is the primary one
      encoded in UTF-8 and %XX escaped. The fingerprint may be used
      instead of the long keyid if it is available. This is the
      case with CMS and might eventually also be available for
      OpenPGP.

status. I am not sure whether KEYEXPIRED is at all useful. For
example, GPGME does not use it at all. We can't remove it because it is
better for existing scripts to fail than to claim good for an expired
key. I'll add a few words to the docs.
If you want to check for expired subkeys, it is better to use

  gpg --status-fd=2 --no-default-keyring --keyring=./debian-keyring.gpg --with-colons --list-key C745FA3527B432A691B33935D573D5B129AB4CDD

this and test

  sub:e:2048:16:D832C22513B4538B:2002-03-27:2006-03-26:::::e:
      ^
      !-- for this.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
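The two checks Werner describes, as an added example that is not part of the thread and not GnuPG's own code: a small parser for `--status-fd` output that keys its verdict on GOODSIG/EXPKEYSIG rather than KEYEXPIRED, and a parser for `--with-colons` output that finds pub/sub records whose validity field is `e`. The sample status and colon output below is constructed for the example; the expired `sub` line is the one from the mail, while the `pub` line, the second (unexpired) subkey with the hypothetical keyid `0123456789ABCDEF`, and the user IDs are made up.

```python
import re
from dataclasses import dataclass

STATUS_PREFIX = "[GNUPG:] "


def parse_status(text):
    """Yield (keyword, args) for each '[GNUPG:] ...' line; skip anything else on the fd."""
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
        yield keyword, args


def unescape_userid(s):
    """Undo the %XX escaping of a status-line user ID; the bytes are UTF-8."""
    raw = re.sub(rb"%([0-9A-Fa-f]{2})",
                 lambda m: bytes([int(m.group(1), 16)]),
                 s.encode("utf-8"))
    return raw.decode("utf-8", errors="replace")


@dataclass
class Verdict:
    good: bool                  # GOODSIG or EXPKEYSIG: the signature itself verifies
    signing_key_expired: bool   # EXPKEYSIG: the key that made the signature is expired
    keyexpired_seen: bool       # KEYEXPIRED: emitted if *any* (sub)key is expired, so not usable as a verdict
    keyid: str = ""
    userid: str = ""


def classify_signature(status_text):
    """Classify a single-signature verification from its status-fd output."""
    v = Verdict(good=False, signing_key_expired=False, keyexpired_seen=False)
    for keyword, args in parse_status(status_text):
        if keyword in ("GOODSIG", "EXPKEYSIG"):
            keyid, _, uid = args.partition(" ")
            v.good = True
            v.keyid = keyid
            v.userid = unescape_userid(uid)
            v.signing_key_expired = keyword == "EXPKEYSIG"
        elif keyword == "KEYEXPIRED":
            v.keyexpired_seen = True          # recorded, but deliberately not used for the verdict
        elif keyword in ("BADSIG", "ERRSIG"):
            v.good = False
    return v


def expired_keys(colons_text):
    """Return [(record_type, keyid)] for pub/sub records whose validity field (field 2) is 'e'."""
    found = []
    for line in colons_text.splitlines():
        f = line.split(":")
        if len(f) > 4 and f[0] in ("pub", "sub") and f[1] == "e":
            found.append((f[0], f[4]))
    return found


def key_record_expired(colons_text, keyid_or_fpr):
    """True/False for the pub/sub record matching a long keyid or fingerprint; None if absent."""
    want = keyid_or_fpr.upper()[-16:]       # a fingerprint ends in the long keyid
    for line in colons_text.splitlines():
        f = line.split(":")
        if len(f) > 4 and f[0] in ("pub", "sub") and f[4].upper() == want:
            return f[1] == "e"
    return None


# Constructed status output: signature by a live subkey of a key that also has an
# expired subkey. KEYEXPIRED shows up, but the verdict line is GOODSIG.
STATUS_GOOD_WITH_EXPIRED_SIBLING = """\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1143331200
[GNUPG:] GOODSIG 0123456789ABCDEF Test User <test@example.org>
"""

# Constructed status output: signature actually made by the expired subkey.
STATUS_EXPIRED_SIGNER = """\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1143331200
[GNUPG:] EXPKEYSIG D832C22513B4538B J%C3%BCrgen Test <jt@example.org>
"""

# Constructed --with-colons listing; the expired sub line is the one from the mail.
COLONS_LISTING = """\
pub:-:1024:17:D573D5B129AB4CDD:2000-01-01::-:::scESC:
uid:-::::2000-01-01::0000000000000000000000000000000000000000::Test User <test@example.org>:
sub:e:2048:16:D832C22513B4538B:2002-03-27:2006-03-26:::::e:
sub:-:2048:16:0123456789ABCDEF:2006-03-20::::::e:
"""

if __name__ == "__main__":
    print(classify_signature(STATUS_GOOD_WITH_EXPIRED_SIBLING))
    print(classify_signature(STATUS_EXPIRED_SIGNER))
    print(expired_keys(COLONS_LISTING))
    print(key_record_expired(COLONS_LISTING, "C745FA3527B432A691B33935D573D5B129AB4CDD"))
```

A script that treated KEYEXPIRED as "reject" would refuse the first sample even though GOODSIG says the signing subkey is fine; keying on EXPKEYSIG, or looking the signing keyid up in the colon listing, gives the answer the thread recommends.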