[Pkg-gnupg-maint] Bug#489225: gnupg says KEYEXPIRED even when only other subkeys are expired

Werner Koch wk at gnupg.org
Fri Jul 4 11:22:44 UTC 2008


On Fri,  4 Jul 2008 09:35, weasel at debian.org said:

> When verifying a signature by a key that has subkeys, some of which are
> expired, GnuPG always prints KEYEXPIRED to the status-fd.  It does this
> even if not the subkey that signed the message expired.

That is due to the way we generate this status line.  It is a
side-effect of the key/subkey merging-cleanup process.  You should not
use it to check whether a signature was made by an expired key.

The proper way to check for this is the 

    EXPKEYSIG  <long_keyid_or_fpr> <username> 
        The signature with the keyid is good, but the signature was
	made by an expired key. The username is the primary one
	encoded in UTF-8 and %XX escaped.  The fingerprint may be used
	instead of the long keyid if it is available.  This is the
	case with CMS and might eventually also be available for
	OpenPGP.

status.  I am not sure whether KEYEXPIRED is at all useful.  For
example, GPGME does not use it at all.  We can't remove it because it is
better for existing scripts to fail than to claim good for an expired
key.  I'll add a few words to the docs.

If you want to check for expired subkeys, it is better to use

> gpg --status-fd=2 --no-default-keyring --keyring=./debian-keyring.gpg --with-colons --list-key C745FA3527B432A691B33935D573D5B129AB4CDD

this and test

> sub:e:2048:16:D832C22513B4538B:2002-03-27:2006-03-26:::::e:
      ^
      !-- for this.



Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.
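The two checks Werner recommends above, as an added example that is not part of the original message and not GnuPG's own code: the verdict on a verification run is taken from the EXPKEYSIG/GOODSIG status lines (KEYEXPIRED is ignored, since it also appears when only some other subkey has expired), and expired subkeys are found by reading the validity field of `sub:` records in `--with-colons` output. The `sub:e:...` record is the one quoted in the message; the remaining listing lines and the status-fd lines are constructed for the example, and the field positions follow GnuPG's doc/DETAILS.

```python
"""Interpret GnuPG status-fd output and --with-colons listings as the
message recommends: EXPKEYSIG, not KEYEXPIRED, means "signed by an expired
key", and the validity field of 'sub' records tells which subkeys expired.
Example code, not part of GnuPG."""

from typing import Dict, List, Optional

# Constructed sample of `gpg --with-colons --list-key <fpr>` output.
# Only the 'sub:e:...' record is taken from the message; the other records
# are made up for this example.  Field layout (1-based, per doc/DETAILS):
# 1 type, 2 validity, 3 key length, 4 algorithm, 5 key ID, 6 creation date,
# 7 expiration date, ..., 12 key capabilities.
SAMPLE_COLONS = """\
pub:-:1024:17:D573D5B129AB4CDD:1999-03-29::::::scESC:
fpr:::::::::C745FA3527B432A691B33935D573D5B129AB4CDD:
uid:-::::1999-03-29::::Example User <user@example.org>:
sub:e:2048:16:D832C22513B4538B:2002-03-27:2006-03-26:::::e:
sub:-:4096:1:0123456789ABCDEF:2008-01-01:2010-01-01:::::s:
"""

# Constructed status-fd output for two verification runs.  In both, GnuPG
# prints KEYEXPIRED because the 2002 encryption subkey has expired; only the
# *SIG keyword says whether the key that actually signed was expired.
SAMPLE_STATUS_GOOD = """\
[GNUPG:] KEYEXPIRED 1143331200
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>
"""
SAMPLE_STATUS_EXPKEY = """\
[GNUPG:] KEYEXPIRED 1143331200
[GNUPG:] EXPKEYSIG D832C22513B4538B Example User <user@example.org>
"""

STATUS_PREFIX = "[GNUPG:] "


def parse_status_lines(text: str) -> List[List[str]]:
    """Return [keyword, arg, ...] for each '[GNUPG:] ' line; skip the rest."""
    records = []
    for line in text.splitlines():
        if line.startswith(STATUS_PREFIX):
            records.append(line[len(STATUS_PREFIX):].split(" "))
    return records


def signature_verdict(status_text: str) -> str:
    """Classify a verification run from its status lines.

    KEYEXPIRED is deliberately not consulted: it is emitted whenever any
    subkey of the key has expired, regardless of which subkey signed.
    """
    keywords = {rec[0] for rec in parse_status_lines(status_text)}
    if "EXPKEYSIG" in keywords:
        return "good-but-expired-key"
    if "GOODSIG" in keywords:
        return "good"
    if "BADSIG" in keywords:
        return "bad"
    return "unknown"


def signing_keyid(status_text: str) -> Optional[str]:
    """Key ID reported with the GOODSIG/EXPKEYSIG line, if any."""
    for rec in parse_status_lines(status_text):
        if rec[0] in ("GOODSIG", "EXPKEYSIG") and len(rec) > 1:
            return rec[1]
    return None


def _key_records(colons_text: str) -> List[List[str]]:
    """All 'pub' and 'sub' records of a --with-colons listing, split into fields."""
    out = []
    for line in colons_text.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub") and len(fields) >= 12:
            out.append(fields)
    return out


def expired_subkeys(colons_text: str) -> List[Dict[str, str]]:
    """'sub' records whose validity field is 'e' (expired), with key ID,
    expiration date and capabilities."""
    return [
        {"keyid": f[4], "expires": f[6], "caps": f[11]}
        for f in _key_records(colons_text)
        if f[0] == "sub" and f[1] == "e"
    ]


def key_validity(colons_text: str, keyid: str) -> Optional[str]:
    """Validity field of the pub/sub record with the given long key ID."""
    for f in _key_records(colons_text):
        if f[4] == keyid:
            return f[1]
    return None


def signing_key_expired(status_text: str, colons_text: str) -> bool:
    """Cross-check: is the key reported on the *SIG line listed as expired?"""
    kid = signing_keyid(status_text)
    return kid is not None and key_validity(colons_text, kid) == "e"


if __name__ == "__main__":
    print(signature_verdict(SAMPLE_STATUS_GOOD), signature_verdict(SAMPLE_STATUS_EXPKEY))
    print(expired_subkeys(SAMPLE_COLONS))
```

The point of `signature_verdict` is that both constructed runs contain KEYEXPIRED, yet only the second one was signed by the expired subkey; a script keyed on KEYEXPIRED would reject both.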