[Pkg-gnupg-maint] Bug#489225: gnupg says KEYEXPIRED even when only other subkeys are expired

Peter Palfrader weasel at debian.org
Fri Jul 4 12:53:09 UTC 2008


On Fri, 04 Jul 2008, Werner Koch wrote:

> On Fri,  4 Jul 2008 09:35, weasel at debian.org said:
> 
> > When verifying a signature by a key that has subkeys, some of which are
> > expired, GnuPG always prints KEYEXPIRED to the status-fd.  It does this
> > even if not the subkey that signed the message expired.
> 
> That is due to the way we generate this status line.  It is a
> side-effect of the key/subkey merging-cleanup process.  You should not
> use it to check whether a signature was made by an expired key.

Actually, all this code really cares about is that the signature is good
and was made by an OK, not-expired key.

The way it does that currently is reading the status, line by line:
 if GOODSIG, set goodsig=1
 if BADSIG, set goodsig=0
 if ERRSIG, set goodsig=0
 if ...., set goodsig=0
 if SIGEXPIRED set goodsig=0

|The proper way to check for this is the
|
|    EXPKEYSIG  <long_keyid_or_fpr> <username>

When I have a signature made by an expired key, will I get {GOODSIG,EXPKEYSIG},
or {BADSIG,EXPKEYSIG}?

Peter
-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
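A status-fd parser along the lines Peter describes, added here as an example and not code from the bug report or from GnuPG: it takes the verdict only from the per-signature lines, ignores KEYEXPIRED, and fails closed when EXPKEYSIG appears, whether or not a GOODSIG line is emitted alongside it. The sample status lines, key ids and fingerprints are constructed.

```python
"""Decide from GnuPG --status-fd output whether a signature is good and
was made by a non-expired key. Constructed example, not code from the bug
report. Only the per-signature verdict lines decide; KEYEXPIRED is
informational (it fires when *any* subkey has expired) and is ignored."""

STATUS_PREFIX = "[GNUPG:] "
# Explicit negative verdicts. Any of these forces a bad result even if a
# GOODSIG line also shows up for the same signature (fail closed).
FAIL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def parse_status(lines):
    """Yield (keyword, args) for each status line; skip non-status output."""
    for line in lines:
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split(None, 1)
            yield fields[0], (fields[1] if len(fields) > 1 else "")


def check_signature(lines):
    """Return {'ok': bool, 'reason': str, 'fpr': str|None}; assumes one signature."""
    goodsig, fail_reason, fpr = False, None, None
    for keyword, args in parse_status(lines):
        if keyword == "GOODSIG":
            goodsig = True
        elif keyword in FAIL:
            fail_reason = keyword
        elif keyword == "VALIDSIG":
            fpr = args.split()[0]  # first field: fingerprint of the signing (sub)key
    if fail_reason:
        return {"ok": False, "reason": fail_reason, "fpr": fpr}
    if goodsig:
        return {"ok": True, "reason": "GOODSIG", "fpr": fpr}
    return {"ok": False, "reason": "no GOODSIG", "fpr": fpr}


# Constructed status output with fake key ids/fingerprints. Case 1: another
# subkey has expired (KEYEXPIRED appears) but the signing subkey is fine.
SAMPLE_OTHER_SUBKEY_EXPIRED = [
    "[GNUPG:] KEYEXPIRED 1199145600",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Test User <test@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2008-07-04 1215176400 0 4 0 17 2 00",
]
# Case 2: the key that made the signature has itself expired.
SAMPLE_SIGNING_KEY_EXPIRED = [
    "[GNUPG:] KEYEXPIRED 1199145600",
    "[GNUPG:] EXPKEYSIG FEDCBA9876543210 Old User <old@example.org>",
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2008-07-04 1215176400 0 4 0 17 2 00",
]
```

Running `check_signature` on the first sample accepts the signature despite the KEYEXPIRED line; on the second it rejects with reason `EXPKEYSIG`.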