[Pkg-gnupg-maint] Bug#489225: gnupg says KEYEXPIRED even when only other subkeys are expired
Peter Palfrader
weasel at debian.org
Sun Jul 6 07:48:50 UTC 2008
On Fri, 04 Jul 2008, Werner Koch wrote:
> On Fri, 4 Jul 2008 09:35, weasel at debian.org said:
>
> > When verifying a signature by a key that has subkeys, some of which are
> > expired, GnuPG always prints KEYEXPIRED to the status-fd. It does this
> > even if not the subkey that signed the message expired.
>
> That is due to the way we generate this status line. It is a
> side-effect of the key/subkey merging-cleanup process. You should not
> use it to check whether a signature was made by an expired key.
>
> The proper way to check for this is the
>
> EXPKEYSIG <long_keyid_or_fpr> <username>
> The signature with the keyid is good, but the signature was
> made by an expired key. The username is the primary one
> encoded in UTF-8 and %XX escaped. The fingerprint may be used
> instead of the long keyid if it is available. This is the
> case with CMS and might eventually also be available for
> OpenPGP.
>
> status.
Hmm.
This does not catch the case where the subkey is still valid but the
primary has expired:
weasel at intrepid:~/tmp$ gpg --list-key --with-colons
tru::1:1215330207:0:3:1:5
pub:e:1024:17:68F69C09ACE4A4E0:2008-05-31:2008-06-07::u:test1::sc:
sub:e:1024:17:66B1AA47DD9CC0E6:2008-06-01:2008-08-30:::::s:
weasel at intrepid:~/tmp$ gpg --status-fd=2
gpg: Go ahead and type your message ...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
foo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIRG1hZrGqR92cwOYRArENAKDATAUkzfwvzmegg3HyP53ab39c7QCdFidl
nOi5nQKCy8UA70TjNl0JFH0=
=bjZl
-----END PGP SIGNATURE-----
[GNUPG:] PLAINTEXT 74 0
foo
gpg: Signature made Tue Jun 3 00:00:01 2008 CEST using DSA key ID DD9CC0E6
[GNUPG:] KEYEXPIRED 1212876041
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID gQaMctYXXciym0sAPHhbqNnJQr8 2008-06-02 1212444001
[GNUPG:] KEYEXPIRED 1212876041
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] GOODSIG 66B1AA47DD9CC0E6 test1
gpg: Good signature from "test1"
[GNUPG:] KEYEXPIRED 1212876041
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] VALIDSIG 27D8492D06438F127938351066B1AA47DD9CC0E6 2008-06-02 1212444001 0 3 0 17 2 01 739FFD5F2C9790535D15601B68F69C09ACE4A4E0
gpg: Note: This key has expired!
Primary key fingerprint: 739F FD5F 2C97 9053 5D15 601B 68F6 9C09 ACE4 A4E0
Subkey fingerprint: 27D8 492D 0643 8F12 7938 3510 66B1 AA47 DD9C C0E6
--
Peter Palfrader | http://www.palfrader.org/
Debian GNU/Linux: The universal Operating System | http://www.debian.org/
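An added example (my own Python, not code from the bug report or from GnuPG) that consumes --status-fd output the way this thread discusses: it ignores KEYEXPIRED, treats EXPKEYSIG as the expiry signal Werner names, and then cross-checks the primary key's validity in the --with-colons listing to catch the valid-subkey/expired-primary case Peter shows. The status lines and key listing are constructed from those quoted in the message above.

```python
import re
# Constructed from the status-fd lines and --with-colons listing quoted above (abridged).
STATUS_FD = """\
[GNUPG:] KEYEXPIRED 1212876041
[GNUPG:] SIG_ID gQaMctYXXciym0sAPHhbqNnJQr8 2008-06-02 1212444001
[GNUPG:] KEYEXPIRED 1212876041
[GNUPG:] GOODSIG 66B1AA47DD9CC0E6 test1
[GNUPG:] KEYEXPIRED 1212876041
[GNUPG:] VALIDSIG 27D8492D06438F127938351066B1AA47DD9CC0E6 2008-06-02 1212444001 0 3 0 17 2 01 739FFD5F2C9790535D15601B68F69C09ACE4A4E0
"""
COLONS = """\
pub:e:1024:17:68F69C09ACE4A4E0:2008-05-31:2008-06-07::u:test1::sc:
sub:e:1024:17:66B1AA47DD9CC0E6:2008-06-01:2008-08-30:::::s:
"""
def parse_status(text):
    # Collect only the status-fd keywords that matter for a verification verdict.
    st = {"GOODSIG": None, "EXPKEYSIG": None, "VALIDSIG": None, "KEYEXPIRED": 0}
    for line in text.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+)(?: (.*))?", line)
        if not m:
            continue
        kw, args = m.group(1), (m.group(2) or "").split()
        if kw in ("GOODSIG", "EXPKEYSIG"):
            st[kw] = args[0]          # long key id of the signing (sub)key
        elif kw == "VALIDSIG":
            # field 1: signing key fingerprint; field 10 (when present): primary key fingerprint
            st[kw] = {"fpr": args[0], "primary": args[9] if len(args) > 9 else None}
        elif kw == "KEYEXPIRED":
            st[kw] += 1               # counted only; never used for the verdict
    return st
def parse_colons(text):
    # Map long key id -> validity letter ('e' = expired) from --with-colons output.
    keys = {}
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            keys[f[4]] = f[1]
    return keys
def verdict(status_text, colons_text):
    # KEYEXPIRED is deliberately ignored; EXPKEYSIG and the key listing decide.
    st, keys = parse_status(status_text), parse_colons(colons_text)
    if st["EXPKEYSIG"]:
        return "good signature, but signing key expired"
    if not (st["GOODSIG"] and st["VALIDSIG"]):
        return "not verified"
    primary = st["VALIDSIG"]["primary"]
    if primary and keys.get(primary[-16:]) == "e":   # last 16 hex digits = long key id
        return "good signature by valid subkey, but primary key expired"
    return "good signature"
```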