[pkg-gnupg-maint] Bug#1013288: gnupg: Doesn't show uid expiry
Uwe Kleine-König
ukleinek at debian.org
Mon Jun 20 22:37:13 BST 2022
Package: gnupg
Version: 2.2.35-2
Severity: normal
X-Debbugs-Cc: ukleinek at debian.org
Hello,
uwe at taurus:~$ export GNUPGHOME=$(mktemp -d)
uwe at taurus:~$ curl -s https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git/plain/keys/6637D326999B862C.asc | gpg --import
gpg: keybox '/tmp/tmp.S4Xeh1pmja/pubring.kbx' created
gpg: key 6637D326999B862C: 3 signatures not checked due to missing keys
gpg: /tmp/tmp.S4Xeh1pmja/trustdb.gpg: trustdb created
gpg: key 6637D326999B862C: public key "Philipp Zabel <pzabel at gmx.de>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
uwe at taurus:~$ gpg --with-colons --check-sigs 6637D326999B862C
tru::1:1655760525:0:3:1:5
pub:-:4096:1:6637D326999B862C:1402826245:1664799531::-:::scESC::::::23::0:
fpr:::::::::27C6398DC5B132E22A8D2B516637D326999B862C:
uid:-::::1633263532::645CAC3041C5B2B3F7D7169DC0216C1B2ACB8711::Philipp Zabel <pzabel at gmx.de>::::::::::0:
sig:?::1:0BE9E3157A1E2C64:1403019369:::::10x:::::2:
sig:!::1:6637D326999B862C:1633263532::::Philipp Zabel <pzabel at gmx.de>:13x::27C6398DC5B132E22A8D2B516637D326999B862C:::8:
uid:-::::1599034236::834E8111DE69C80CC6C776EEBD2DD3BB50DCD452::Philipp Zabel <p.zabel at pengutronix.de>::::::::::0:
sig:?::1:0BE9E3157A1E2C64:1403019369:::::10x:::::2:
sig:!::1:6637D326999B862C:1599034236::::Philipp Zabel <pzabel at gmx.de>:13x::27C6398DC5B132E22A8D2B516637D326999B862C:::8:
uid:-::::1633263531::46A0A420CBEFD71A9CE3EFCCDC59B187D056C137::Philipp Zabel <philipp.zabel at gmail.com>::::::::::0:
sig:?::1:0BE9E3157A1E2C64:1403019369:::::10x:::::2:
sig:!::1:6637D326999B862C:1633263531::::Philipp Zabel <pzabel at gmx.de>:13x::27C6398DC5B132E22A8D2B516637D326999B862C:::8:
sub:-:4096:1:8FCC408DE8F7F370:1402826245:1664799540:::::e::::::23:
fpr:::::::::40ACEFA243542A5ADBFA706C8FCC408DE8F7F370:
sig:!::1:6637D326999B862C:1633263540::::Philipp Zabel <pzabel at gmx.de>:18x::27C6398DC5B132E22A8D2B516637D326999B862C:::8:
sub:-:4096:1:50C2881C709E60EB:1402828631:1664799540:::::s::::::23:
fpr:::::::::06C071855D4568AC17B8238150C2881C709E60EB:
sig:!::1:6637D326999B862C:1633263540::::Philipp Zabel <pzabel at gmx.de>:18x::27C6398DC5B132E22A8D2B516637D326999B862C:::8:
sub:-:255:22:D585A725183762C0:1526278694:1664799540:::::s:::::ed25519::
fpr:::::::::513BA17A59DA47D51D2F1A26D585A725183762C0:
sig:!::1:6637D326999B862C:1633263540::::Philipp Zabel <pzabel at gmx.de>:18x::27C6398DC5B132E22A8D2B516637D326999B862C:::8:

So the key seems to have three valid uids. However, the pengutronix.de
uid isn't valid any more according to hokey (marked with an arrow):

uwe at taurus:~$ gpg --export 6637D326999B862C | hokey lint
hokey (hopenpgp-tools) 0.23.6
Copyright (C) 2012-2021 Clint Adams
hokey comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions.
Key has potential validity: good
Key has fingerprint: 27C6 398D C5B1 32E2 2A8D 2B51 6637 D326 999B 862C
Checking to see if key is OpenPGPv4: V4
Checking the strength of your primary asymmetric key: RSA 4096
Checking user-ID- and user-attribute-related items:
Philipp Zabel <p.zabel at pengutronix.de>:
Self-sig hash algorithms: [SHA-256]
Preferred hash algorithms: [SHA-512, SHA-384, SHA-256, SHA-224]
--> Key expiration times: [7y2m18d25991s = Thu Sep 2 08:10:36 UTC 2021]
Key usage flags: [[sign-data, certify-keys]]
Philipp Zabel <pzabel at gmx.de>:
Self-sig hash algorithms: [SHA-256]
Preferred hash algorithms: [SHA-512, SHA-384, SHA-256, SHA-224]
Key expiration times: [8y3m18d67886s = Mon Oct 3 12:18:51 UTC 2022]
Key usage flags: [[sign-data, certify-keys]]
Philipp Zabel <philipp.zabel at gmail.com>:
Self-sig hash algorithms: [SHA-256]
Preferred hash algorithms: [SHA-512, SHA-384, SHA-256, SHA-224]
Key expiration times: [8y3m18d67886s = Mon Oct 3 12:18:51 UTC 2022]
Key usage flags: [[sign-data, certify-keys]]
Checking subkeys:
one of the subkeys is encryption-capable: True
fpr: 40AC EFA2 4354 2A5A DBFA 706C 8FCC 408D E8F7 F370
version: v4
timestamp: 20140615-095725
algo/size: RSA 4096
binding sig hash algorithms: [SHA-256]
usage flags: [[encrypt-storage, encrypt-communications]]
embedded cross-cert: False
cross-cert hash algorithms: [SHA-256]
fpr: 06C0 7185 5D45 68AC 17B8 2381 50C2 881C 709E 60EB
version: v4
timestamp: 20140615-103711
algo/size: RSA 4096
binding sig hash algorithms: [SHA-256]
usage flags: [[sign-data]]
embedded cross-cert: True
cross-cert hash algorithms: [SHA-256]
fpr: 513B A17A 59DA 47D5 1D2F 1A26 D585 A725 1837 62C0
version: v4
timestamp: 20180514-061814
algo/size: EdDSA 256
binding sig hash algorithms: [SHA-256]
usage flags: [[sign-data]]
embedded cross-cert: True
cross-cert hash algorithms: [SHA-256]

If I export the key with only the pengutronix uid, then reimport that
cleanly, gpg also notices that there is a problem:

uwe at taurus:~$ gpg --export --export-filter keep-uid="uid =~ @pengutronix.de" 6637D326999B862C > k
uwe at taurus:~$ gpg --delete-keys 6637D326999B862C
gpg (GnuPG) 2.2.35; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/6637D326999B862C 2014-06-15 Philipp Zabel <pzabel at gmx.de>
Delete this key from the keyring? (y/N) y
uwe at taurus:~$ gpg --import k
gpg: key 6637D326999B862C: 1 signature not checked due to a missing key
gpg: key 6637D326999B862C: public key "Philipp Zabel <p.zabel at pengutronix.de>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
uwe at taurus:~$ gpg --with-colons --check-sigs 6637D326999B862C
tru::1:1655760883:0:3:1:5
pub:e:4096:1:6637D326999B862C:1402826245:1630570236::-:::sc::::::23::0:
fpr:::::::::27C6398DC5B132E22A8D2B516637D326999B862C:
uid:e::::1599034236::834E8111DE69C80CC6C776EEBD2DD3BB50DCD452::Philipp Zabel <p.zabel at pengutronix.de>::::::::::0:
sig:?::1:0BE9E3157A1E2C64:1403019369:::::10x:::::2:
sig:!::1:6637D326999B862C:1599034236::::Philipp Zabel <p.zabel at pengutronix.de>:13x::27C6398DC5B132E22A8D2B516637D326999B862C:::8:
sub:e:4096:1:8FCC408DE8F7F370:1402826245:1664799540:::::e::::::23:
fpr:::::::::40ACEFA243542A5ADBFA706C8FCC408DE8F7F370:
sig:!::1:6637D326999B862C:1633263540::::Philipp Zabel <p.zabel at pengutronix.de>:18x::27C6398DC5B132E22A8D2B516637D326999B862C:::8:
sub:e:4096:1:50C2881C709E60EB:1402828631:1664799540:::::s::::::23:
fpr:::::::::06C071855D4568AC17B8238150C2881C709E60EB:
sig:!::1:6637D326999B862C:1633263540::::Philipp Zabel <p.zabel at pengutronix.de>:18x::27C6398DC5B132E22A8D2B516637D326999B862C:::8:
sub:e:255:22:D585A725183762C0:1526278694:1664799540:::::s:::::ed25519::
fpr:::::::::513BA17A59DA47D51D2F1A26D585A725183762C0:
sig:!::1:6637D326999B862C:1633263540::::Philipp Zabel <p.zabel at pengutronix.de>:18x::27C6398DC5B132E22A8D2B516637D326999B862C:::8:

i.e. now the 2nd field of the uid is 'e' for expired.

Am I missing something?

Best regards
Uwe

-- System Information:
Debian Release: bookworm/sid
APT prefers testing-debug
APT policy: (700, 'testing-debug'), (700, 'stable-security'), (700, 'stable-debug'), (700, 'testing'), (700, 'stable'), (600, 'unstable'), (500, 'unstable-debug'), (500, 'oldstable-updates'), (500, 'oldstable-debug'), (500, 'oldoldstable'), (500, 'oldstable'), (499, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.18.0-1-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gnupg depends on:
ii dirmngr 2.2.35-2
ii gnupg-l10n 2.2.35-2
ii gnupg-utils 2.2.35-2
ii gpg 2.2.35-2
ii gpg-agent 2.2.35-2
ii gpg-wks-client 2.2.35-2
ii gpg-wks-server 2.2.35-2
ii gpgsm 2.2.35-2
ii gpgv 2.2.35-2
gnupg recommends no packages.
Versions of packages gnupg suggests:
pn parcimonie <none>
pn xloadimage <none>
-- no debconf information
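
An added example, not part of the original report: a small parser for the `--with-colons` records quoted above. It reads the validity letter (field 2) of each `uid` record and the expiry (field 7) of the `pub` record, then compares the two listings. The function names are made up for this sketch; the sample lines are copied from the report, with the sig, sub and fpr records left out.

```python
from datetime import datetime, timezone

# Records copied from the first listing in the report (all three uids present).
FULL_KEY = """\
pub:-:4096:1:6637D326999B862C:1402826245:1664799531::-:::scESC::::::23::0:
uid:-::::1633263532::645CAC3041C5B2B3F7D7169DC0216C1B2ACB8711::Philipp Zabel <pzabel at gmx.de>::::::::::0:
uid:-::::1599034236::834E8111DE69C80CC6C776EEBD2DD3BB50DCD452::Philipp Zabel <p.zabel at pengutronix.de>::::::::::0:
uid:-::::1633263531::46A0A420CBEFD71A9CE3EFCCDC59B187D056C137::Philipp Zabel <philipp.zabel at gmail.com>::::::::::0:
"""
# Records copied from the second listing (key re-imported with one uid only).
ONE_UID = """\
pub:e:4096:1:6637D326999B862C:1402826245:1630570236::-:::sc::::::23::0:
uid:e::::1599034236::834E8111DE69C80CC6C776EEBD2DD3BB50DCD452::Philipp Zabel <p.zabel at pengutronix.de>::::::::::0:
"""

def utc(ts):
    """Epoch seconds (as printed by gpg) to a UTC string; empty field -> None."""
    return datetime.fromtimestamp(int(ts), timezone.utc).strftime("%Y-%m-%d %H:%M:%S") if ts else None

def parse(listing):
    """Return (pub, uids); uids is keyed by the uid hash in field 8."""
    pub, uids = None, {}
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            pub = {"validity": f[1], "keyid": f[4], "expires": utc(f[6])}
        elif f[0] == "uid":
            # Field 6 is the uid creation date; here it matches the 13x self-sig.
            uids[f[7]] = {"validity": f[1], "created": utc(f[5]), "name": f[9]}
    return pub, uids

def validity_changes(first, second):
    """Map uid name -> (validity in first, validity in second) where they differ."""
    _, a = parse(first)
    _, b = parse(second)
    common = a.keys() & b.keys()
    return {a[h]["name"]: (a[h]["validity"], b[h]["validity"])
            for h in common if a[h]["validity"] != b[h]["validity"]}

if __name__ == "__main__":
    for label, text in (("all uids", FULL_KEY), ("pengutronix uid only", ONE_UID)):
        pub, uids = parse(text)
        print(label, pub)
        for u in uids.values():
            print("   ", u)
    print(validity_changes(FULL_KEY, ONE_UID))
```

The `pub` expiry in the second listing decodes to the same instant hokey prints for the pengutronix.de uid, and the first listing's expiry to the one hokey prints for the other two uids.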