Extending Expiration Date of an Already-Expired GPG Key

Todd Zullinger tmz at pobox.com
Sun Feb 22 17:02:32 UTC 2009


Robert L Cochran wrote:
> Todd Zullinger wrote:
>> The signed message Robert sent earlier in this thread has a bad
>> signature because something (most likely his mail client) word
>> wrapped the message after gpg had signed it.  I saved the message,
>> unwrapped the one long line and verified the signature.
>>
>
> How do I fix this -- I'm using Thunderbird on Fedora 7 on my desktop
> machine. However, I travel a fair amount and when I do, I tar up my
> .thunderbird directory and scp it to my laptop, which is running
> Fedora 10. That lets me download and filter my email with the same
> mail client, although different versions of it.

Hopefully some Thunderbird users can help with that.  I would have
thought that the enigmail plugin would handle things or at least let
you know if you had settings which might cause problems.

>> FWIW, the subkey on Robert's key is still expired.  This makes
>> encrypting to his key difficult.  In gpg, this is managed separately
>> from the primary key.  And again, it's acceptable to extend the
>> expiration date or generate a new encryption subkey.  In this case,
>> generating a new key has fewer downsides, because you don't lose any
>> signatures you have acquired on your key (since those signatures are
>> on the primary key, not the subkey).
>>
>> $ gpg --list-options show-unusable-subkeys --list-sigs C2C60518
>> pub   1024D/C2C60518 2008-01-19 [expires: 2010-02-21]
>> uid                  Robert L. Cochran (Greenbelt) <cochranb at speakeasy.net>
>> sig          31014A12 2008-02-14  [User ID not found]
>> sig 3        C2C60518 2009-02-21  Robert L. Cochran (Greenbelt) <cochranb at speakeasy.net>
>> sig 3        C2C60518 2008-01-19  Robert L. Cochran (Greenbelt) <cochranb at speakeasy.net>
>> sig       X  CA57AD7C 2008-02-03  PGP Global Directory Verification Key
>> sub   2048g/48FE9C94 2008-01-19 [expired: 2009-01-18]
>> sig          C2C60518 2008-01-19  Robert L. Cochran (Greenbelt) <cochranb at speakeasy.net>
>>
>>
> What is an acceptable way to fix this? Is there a way to remove the PGP
> Global Directory signature or update it but still keep the one from
> 31014A12 -- that's the signature of someone working for NASA who met me
> and signed my key.

I wouldn't worry about the PGP Global Directory signatures.  They
don't cause any harm.  I do believe you can remove your key from the
PGP Global Directory and they will then stop adding signatures to your
key.  However, this makes your key a bit less easily found by users of
PGP's products on Windows and Mac, as those products use the Global
Directory as their default keyserver.

What you might wish to fix is your expired subkey.  Otherwise, anyone
trying to encrypt something to you will have problems.  You can extend
the expiration on the subkey similarly to extending it on the main
key.  If you use the command line gpg tool, you could use:

gpg --edit-key C2C60518

And then select your subkey using "key 1" at the prompt.  Then use
"expire" to set a new expiration.

I don't use the GUI tools for gpg management, but it looks like
seahorse in gnome can do this.  It's the "Passwords and Encryption
Keys" item on the Accessories menu.  Opening it showed me my keys.
Double clicking the key I wanted to change brought up the key
properties.  Then on the details tab there was a subkeys item.  I
expanded that, selected my encryption subkey, and clicked the Expire
button.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Talk is cheap because supply exceeds demand.
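
An added example, not part of the original message: a Python check over `gpg --with-colons --list-keys` output that reports the situation described above, a valid primary key whose encryption subkey has expired. The sample records and key IDs are constructed, the function names are hypothetical, and it assumes epoch or ISO "T" timestamps as printed in fixed-list mode.

```python
"""Report expired keys/subkeys from `gpg --with-colons --list-keys` output."""
from datetime import datetime, timezone

# Constructed sample (placeholder key IDs, not real key material), shaped like
# the thread's case: primary key still valid, encryption subkey expired.
SAMPLE = """\
pub:-:1024:17:AAAAAAAAAAAAAAAA:1200700800:1266710400::-:::scESC:
uid:-::::1235174400::0000000000000000000000000000000000000000::Example User <user@example.invalid>:
sub:e:2048:16:BBBBBBBBBBBBBBBB:1200700800:1232236800:::::e:
"""


def parse_ts(field):
    """Field is empty (no expiry), epoch seconds, or ISO 'YYYYMMDDThhmmss'."""
    if not field:
        return None
    if "T" in field:
        return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def key_status(colon_output, now):
    """Return one dict per pub/sub record with its expiry state at time `now`."""
    rows = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        expires = parse_ts(f[6])          # field 7: expiration date
        rows.append({
            "type": f[0],
            "keyid": f[4],                # field 5: long key ID
            "caps": f[11],                # field 12: lowercase = this key's own usage
            "expires": expires,
            "expired": expires is not None and expires <= now,
        })
    return rows


def unusable_for_encryption(rows):
    """True when no unexpired key or subkey carries the encrypt ('e') capability."""
    return not any("e" in r["caps"] and not r["expired"] for r in rows)


if __name__ == "__main__":
    rows = key_status(SAMPLE, datetime.now(timezone.utc))
    for r in rows:
        print(r["type"], r["keyid"], "EXPIRED" if r["expired"] else "ok", r["expires"])
    if unusable_for_encryption(rows):
        print("no usable encryption subkey: extend its expiration or add a new one")
```

To run it against a real keyring, pass the output of `gpg --with-colons --list-keys KEYID` to `key_status` in place of `SAMPLE`.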
