Extending Expiration Date of an Already-Expired GPG Key

Todd Zullinger tmz at pobox.com
Sun Feb 22 16:00:31 UTC 2009


Anne Wilson wrote:
> On Sunday 22 February 2009 08:16:04 Ed Greshko wrote:
>> That info came from the OpenPGP key management gui....
>>
>> [egreshko at misty Jia-Ying]$ gpg --list-sigs cochranb at speakeasy.net
>> pub   1024D/C2C60518 2008-01-19 [expires: 2010-02-21]
>> uid                  Robert L. Cochran (Greenbelt) <cochranb at speakeasy.net>
>> sig          31014A12 2008-02-14  [User ID not found]
>> sig 3        C2C60518 2009-02-21  Robert L. Cochran (Greenbelt)
>> <cochranb at speakeasy.net>
>> sig 3        C2C60518 2008-01-19  Robert L. Cochran (Greenbelt)
>> <cochranb at speakeasy.net>
>> sig       X  CA57AD7C 2008-02-03  [User ID not found]
>
> C2C60518 gives the 2010 expiry date, as it says above.  However,
> CA57AD7C shows on mine as expiring on 18/01/09.  I wonder why that
> is, and whether that is the cause of the problem?

CA57AD7C is the keyid of the PGP Global Directory Verification Key.
It always generates signatures that expire in a few weeks.

> There are some screwy things going on with gpg at the moment.
> Yesterday I opened Robert's message and got a no-key, imported it,
> and all seemed well.  This morning the same message shows 'bad
> signature'.  Something wrong, or something not updated yesterday?  I
> don't know.

The signed message Robert sent earlier in this thread has a bad
signature because something (most likely his mail client) word wrapped
the message after gpg had signed it.  I saved the message, unwrapped
the one long line and verified the signature.

FWIW, the subkey on Robert's key is still expired.  This makes
encrypting to his key difficult.  In gpg, this is managed separately
from the primary key.  And again, it's acceptable to extend the
expiration date or generate a new encryption subkey.  In this case,
generating a new key has fewer downsides, because you don't lose any
signatures you have acquired on your key (since those signatures are
on the primary key, not the subkey).

$ gpg --list-options show-unusable-subkeys --list-sigs C2C60518
pub   1024D/C2C60518 2008-01-19 [expires: 2010-02-21]
uid                  Robert L. Cochran (Greenbelt) <cochranb at speakeasy.net>
sig          31014A12 2008-02-14  [User ID not found]
sig 3        C2C60518 2009-02-21  Robert L. Cochran (Greenbelt) <cochranb at speakeasy.net>
sig 3        C2C60518 2008-01-19  Robert L. Cochran (Greenbelt) <cochranb at speakeasy.net>
sig       X  CA57AD7C 2008-02-03  PGP Global Directory Verification Key
sub   2048g/48FE9C94 2008-01-19 [expired: 2009-01-18]
sig          C2C60518 2008-01-19  Robert L. Cochran (Greenbelt) <cochranb at speakeasy.net>

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The trouble with being punctual is that nobody's there to appreciate it.
    -- Franklin P. Jones
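
Added example, not part of the original message: a shell check for the situation described above, where a primary key is still valid but its only encryption subkey has expired. It reads gpg's machine-readable `--with-colons` listing; the function names, key IDs and timestamps in the sample are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in `gpg --with-colons` format (key IDs and dates are made up).
# Colon fields used: 1=record type, 2=validity, 5=key ID, 12=capabilities.
sample_listing() {
cat <<'EOF'
pub:-:1024:17:1111111111111111:1200700800:1266710400::-:::scSC:
uid:-::::1235174400::0000000000000000000000000000000000000000::Example User <user@example.org>:
sub:e:2048:16:2222222222222222:1200700800:1232236800:::::e:
pub:-:2048:1:3333333333333333:1200700800:::-:::scSC:
sub:-:2048:1:4444444444444444:1200700800::::::e:
EOF
}

# Print "<primary key ID> <expired encryption subkey IDs>" for every primary
# key that is itself usable but has no usable encryption-capable (sub)key.
find_unencryptable_keys() {
    awk -F: '
        function report() {
            if (primary != "" && primary_ok && !usable_enc)
                print primary, (expired_enc != "" ? expired_enc : "none")
        }
        $1 == "pub" {
            report()                              # finish the previous key
            primary     = $5
            primary_ok  = ($2 !~ /^[erdi]$/)      # expired/revoked/disabled/invalid
            usable_enc  = (primary_ok && $12 ~ /e/)  # primary may encrypt itself
            expired_enc = ""
        }
        $1 == "sub" && $12 ~ /e/ {
            if ($2 == "e")
                expired_enc = (expired_enc == "" ? $5 : expired_enc "," $5)
            else if ($2 !~ /^[rdi]$/)
                usable_enc = 1                    # a live encryption subkey exists
        }
        END { report() }
    '
}

# Real input would come from: gpg --list-keys --with-colons
sample_listing | find_unencryptable_keys
```

A key reported here can still be verified against, but senders cannot encrypt to it until its owner extends the subkey's expiration or adds a new encryption subkey.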
