Extending Expiration Date of an Already-Expired GPG Key

Robert L Cochran cochranb at speakeasy.net
Sun Feb 22 18:32:31 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Todd Zullinger wrote:
>
>>> FWIW, the subkey on Robert's key is still expired.  This makes
>>> encrypting to his key difficult.  In gpg, this is managed
>>> separately from the primary key.  And again, it's acceptable to
>>> extend the expiration date or generate a new encryption subkey.
>>> In this case, generating a new key has fewer downsides, because
>>> you don't lose any signatures you have acquired on your key
>>> (since those signatures are on the primary key, not the
>>> subkey).
>>>
>>> $ gpg --list-options show-unusable-subkeys --list-sigs C2C60518
>>> pub   1024D/C2C60518 2008-01-19 [expires: 2010-02-21]
>>> uid                  Robert L. Cochran (Greenbelt) <cochranb at speakeasy.net>
>>> sig          31014A12 2008-02-14  [User ID not found]
>>> sig 3        C2C60518 2009-02-21  Robert L. Cochran (Greenbelt) <cochranb at speakeasy.net>
>>> sig 3        C2C60518 2008-01-19  Robert L. Cochran (Greenbelt) <cochranb at speakeasy.net>
>>> sig       X  CA57AD7C 2008-02-03  PGP Global Directory Verification Key
>>> sub   2048g/48FE9C94 2008-01-19 [expired: 2009-01-18]
>>> sig          C2C60518 2008-01-19  Robert L. Cochran (Greenbelt) <cochranb at speakeasy.net>
>>>
>>>
>> What is an acceptable way to fix this? Is there a way to remove
>> the PGP Global Directory signature or update it but still keep
>> the one from 31014A12 -- that's the signature of someone working
>> for NASA who met me and signed my key.
>
> I wouldn't worry about the PGP Global Directory signatures.  They
> don't cause any harm.  I do believe you can remove your key from
> the PGP Global Directory and they will then stop adding signatures
> to your key.  However, this makes your key a bit less easily found
> by users of PGP's products on Windows and Mac, as those products
> use the Global Directory as their default keyserver.
>
> What you might wish to fix is your expired subkey.  Otherwise,
> anyone trying to encrypt something to you will have problems.  You
> can extend the expiration on the subkey similarly to extending it
> on the main key.  If you use the command line gpg tool, you could
> use:
>
> gpg --edit-key C2C60518
>
> And then select your subkey using "key 1" at the prompt.  Then use
> "expire" to set a new expiration.
>
> I don't use the GUI tools for gpg management, but it looks like
> seahorse in gnome can do this.  It's the "Passwords and Encryption
> Keys" item on the Accessories menu.  Opening it showed me my keys.
> Double clicking the key I wanted to change brought up the key
> properties.  Then on the details tab there was a subkeys item.  I
> expanded that, selected my encryption subkey, and clicked the
> Expire button.

Okay, I signed the subkey. I didn't "see" that or understand it was
having a detrimental effect until you pointed it out to me. I've sent
the updated key to subkeys.pgp.net and signed this email with it. If
there are other key servers I should send this to, let me know.

Thanks

Bob

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFJoZo+6lKCpcLGBRgRAt2lAJwOkjszVn7LSDGGR9DrLDZVDiUU4wCglvKz
KNkk7uSPg66lyiZ1YvWXdG8=
=TyL6
-----END PGP SIGNATURE-----



