Certificate Expiry computed differently from GnuPG
Consider the following key:
$ sq packet dump primary-expired.pgp
Public-Key Packet, new CTB, 51 bytes
Version: 4
Creation time: 2020-09-18 11:42:14 UTC
Pk algo: EdDSA Edwards-curve Digital Signature Algorithm
Pk size: 256 bits
Fingerprint: 7FA0 72DA 0EAC F6C0 A44B 167B 90BF E27A 23A2 650E
KeyID: 90BF E27A 23A2 650E
Signature Packet, new CTB, 135 bytes
Version: 4
Type: DirectKey
Pk algo: EdDSA Edwards-curve Digital Signature Algorithm
Hash algo: SHA512
Hashed area:
Signature creation time: 2020-09-18 11:42:14 UTC (critical)
Key expiration time: PT1S (critical)
Symmetric algo preferences: AES256
Hash preferences: SHA512
Key flags: CS (critical)
Features: MDC
Unhashed area:
Issuer: 90BF E27A 23A2 650E
Issuer Fingerprint: 7FA0 72DA 0EAC F6C0 A44B 167B 90BF E27A 23A2 650E
Digest prefix: 3558
Level: 0 (signature over data)
User ID Packet, new CTB, 45 bytes
Value: Primary Expired <primary-expired@example.org>
Signature Packet, new CTB, 138 bytes
Version: 4
Type: PositiveCertification
Pk algo: EdDSA Edwards-curve Digital Signature Algorithm
Hash algo: SHA512
Hashed area:
Signature creation time: 2020-09-18 11:42:14 UTC (critical)
Key expiration time: P1092D (critical)
Symmetric algo preferences: AES256
Hash preferences: SHA512
Primary User ID: true (critical)
Key flags: CS (critical)
Features: MDC
Unhashed area:
Issuer: 90BF E27A 23A2 650E
Issuer Fingerprint: 7FA0 72DA 0EAC F6C0 A44B 167B 90BF E27A 23A2 650E
Digest prefix: D21F
Level: 0 (signature over data)
Public-Subkey Packet, new CTB, 56 bytes
Version: 4
Creation time: 2020-09-18 11:42:14 UTC
Pk algo: ECDH public key algorithm
Pk size: 256 bits
Fingerprint: 59F4 3246 1E0D 1464 73B1 696A 06B9 4175 B79A DC56
KeyID: 06B9 4175 B79A DC56
Signature Packet, new CTB, 129 bytes
Version: 4
Type: SubkeyBinding
Pk algo: EdDSA Edwards-curve Digital Signature Algorithm
Hash algo: SHA512
Hashed area:
Signature creation time: 2020-09-18 11:42:14 UTC (critical)
Key expiration time: P1092D (critical)
Key flags: EtEr (critical)
Features: MDC
Unhashed area:
Issuer: 90BF E27A 23A2 650E
Issuer Fingerprint: 7FA0 72DA 0EAC F6C0 A44B 167B 90BF E27A 23A2 650E
Digest prefix: FED5
Level: 0 (signature over data)
The direct key signature says it expires in a minute, but the user id self-sigs say in 3 years.
sq inspect says:
$ sq inspect primary-expired.pgp
../../rnp-unhashed-subpackets/primary-expired.pgp: OpenPGP Certificate.
Fingerprint: 7FA0 72DA 0EAC F6C0 A44B 167B 90BF E27A 23A2 650E
Public-key algo: EdDSA Edwards-curve Digital Signature Algorithm
Public-key size: 256 bits
Creation time: 2020-09-18 11:42:14 UTC
Expiration time: 2023-09-15 11:42:14 UTC (creation time + P1092D)
Key flags: certification, signing
Subkey: 59F4 3246 1E0D 1464 73B1 696A 06B9 4175 B79A DC56
Public-key algo: ECDH public key algorithm
Public-key size: 256 bits
Creation time: 2020-09-18 11:42:14 UTC
Expiration time: 2023-09-15 11:42:14 UTC (creation time + P1092D)
Key flags: transport encryption, data-at-rest encryption
UserID: Primary Expired <primary-expired@example.org>
That is, sq takes the primary key's expiration from the primary user ID's self-signature rather than from the direct key signature.
gpg, however, considers the key to be expired:
$ gpg --import primary-expired.pgp
gpg: key 0x90BFE27A23A2650E: public key "Primary Expired <primary-expired@example.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
$ gpg -k primary-expired
pub ed25519/0x90BFE27A23A2650E 2020-09-18 [SC] [expired: 2020-09-18]
Key fingerprint = 7FA0 72DA 0EAC F6C0 A44B 167B 90BF E27A 23A2 650E
uid [ expired] Primary Expired <primary-expired@example.org>
$ echo | gpg -a -e -r 0x90BFE27A23A2650E
gpg: 0x90BFE27A23A2650E: skipped: Unusable public key
gpg: [stdin]: encryption failed: Unusable public key
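To make the two readings of this certificate concrete, here is an added example (not sq's or GnuPG's own code) that models the packets from the dump above as constructed data and computes the primary key's expiry under both policies: "primary user ID self-sig decides" (what sq inspect reports) and "direct key signature wins" (the behaviour gpg shows on this key; the function models that observed result, not GnuPG's actual implementation).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed model of the self-signatures shown in the `sq packet dump` output.
CREATION = datetime(2020, 9, 18, 11, 42, 14, tzinfo=timezone.utc)
CERT = {
    # (signature type, signature creation time, Key expiration subpacket)
    "direct_key_sigs": [("DirectKey", CREATION, "PT1S")],
    "userids": [
        {"value": "Primary Expired <primary-expired@example.org>",
         # (type, created, Key expiration subpacket, Primary User ID flag)
         "sigs": [("PositiveCertification", CREATION, "P1092D", True)]},
    ],
}

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(text):
    """Turn the ISO-8601-style duration sq prints (P1092D, PT1S) into a timedelta."""
    m = _DURATION.match(text)
    if not m:
        raise ValueError(f"unsupported duration: {text}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def expiry_from_primary_userid(cert, creation):
    """Policy sq inspect shows: the primary user ID's self-signature decides."""
    for uid in cert["userids"]:
        for (_sigtype, _created, key_exp, primary) in uid["sigs"]:
            if primary and key_exp is not None:
                return creation + parse_duration(key_exp)
    return None

def expiry_direct_key_first(cert, creation):
    """Policy matching the gpg result on this key: a direct key signature's
    Key expiration subpacket takes precedence over the user ID self-sigs.
    Assumption: this reproduces the observed behaviour, not GnuPG's code."""
    for (_sigtype, _created, key_exp) in cert["direct_key_sigs"]:
        if key_exp is not None:
            return creation + parse_duration(key_exp)
    return expiry_from_primary_userid(cert, creation)

def is_expired(expiry, now):
    """A key with no expiration subpacket never expires."""
    return expiry is not None and now >= expiry
```

With the PT1S direct key signature the second policy expires the key one second after creation, which is why gpg refuses to encrypt to it while sq reports 2023-09-15.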
This needs investigation.
Attachment: primary-expired.pgp
Edited by Neal H. Walfield