setting expiration date changes primary UID (was: Re: GnuPG race causes misordered uids?)

David Shaw dshaw at
Tue May 27 19:11:02 CEST 2003


On Tue, May 27, 2003 at 10:29:35AM +0200, Marcus Brinkmann wrote:
> On Tue, May 27, 2003 at 09:30:19AM +0200, Werner Koch wrote:
> > On Tue, 27 May 2003 06:29:39 +0200, Marcus Brinkmann said:
> > 
> > > key.  This reveals a completely unrelated bug in GPG.  Setting the
> > > expiration date of a key changes the primary UID!
> > 
> > It's a feature not a bug.  The primary UID is the one with the primary
> > uid flag set or in absence of this flag the UID with the newest
> > self-signature.  Changing the expiration time creates a new
> > self-signature using the current time.
> So what happens, supposedly, is that the currently primary UID gets its self
> signature first, and then the others.  As it happens, a new second begins
> between that and one of the secondary UIDs becomes primary UID then because
> they have newer self-signatures.  Wonderful :)

I agree this isn't a bug, but at the same time I think that we should
change the behavior when setting an expiration date.  While it is true
that if a user wants a particular uid to be primary, they should use
the primary uid flag, if they don't use such a flag, then we should at
least maintain the status quo when manipulating the key.

As things are now, the selection of primary user ID in a key without
the primary uid flag set is nondeterministic when the user changes the
expiration date.  It violates the principle of least surprise.

I think it would be reasonable to ensure that the earliest user ID
before the "expire" command is still the earliest after the command.

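An added illustration (not code from this thread or from GnuPG) of the selection rule Werner describes and the second-boundary race Marcus observed, plus a single-timestamp variant of David's "maintain the status quo" suggestion; the key-order tie-break, the integer clock and that variant are assumptions of the model:

```python
# Model of the primary-UID rule from the thread: the primary-uid flag wins,
# otherwise the newest self-signature.  Added illustration, not GnuPG code.
# Assumptions: on equal timestamps the uid listed first in the key wins, and
# timestamps are plain integers (Unix seconds).
from dataclasses import dataclass


@dataclass(frozen=True)
class UserId:
    name: str
    selfsig_time: int          # creation time of the newest self-signature
    primary_flag: bool = False


def primary_uid(uids):
    """Return the name of the uid the model treats as primary."""
    for u in uids:
        if u.primary_flag:     # explicit flag always wins
            return u.name
    # max() keeps the first of several equal maxima: the assumed key-order tie-break
    return max(uids, key=lambda u: u.selfsig_time).name


def set_expiration(uids, clock):
    """Re-sign every uid in key order, reading the clock once per signature.
    If a second boundary passes mid-command, a later uid ends up with a
    strictly newer self-signature and takes over as primary."""
    return [UserId(u.name, next(clock), u.primary_flag) for u in uids]


def set_expiration_single_timestamp(uids, now):
    """Candidate (assumed) fix in the spirit of David's suggestion: stamp every
    new self-signature with one timestamp captured once, so a clock tick
    during the command cannot reorder the uids."""
    return [UserId(u.name, now, u.primary_flag) for u in uids]


def primary_preserved(before, after):
    """The property David asks for: the primary uid survives the command."""
    return primary_uid(before) == primary_uid(after)


# Constructed key: 'alice@work' is primary only because its self-sig is newest.
KEY = [UserId("alice@work", 1000), UserId("alice@home", 990), UserId("alice@old", 980)]

# A clock that ticks over a second boundary right after the first signature.
racy_after = set_expiration(KEY, iter([2000, 2001, 2001]))
safe_after = set_expiration_single_timestamp(KEY, 2000)
# With the primary-uid flag set, timing no longer matters at all.
flagged_key = [UserId("alice@work", 1000, True)] + KEY[1:]
flagged_after = set_expiration(flagged_key, iter([2000, 2001, 2001]))
```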

