gpgsm: Cannot decrypt with expired certificate for CRL
Jens Lechtenboerger
lechten at wi.uni-muenster.de
Mon Mar 25 10:42:52 CET 2019
Hi there,
I’m using gpgsm (GnuPG) 2.2.13. For some reason, a CRL obtained by
dirmngr is signed with an expired certificate. This prevents me
from using my certificate. Here is what happens when I try to decrypt:

$ gpgsm -d mail.p7m
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate #1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: checking the CRL failed: Certificate expired
gpgsm: can't sign using '5E:A8:6C:19:99:8E:43:CC:CF:BB:1C:0E:35:07:FF:F6:F2:BA:3C:26': Certificate expired
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate #1C7CAD9DED77429D3CA98D1D/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: checking the CRL failed: Certificate expired
gpgsm: Note: won't be able to encrypt to '5E:A8:6C:19:99:8E:43:CC:CF:BB:1C:0E:35:07:FF:F6:F2:BA:3C:26': Certificate expired

Yes, CRLs should not be signed with expired certificates. However,
is the fact that gpgsm prevents me from using my certificate a bug
or a feature?
As a workaround I now have disable-crl-checks in my gpgsm.conf.
Should I file a bug report?
Best wishes
Jens