gpgsm: Cannot decrypt with expired certificate for CRL

Jens Lechtenboerger lechten at
Mon Mar 25 14:30:23 CET 2019

On 2019-03-25, Jens Lechtenboerger wrote:

> Hi there,
> I’m using gpgsm (GnuPG) 2.2.13.  For some reason, a CRL obtained by
> dirmngr is signed with an expired certificate.

I need to correct myself after feedback from our Certificate
Authority: The CRL was not signed with an expired certificate but
with a valid certificate that happens to share the keygrip (Subject
Key Identifier) with an expired one.  The lookup by dirmngr lead to
the expired certificate, while also a valid certificate exists.

> [...]
> Yes, CRLs should not be signed with expired certificates.  However,
> is the fact that gpgsm prevents me from using my certificate a bug
> or a feature?
> As workaround I now have disable-crl-checks in my gpgsm.conf.
> Should I file a bug report?

Best wishes

More information about the Gnupg-devel mailing list