gpgsm: Cannot decrypt with expired certificate for CRL
Jens Lechtenboerger
lechten at wi.uni-muenster.de
Mon Mar 25 14:30:23 CET 2019
On 2019-03-25, Jens Lechtenboerger wrote:
> Hi there,
>
> I’m using gpgsm (GnuPG) 2.2.13. For some reason, a CRL obtained by
> dirmngr is signed with an expired certificate.
I need to correct myself after feedback from our Certificate
Authority: The CRL was not signed with an expired certificate but
with a valid certificate that happens to share the keygrip (Subject
Key Identifier) with an expired one. The lookup by dirmngr led to
the expired certificate, while a valid certificate also exists.
> [...]
> Yes, CRLs should not be signed with expired certificates. However,
> is the fact that gpgsm prevents me from using my certificate a bug
> or a feature?
>
> As workaround I now have disable-crl-checks in my gpgsm.conf.
>
> Should I file a bug report?
Best wishes
Jens