gpgsm: Cannot decrypt with expired certificate for CRL

Rainer Perske rainer.perske at
Mon Mar 25 16:41:01 CET 2019

Hello, everyone,

the problem reported by Jens Lechtenboerger is solved:

In this special case my patch that was added to GnuPG 2.2.2, see 
<>, did not help because his keyring 
contained only the old, revoked certificate and not the new, unrevoked 
one. So my patch could not select the newer certificate.

The specific problem with multiple CA certificates with the same key in 
the "old" DFN PKI "Global" hierarchy will disappear on July 9th 23:59 
UTC because then the root certificate expires.

The general problem that GnuPG has problems handling multiple 
certificates with the same key persists (see T1644), but fixing this 
would require a major effort for a quite rare edge case.

Best greetings
Rainer Perske
Systems Operations department and head of the Certification Authority (WWUCA)
Zentrum für Informationsverarbeitung (university computing centre)

Westfälische Wilhelms-Universität
Zentrum für Informationsverarbeitung
Rainer Perske
Röntgenstraße 7-13
48149 Münster

Tel.: +49 251 83-31582
Fax.: +49 251 83-31555
E-Mail: rainer.perske at
Office: Room 006, Röntgenstraße 11

Certification Authority of the University of Münster (WWUCA):
Tel.: +49 251 83-31590
Fax.: +49 251 83-31555
E-Mail: ca at

Zentrum für Informationsverarbeitung (ZIV):
Tel.: +49 251 83-31600 (Mon-Fri 7:30-17:30)
Fax.: +49 251 83-31555
E-Mail: ziv at