gpgsm: Cannot decrypt with expired certificate for CRL

Andre Heinecke aheinecke at
Tue Mar 26 07:52:02 CET 2019


On Monday 25 March 2019 10:42:52 CET Jens Lechtenboerger wrote:
> Yes, CRLs should not be signed with expired certificates.  However,
> is the fact that gpgsm prevents me from using my certificate a bug
> or a feature?

For decrypt I would say: It's a bug. You should always be able to decrypt 
something for which you have the secret key IMO.

> As workaround I now have disable-crl-checks in my gpgsm.conf.
> Should I file a bug report?

Yes please. Ideally with an example certificate chain + test cert attached :-)


-- - a brand of g10 Code, the GnuPG experts.

g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
GF Werner Koch, USt-Id DE215605608,

GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf.  VR 11482 Düsseldorf
Vorstand: W.Koch, M.Gollowitzer, A.Heinecke.    Mail: board at
Finanzamt D-Altstadt, St-Nr: 103/5923/1779.   Tel: +49-2104-4938799
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL: <>

More information about the Gnupg-devel mailing list