gpgsm: Cannot decrypt with expired certificate for CRL

Jens Lechtenboerger lechten at
Tue Mar 26 12:57:52 CET 2019

On 2019-03-26, Andre Heinecke wrote:

> On Monday 25 March 2019 10:42:52 CET Jens Lechtenboerger wrote:
>> Yes, CRLs should not be signed with expired certificates.  However,
>> is the fact that gpgsm prevents me from using my certificate a bug
>> or a feature?
> For decrypt I would say: It's a bug. You should always be able to decrypt
> something for which you have the secret key IMO.
>> As a workaround I now have disable-crl-checks in my gpgsm.conf.
>> Should I file a bug report?
> Yes please. Ideally with an example certificate chain + test cert attached :-)

For the record: Deleting the expired CA certificate from my keyring
is another workaround.

I filed a bug:

Creating an example for this seems complicated: A CA with two
certificates using the same key, one expired, one valid.  Then, a
CSR signed by that CA.  Then, a certificate signed by the CA, with
private key for decryption attempt.  I do not want to provide my
private key ;)

Best wishes
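
The certificate layout described in the message above can be built with throwaway keys. This sketch is an added example, not part of the original post or of GnuPG: it uses OpenSSL, all names, dates and paths are constructed, and it covers only the certificates (no CRL, no gpgsm import). It assumes a scratch path without spaces.

```shell
#!/bin/sh
# Constructed fixture: every name, date and path here is invented for the demo.
build_chain() {   # $1 = scratch directory (path without spaces)
    d=$1; mkdir -p "$d/newcerts"; : > "$d/index.txt"; echo 01 > "$d/serial"
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca ]
default_ca = testca
[ testca ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
default_md = sha256
policy = pol
unique_subject = no
[ pol ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_user ]
basicConstraints = CA:FALSE
keyUsage = keyEncipherment
authorityKeyIdentifier = keyid
EOF
    ca="openssl ca -batch -notext -config $d/ca.cnf -keyfile $d/ca.key"
    openssl genrsa -out "$d/ca.key" 2048 &&
    openssl genrsa -out "$d/user.key" 2048 &&
    openssl req -new -config "$d/ca.cnf" -key "$d/ca.key" -subj "/CN=Demo CA" -out "$d/ca.csr" &&
    openssl req -new -config "$d/ca.cnf" -key "$d/user.key" -subj "/CN=Demo User" -out "$d/user.csr" &&
    # Two self-signed CA certificates over the same key: one expired, one valid.
    $ca -selfsign -extensions v3_ca -in "$d/ca.csr" -out "$d/ca-expired.pem" \
        -startdate 20170101000000Z -enddate 20180101000000Z &&
    $ca -selfsign -extensions v3_ca -in "$d/ca.csr" -out "$d/ca-valid.pem" -days 3650 &&
    # End-entity certificate issued under the valid CA certificate.
    $ca -cert "$d/ca-valid.pem" -extensions v3_user -in "$d/user.csr" \
        -out "$d/user.pem" -days 365
}
# Exit status 0 only if certificate $2 verifies today against CA file $1.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Build the fixture once in a fresh temporary directory.
dir=$(mktemp -d) && build_chain "$dir" >/dev/null 2>&1
```

Because `user.key` is generated only for this fixture, it can be attached to a bug report without exposing a real private key.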
