gpgsm: Cannot decrypt with expired certificate for CRL
Jens Lechtenboerger
lechten at wi.uni-muenster.de
Tue Mar 26 12:57:52 CET 2019
On 2019-03-26, Andre Heinecke wrote:
> On Monday 25 March 2019 10:42:52 CET Jens Lechtenboerger wrote:
>> Yes, CRLs should not be signed with expired certificates. However,
>> is the fact that gpgsm prevents me from using my certificate a bug
>> or a feature?
>
> For decrypt I would say: It's a bug. You should always be able to decrypt
> something for which you have the secret key IMO.
>
>> As workaround I now have disable-crl-checks in my gpgsm.conf.
>>
>> Should I file a bug report?
>
> Yes please. Ideally with an example certificate chain + test cert attached :-)

For the record: Deleting the expired CA certificate from my keyring
is another workaround.

I filed a bug: https://dev.gnupg.org/T4431

Creating an example for this seems complicated: A CA with two
certificates using the same key, one expired, one valid. Then, a
CSR signed by that CA. Then, a certificate signed by the CA, with
private key for decryption attempt. I do not want to provide my
private key ;)

Best wishes
Jens
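
The certificate layout described in the message above can be built with openssl and throwaway keys, so no real private key has to be shared. This is an added example, not part of the original post or of GnuPG; all file names, subject names and dates are constructed, and whether the result triggers the behaviour in T4431 is an assumption.

```shell
#!/bin/sh
# Constructed fixture: all names, dates and paths are made up for testing.
ca_sign() { openssl ca -batch -notext -config "$d/ca.cnf" -keyfile "$d/ca.key" "$@" 2>/dev/null; }
build_chain() {
    d=$1
    mkdir -p "$d/newcerts" && : > "$d/index.txt" && echo 01 > "$d/serial" || return 1
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
default_md = sha256
policy = pol
unique_subject = no
[ pol ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ v3_user ]
basicConstraints = CA:FALSE
keyUsage = keyEncipherment
EOF
    # One CA key and one CSR; both CA certificates are issued from them.
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null || return 1
    openssl req -new -config "$d/ca.cnf" -key "$d/ca.key" -subj "/CN=Test CA" -out "$d/ca.csr" || return 1
    # Expired CA certificate: validity window lies entirely in the past (YYMMDDHHMMSSZ).
    ca_sign -selfsign -extensions v3_ca -startdate 150101000000Z -enddate 160101000000Z -in "$d/ca.csr" -out "$d/ca-expired.pem" || return 1
    # Valid CA certificate over the same key and subject.
    ca_sign -selfsign -extensions v3_ca -days 3650 -in "$d/ca.csr" -out "$d/ca-valid.pem" || return 1
    # End-entity key and CSR, certified by the valid CA certificate.
    openssl genrsa -out "$d/user.key" 2048 2>/dev/null || return 1
    openssl req -new -config "$d/ca.cnf" -key "$d/user.key" -subj "/CN=Test User" -out "$d/user.csr" || return 1
    ca_sign -cert "$d/ca-valid.pem" -extensions v3_user -days 365 -in "$d/user.csr" -out "$d/user.pem"
}
# Succeeds only if both CA certs carry the same key, one is expired, and the user cert verifies.
check_chain() {
    d=$1
    [ "$(openssl x509 -in "$d/ca-expired.pem" -noout -pubkey)" = "$(openssl x509 -in "$d/ca-valid.pem" -noout -pubkey)" ] || return 1
    openssl x509 -in "$d/ca-expired.pem" -noout -checkend 0 >/dev/null && return 1
    openssl x509 -in "$d/ca-valid.pem" -noout -checkend 0 >/dev/null || return 1
    openssl verify -CAfile "$d/ca-valid.pem" "$d/user.pem" >/dev/null 2>&1
}
```

Run `build_chain "$(mktemp -d)"` and then `check_chain` on the same directory. To try decryption, the user key and certificate still have to be bundled as PKCS#12 and imported with `gpgsm --import` together with both CA certificates.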