gpgsm: Cannot decrypt with expired certificate for CRL

Jens Lechtenboerger lechten at
Tue Mar 26 13:43:47 CET 2019

On 2019-03-26, Jens Lechtenboerger wrote:

> On 2019-03-26, Andre Heinecke wrote:
>> On Monday 25 March 2019 10:42:52 CET Jens Lechtenboerger wrote:
>>> Yes, CRLs should not be signed with expired certificates.  However,
>>> is the fact that gpgsm prevents me from using my certificate a bug
>>> or a feature?
>> For decrypt I would say: It's a bug. You should always be able to decrypt
>> something for which you have the secret key IMO.
>>> As workaround I now have disable-crl-checks in my gpgsm.conf.
>>> Should I file a bug report?
>> Yes please. Ideally with an example certificate chain + test cert attached :-)
> For the record: Deleting the expired CA certificate from my keyring
> is another workaround.

That was too fast.  The presence or absence of the expired
certificate in my keyring does not matter.  The check by dirmngr
fails regardless.

Along the way I also executed this:
$ gpgsm -k --with-validation

This populated ~/.gnupg/crls.d/ with CRLs, which I did not realize.
I guessed that removing the expired certificate solved the problem,
while really those cached CRLs were used.  With those present, the
expired certificate can be on the keyring as well.

Best wishes

More information about the Gnupg-devel mailing list