gpg 1.0.5: unusable secret key

David Champion dgc@uchicago.edu
Thu Jun 14 16:02:02 2001


On 2001.06.14, in <87hexjchoj.fsf@alberti.gnupg.de>,
	"Werner Koch" <wk@gnupg.org> wrote:

>
> dc> don't sign that message with my old key. Can I force gpg to sign a
> dc> message using an expired key, or do I need to use an older version?
>
> An expired key is an expired key is an expired ...
>
> You can use an expired key for decrupting a message but you won't be
> able to sign something (if there are no more bugs). So the workaround
This is strange. I know it's expired, and I don't want to continue using it -- but it's all I have to validate new key information electronically. Are you saying that I should simply step back to the beginning, with no credentials, because gpg previously allowed me to think that my key was still valid, and because the situation involves some slight ambiguity about whether the key still belongs to me? I agree that gpg should not use such a key per default, but it seems that a force option is very useful here. Would you consider implementing it, or no?
> is to set the wall clock of your box back before the expiration time
> (bad idea) or change it in the source: It should be easy to find in
> g10/getkey.c, function finsih_lookup(). At two places there are tests
> on the expire time which will to a "continue" for expired keys - just
> comment the 2 continues out and print a warning.
If I have to recompile, I might as well use an old (buggy?) version for this step. I just think it's a bit silly to need two separate builds of the program in order to make a key transition under these circumstances. -- -D. dgc@uchicago.edu NSIT University of Chicago