Expired keys

David Shaw dshaw at jabberwocky.com
Tue Nov 11 23:00:56 CET 2003


On Sat, Nov 01, 2003 at 09:03:28PM +0000, Neil Williams wrote:
> A colleague has just changed the expiry date of his key to extend from 31/10/3 
> to never.  (keyid 0x8f455606)
> 
> --check-sigs now displays:
> sig!3     X 28BCB3E3 2003-02-03   Neil Williams (CodeHelp) 
> 
> If I try to re-sign the key I get:
> Command> sign
> "<name>" was already signed by key 28BCB3E3
> Nothing to sign with key 28BCB3E3
> 
> The key still shows as fully trusted.
> 
> This is understandable, on reflection, but a little surprising initially.
> 
> It leaves me pondering - the signature has expired (the X in the
> check-sigs output)

Yes.

> but because the key that was signed has been changed, the validity
> of the signature is preserved because it's still the same key.

No.

While the key may still be valid, the expired signature is not the
reason.  An expired signature is not counted in the web of trust.
Check if there is another signature on the key in question that is
giving it some validity.  Check also if your trustdb is out of date.
GnuPG tries to rebuild the trustdb as needed, but if you have
no-auto-check-trustdb set, then it cannot do so.

> Is this the expected behaviour? Is there any need / method for updating the 
> signatures to reflect the new expiry of the main key?

Sure, just try and sign it again.  You should get a:

  Your current signature on "(whoever)" has expired.
  Do you want to issue a new signature to replace the expired one? (y/N) 

David
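
The check suggested above (is another, non-expired signature on the key giving it validity?), as an added example that is not part of the original message. It assumes the `--check-sigs` column layout seen in the one line quoted in the thread; the second and third sample lines, including their key IDs and names, are constructed.

```python
import re
from typing import List, NamedTuple

# Line 1 is the one quoted in the thread; lines 2 and 3 are constructed.
SAMPLE = """\
sig!3     X 28BCB3E3 2003-02-03   Neil Williams (CodeHelp)
sig!2       0A1B2C3D 2003-06-15   Example Signer (constructed)
sig-        0BADC0DE 2003-07-01   Unverified Signer (constructed)
"""

class Cert(NamedTuple):
    result: str  # '!' as in the thread's "sig!"; anything else is treated as not verified
    flags: str   # flag letters between "sig!N" and the key ID; only 'X' is interpreted
    keyid: str
    date: str
    name: str

# Assumed layout: sig<result><level> <flags> <keyid> <yyyy-mm-dd> <name>
LINE = re.compile(
    r"^sig(?P<result>\S)(?P<level>[0-9 ])?\s*(?P<flags>[A-Z ]*?)\s*"
    r"(?P<keyid>[0-9A-F]{16}|[0-9A-F]{8})\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<name>.*)$"
)

def parse(listing: str) -> List[Cert]:
    """Turn the sig lines of a --check-sigs listing into Cert records."""
    certs = []
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:
            certs.append(Cert(m["result"], m["flags"].strip(), m["keyid"],
                              m["date"], m["name"].strip()))
    return certs

def expired(certs: List[Cert]) -> List[Cert]:
    """Signatures carrying the X (expired) flag."""
    return [c for c in certs if "X" in c.flags]

def counted(certs: List[Cert]) -> List[Cert]:
    """Signatures that checked out ('!') and are not expired. Whether they
    actually make the key valid still depends on the signers' ownertrust."""
    return [c for c in certs if c.result == "!" and "X" not in c.flags]

if __name__ == "__main__":
    certs = parse(SAMPLE)
    print("expired:", [c.keyid for c in expired(certs)])
    print("may still count:", [c.keyid for c in counted(certs)])
```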


More information about the Gnupg-users mailing list