Changing the expiration date after the key has expired

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jun 2 18:40:59 CEST 2009


On 06/02/2009 10:14 AM, Vincent Panel wrote:
> I just wondered if it was possible to postpone the expiration date
> after it has been set and/or after the deadline has been reached.

yes, this is possible.  Assming you're talking about 56B55C11, it looks
like you've successfully done so.

> I've tried to export the result and put it on the mit keyserver but it
> failed. According to the message I've read, it was because my userids
> wer signed by two keys (which is more or less wrong : I've checked and
> they are signed twice by the same key, but at different dates).

It's actually self-signed three times by the same key:

 * the original self-signature
 * the new self-signature with the updated expiration
 * a third self-signature which moves the "primary User ID" flag from
one UID to another.


If pgp.mit.edu rejected the key, that's a bug in that keyserver.

I just tried pulling this key from pgp.mit.edu and from
pool.sks-keyservers.net, and found that pgp.mit.edu only had the first
two self-sigs on each UID, while pool.sks-keyservers.net had all three.

then i tried pushing the full key (with all three self-sigs) back to
pgp.mit.edu.  After that, pgp.mit.edu returned all three self-sigs.

So it seems there was a buggy propagation in there, but i might have
just fixed it manually for this specific key.

(the explicit steps described above were:

umask 077
mkdir yohonet yohonet/mit yohonet/sks
GNUPGHOME=yohonet/mit gpg --keyserver pgp.mit.edu --recv 56B55C11
GNUPGHOME=yohonet/sks gpg --keyserver pool.sks-keyservers.net --recv
56B55C11
GNUPGHOME=yohonet/sks gpg --list-sigs 56B55C11
GNUPGHOME=yohonet/mit gpg --list-sigs 56B55C11
GNUPGHOME=yohonet/sks gpg --keyserver pgp.mit.edu --send 56B55C11
GNUPGHOME=yohonet/mit gpg --keyserver pgp.mit.edu --recv 56B55C11
GNUPGHOME=yohonet/mit gpg --list-sigs 56B55C11

)

I'd be interested in seeing the error output you got from sending the
key to pgp.mit.edu.  When i sent the full key back to pgp.mit.edu, i got
no error message at all, just the expected line from gpg:

 gpg: sending key 56B55C11 to hkp server pgp.mit.edu

> What
> is strange is I've tried another keyserver and it worked (without
> removing the expired signature).

It's probably a good idea to use the other keyserver then, and avoid
pgp.mit.edu.

> But, well, the real problem is that now, even if my new subkey has
> been imported successfully, the primary key on the keyserver still has
> the old expiration date set - i.e. the primary key has expired : do
> you know if I can update the key on the keyserver so that it is aware
> of the new expiration date ?

this is already done.  the old self-signature with the old expiration
date will persist forever, but the new self-sig has a more recent
creation date, and RFC-compliant OpenPGP implementations will respect it.

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090602/2e83be08/attachment-0001.pgp>


More information about the Gnupg-users mailing list