Changing the expiration date after the key has expired

Daniel Kahn Gillmor dkg at
Tue Jun 2 18:40:59 CEST 2009

On 06/02/2009 10:14 AM, Vincent Panel wrote:
> I just wondered if it was possible to postpone the expiration date
> after it has been set and/or after the deadline has been reached.

yes, this is possible.  Assming you're talking about 56B55C11, it looks
like you've successfully done so.

> I've tried to export the result and put it on the mit keyserver but it
> failed. According to the message I've read, it was because my userids
> wer signed by two keys (which is more or less wrong : I've checked and
> they are signed twice by the same key, but at different dates).

It's actually self-signed three times by the same key:

 * the original self-signature
 * the new self-signature with the updated expiration
 * a third self-signature which moves the "primary User ID" flag from
one UID to another.

If rejected the key, that's a bug in that keyserver.

I just tried pulling this key from and from, and found that only had the first
two self-sigs on each UID, while had all three.

then i tried pushing the full key (with all three self-sigs) back to  After that, returned all three self-sigs.

So it seems there was a buggy propagation in there, but i might have
just fixed it manually for this specific key.

(the explicit steps described above were:

umask 077
mkdir yohonet yohonet/mit yohonet/sks
GNUPGHOME=yohonet/mit gpg --keyserver --recv 56B55C11
GNUPGHOME=yohonet/sks gpg --keyserver --recv
GNUPGHOME=yohonet/sks gpg --list-sigs 56B55C11
GNUPGHOME=yohonet/mit gpg --list-sigs 56B55C11
GNUPGHOME=yohonet/sks gpg --keyserver --send 56B55C11
GNUPGHOME=yohonet/mit gpg --keyserver --recv 56B55C11
GNUPGHOME=yohonet/mit gpg --list-sigs 56B55C11


I'd be interested in seeing the error output you got from sending the
key to  When i sent the full key back to, i got
no error message at all, just the expected line from gpg:

 gpg: sending key 56B55C11 to hkp server

> What
> is strange is I've tried another keyserver and it worked (without
> removing the expired signature).

It's probably a good idea to use the other keyserver then, and avoid

> But, well, the real problem is that now, even if my new subkey has
> been imported successfully, the primary key on the keyserver still has
> the old expiration date set - i.e. the primary key has expired : do
> you know if I can update the key on the keyserver so that it is aware
> of the new expiration date ?

this is already done.  the old self-signature with the old expiration
date will persist forever, but the new self-sig has a more recent
creation date, and RFC-compliant OpenPGP implementations will respect it.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090602/2e83be08/attachment-0001.pgp>

More information about the Gnupg-users mailing list