Why is "--allow-non-selfsigned-uid" needed to import this key?

Robert J. Hansen rjh at sixdemonbag.org
Mon May 16 20:50:19 CEST 2011

On Mon, 16 May 2011 11:32:15 -0600, Steve Strobel
<steve.strobel at link-comm.com> wrote:
>         root:~> gpg --import test-key.gpg
>         gpg: key CBF38289 was created 137948617 seconds in the future
>         (time warp or clock problem)

This is exactly what it sounds like: according to your certificate, it was
created about five and a half months from now.[1]  To GnuPG, that sounds
like something's hinky and it refuses to allow it to be imported.  You've
managed to get around it by telling GnuPG, "listen, fine, strip off the
hinky signature: /now/ will you accept it?"

And in that case, sure, GnuPG will: but the consequence of it is you've
got a UID that's missing a signature.  Hence, "allow-nonselfsigned-uid"
must be passed on the command line.

[1] As an undergraduate Prof. Hill once mused to me, "Math is funny.  You
tell someone how many seconds are in a year, they forget it immediately. 
You tell them that accurate to half a percent there are pi seconds in a
nanocentury and they remember it for life."  He was right, I've never
forgotten, and that's made it easy to remember there are 31.4 million (3.14
* 10**7) seconds in a year.  13.8 million / 31.4 million = 137/314 = 0.44
of a year, * 12 = five and a half months, more or less.  Not really
relevant to GnuPG, but a handy factoid for timestamp calculations, if you
ever need to do them in a hurry.

More information about the Gnupg-users mailing list