Why is "--allow-non-selfsigned-uid" needed to import this key?

Steve Strobel steve.strobel at link-comm.com
Mon May 16 22:12:42 CEST 2011

At 12:50 PM 5/16/2011, Robert J. Hansen wrote:
>On Mon, 16 May 2011 11:32:15 -0600, Steve Strobel
><steve.strobel at link-comm.com> wrote:
> >         root:~> gpg --import test-key.gpg
> >         gpg: key CBF38289 was created 137948617 seconds in the future
> >         (time warp or clock problem)
>This is exactly what it sounds like: according to your certificate, it was
>created about five and a half months from now.[1]  To GnuPG, that sounds
>like something's hinky and it refuses to allow it to be imported.  You've
>managed to get around it by telling GnuPG, "listen, fine, strip off the
>hinky signature: /now/ will you accept it?"
>And in that case, sure, GnuPG will: but the consequence of it is you've
>got a UID that's missing a signature.  Hence, "allow-nonselfsigned-uid"
>must be passed on the command line.

Thanks for the tip.  Just setting the date on the embedded device 
before importing the key made it work without "--allow-non-selfsigned-uid".

That still leaves me without a straightforward solution, though.  The 
embedded device doesn't have a battery-backed clock and doesn't need 
one.  It will sometimes have Internet access and could potentially 
use NTP when available to set the date.  That seems like a lot of 
extra complexity just to import a key.  The user interface doesn't 
make it easy to ask the user for the date.  What would the security 
implications be of just setting the clock to a fixed future date 
before importing the key?

>[1] As an undergraduate Prof. Hill once mused to me, "Math is funny.  You
>tell someone how many seconds are in a year, they forget it immediately.
>You tell them that accurate to half a percent there are pi seconds in a
>nanocentury and they remember it for life."  He was right, I've never
>forgotten, and that's made it easy to remember there are 31.4 million (3.14
>* 10**7) seconds in a year.  13.8 million / 31.4 million = 137/314 = 0.44
>of a year, * 12 = five and a half months, more or less.  Not really
>relevant to GnuPG, but a handy factoid for timestamp calculations, if you
>ever need to do them in a hurry.

That is a great way to remember.  Now if remembering names was just as easy...

Thanks again,

Steve Strobel
Link Communications, Inc.
1035 Cerise Rd
Billings, MT 59101-7378
(406) 245-5002 ext 102
(406) 245-4889 (fax)
WWW: http://www.link-comm.com
MailTo:steve.strobel at link-comm.com
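
Added example, not part of the original thread and not GnuPG's own code: a sketch of where the "created N seconds in the future" figure comes from, reading the creation timestamp out of an OpenPGP public-key packet and comparing it with the device clock. The sample packet, the device clock value and the function names are constructed for illustration; only the 137948617-second offset is taken from the message quoted above.

```python
def read_packet_header(data):
    """Return (tag, body_offset, body_length) of the first OpenPGP packet."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                       # new-format header
        tag = first & 0x3F
        l0 = data[1]
        if l0 < 192:
            return tag, 2, l0
        if l0 < 224:
            return tag, 3, ((l0 - 192) << 8) + data[2] + 192
        if l0 == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body lengths not handled")
    tag = (first >> 2) & 0x0F              # old-format header
    ltype = first & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not handled")
    size = (1, 2, 4)[ltype]
    return tag, 1 + size, int.from_bytes(data[1:1 + size], "big")

def key_creation_time(data):
    """Creation time (Unix seconds) stored in a v3/v4 public-key packet."""
    tag, off, length = read_packet_header(data)
    if tag != 6:
        raise ValueError("first packet is not a public key")
    body = data[off:off + length]
    if len(body) < 5 or body[0] not in (3, 4):
        raise ValueError("unsupported or truncated key packet")
    return int.from_bytes(body[1:5], "big")  # 4 octets right after the version

def seconds_in_future(data, now):
    """How far ahead of the clock value `now` the key claims to be created."""
    return max(0, key_creation_time(data) - now)

# Constructed sample: a device with no RTC whose clock reads 2000-01-01 UTC,
# and a v4 key header (cut off after the algorithm octet) created
# 137948617 seconds later, the offset from the gpg message above.
DEVICE_CLOCK = 946684800
CREATED = DEVICE_CLOCK + 137948617
SAMPLE_KEY = b"\x98\x06\x04" + CREATED.to_bytes(4, "big") + b"\x01"

if __name__ == "__main__":
    print(seconds_in_future(SAMPLE_KEY, DEVICE_CLOCK), "seconds in the future")
```

The timestamp is a field of the key itself, so the same key reads as "in the future" or not depending only on what the importing machine believes the time to be.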
