Secret key Questions regarding expiration and backing up

Andrew Gallagher andrewg at andrewg.com
Sat Oct 15 01:16:45 CEST 2016


On 14 Oct 2016, at 23:49, gpg at noffin.com wrote:

> So for clarification then:
> 
> If there are no expiry dates on secret keys, what does this output mean then?
> 
> #gpg --list-secret-keys
> 
> <snip>
> sec   2048R/xxxxxxxx 2014-10-30 [expires: 2017-10-31]
> </snip>

The expiry date shown here is just a copy of the one on the public key. It is checked by gnupg to prevent it making signatures with a secret key that has an expired public key (and which are therefore unverifiable by others). I suppose you could think of this as being the expiry of the secret key, but it is always the same as that of the public key and the one on the public key is the important one.

> And my next question is then... When I exported my secret key and moved it
> to another machine - why did the contents of the export to file change
> between the extension of the expiration date? (I exported before and after
> to test).

I'll defer to someone more expert than me on the internals, but my understanding is that a copy of some public key information (such as expiry dates) is kept in the corresponding secret key store, and this will be updated when the public key is edited.

Andrew.
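The behaviour described in this reply can be checked directly in a throwaway keyring. The script below is an added example, not part of the thread: it generates a test key (constructed identity, no passphrase), confirms that the `sec` line's expiry is identical to the `pub` line's, extends the expiry, and shows that both the listed expiry and the exported secret-key file change. It assumes GnuPG 2.1 or later (for `--quick-generate-key` and `--quick-set-expire`) and a private `GNUPGHOME` created with `mktemp`.

```bash
#!/usr/bin/env bash
# Added example: the expiry printed by --list-secret-keys mirrors the public
# key's self-signature, and re-exporting the secret key after --quick-set-expire
# yields a different file. Assumes GnuPG >= 2.1; everything runs in a temporary
# keyring that is removed on exit.
set -eu

GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

UID_STR="Expiry Test <expiry-test@example.invalid>"   # constructed test identity

# Test-only key: RSA 2048, signing capability, expires in one year, no passphrase.
gpg --batch --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$UID_STR" rsa2048 sign 1y >/dev/null 2>&1
FPR="$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')"

# Field 7 of the sec/pub record is the expiry as seconds since the epoch.
secret_expiry() { gpg --batch --with-colons --list-secret-keys "$FPR" | awk -F: '$1=="sec"{print $7; exit}'; }
public_expiry() { gpg --batch --with-colons --list-keys "$FPR" | awk -F: '$1=="pub"{print $7; exit}'; }

# Export the secret key (binary) to a file inside the temporary keyring.
export_secret() { gpg --batch --pinentry-mode loopback --passphrase '' \
                      --export-secret-keys "$FPR" > "$GNUPGHOME/$1"; }

BEFORE_EXP="$(secret_expiry)"; export_secret before.gpg
# Extend the expiry: this rewrites the self-signature on the public key.
gpg --batch --pinentry-mode loopback --passphrase '' --quick-set-expire "$FPR" 2y >/dev/null 2>&1
AFTER_EXP="$(secret_expiry)"; export_secret after.gpg

# 1 if the sec line's expiry equals the pub line's expiry right now, else 0.
expiry_mirrors_public() { [ "$(secret_expiry)" = "$(public_expiry)" ] && echo 1 || echo 0; }
# 1 if extending the expiry moved the listed date forward AND changed the export bytes.
extension_changed_export() {
    [ "$AFTER_EXP" -gt "$BEFORE_EXP" ] && ! cmp -s "$GNUPGHOME/before.gpg" "$GNUPGHOME/after.gpg" \
        && echo 1 || echo 0
}

echo "sec expiry before: $BEFORE_EXP  after: $AFTER_EXP"
echo "sec expiry mirrors pub: $(expiry_mirrors_public)  export changed: $(extension_changed_export)"
```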


