Stripping expired subkey during export?

Werner Koch wk at
Fri Mar 3 09:51:57 CET 2017

On Fri,  3 Mar 2017 07:21, gnupg-users at said:

> Why is `export-clean` not dropping the expired subkey?  Is it that
> export-clean only filters unusable userids, not unusable subkeys?

      /* Always do the cleaning on the public key part if requested.
       * Note that both export-clean and export-minimal only apply to
       * UID sigs (0x10, 0x11, 0x12, and 0x13).  A designated
       * revocation is never stripped, even with export-minimal set.  */

Not cleaning expired subkeys is a good thing for secret key export, so
that you can keep on decrypting old mails.  Exporting an expired public
key can be helpful to see your expired key.

For sending keys to keyserver it would actually be better to remove
expired encryption subkeys.  But the keyservers will merge them anyway.

As a compatible hack we could add an 'expired' property to the
export-filter's drop-subkey method.  Just did this:

 gpg --export-options export-clean \
     --export-filter drop-subkey='expired -t' \
     --export 1e42b367 

removes all my expired subkeys.  This is just a first step; we also need
a property for the key capability.

>   --import-filter drop-sig='sig_digest_algo < 8'
> and then exported clean/minimal from there; but there's no change.  This
> import filter appears to do nothing.

drop-sigs does not work on self-signatures - might this be your problem?
I have not done any of these, though.

> Is there a reason beyond "nobody asked for it yet" why there's no
> "expired" filter for drop-subkey/drop-sig?

No.  I added filters only when I needed them.



Thoughts are free.  Exceptions are regulated by a federal law.
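
A check for the export described above, as an added example that is not part of the original post: the function reads a `gpg --with-colons` listing and prints the key ID of every expired subkey, so an empty result means the filter dropped them all. The function name, the sample listings and their key IDs are constructed for illustration.

```shell
# Added example, not from the original post.
# Reads `gpg --with-colons` output on stdin and prints the key ID of
# every expired subkey.  $1 (optional) is "now" in epoch seconds and
# defaults to the current time.
#
# Typical use (KEYID is a placeholder):
#   gpg --export-options export-clean \
#       --export-filter drop-subkey='expired -t' \
#       --export KEYID | gpg --show-keys --with-colons | expired_subkeys
expired_subkeys() {
    now="${1:-$(date +%s)}"
    awk -F: -v now="$now" '
        $1 == "sub" || $1 == "ssb" {
            # field 2 = validity ("e" means expired), field 5 = key ID,
            # field 7 = expiration time in epoch seconds (may be empty)
            if ($2 == "e" || ($7 ~ /^[0-9]+$/ && $7 + 0 < now + 0))
                print $5
        }'
}

# Constructed listing of a key before filtering: two expired encryption
# subkeys (one flagged "e", one only recognisable by its timestamp) and
# one subkey without an expiration time.
SAMPLE_BEFORE='pub:-:4096:1:1111111111111111:1400000000:::-:::scESC::::::23::0:
uid:-::::1400000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:e:2048:1:2222222222222222:1400000000:1431536000:::::e::::::23:
sub:-:2048:1:3333333333333333:1400000000:1431536000:::::e::::::23:
sub:-:4096:1:4444444444444444:1480000000::::::e::::::23:'

# Constructed listing of the same key after the drop-subkey filter.
SAMPLE_AFTER='pub:-:4096:1:1111111111111111:1400000000:::-:::scESC::::::23::0:
uid:-::::1400000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:-:4096:1:4444444444444444:1480000000::::::e::::::23:'
```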