Stripping expired subkey during export?
gnupg-users at spodhuis.org
Sat Mar 4 00:13:40 CET 2017
On 2017-03-03 at 09:51 +0100, Werner Koch wrote:
> Not cleaning expired subkeys is a good thing for secret key export, so
> that you can keep on decrypting old mails.
Sure, but this is a non-secret export, for the versions for publication.
> Exporting an expired public
> key can be helpful to see your expired key.
I can see this for a signing key, so that old signatures can be
validated, but I don't see that it's a helpful default for encryption
subkeys, and since encryption subkeys are the only ones typically
created by default, that seems dominant.
> As a compatible hack we could add an 'expired' property to the
> export-filter's drop-subkey method. Just did this:
> gpg --export-options export-clean \
> --export-filter drop-subkey='expired -t' \
> --export 1e42b367
> removes all my expired subkeys. This is just a first step; we also need
> a property for the key capability.
I see commit 1813f3be and will build/test this and report back on the
devel list if I experience issues. Thanks!
> drop-sigs does not work on self-signatures - might this be your problem?
> I have not done any these, though.
Ugh, yes. Thanks, I explored everything I could see and kept running
into roadblocks. Thanks for clearing a new path through.
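
A way to verify the result of such a filtered export before publishing it, as an added example that is not part of the original message or of GnuPG itself. It reads a `--with-colons` listing on stdin and reports expired subkeys; the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report expired subkeys found in a gpg --with-colons listing.
# Fields used (GnuPG doc/DETAILS): 1=record type, 2=validity ("e" = expired),
# 5=key ID, 7=expiration in epoch seconds (empty if none), 12=capabilities.
# One way to produce a listing from an export without touching the keyring:
#   gpg --export ... | gpg --with-colons --import-options show-only --import

# expired_subkeys [now_epoch] < listing
# Prints "KEYID CAPS" for each subkey that is flagged expired or whose
# expiration time is not after now_epoch (defaults to the current time).
expired_subkeys() {
    now="${1:-$(date +%s)}"
    awk -F: -v now="$now" '
        $1 == "sub" {
            expired = ($2 == "e") || ($7 ~ /^[0-9]+$/ && $7 + 0 <= now + 0)
            if (expired) print $5, $12
        }'
}

# check_export_clean [now_epoch] < listing
# Returns 0 when no expired subkey is present, so it can gate publication.
check_export_clean() {
    out=$(expired_subkeys "$@")
    [ -z "$out" ] || { printf 'expired subkey: %s\n' "$out" >&2; return 1; }
}

# Constructed sample listing (key IDs and dates are made up):
# one expired encryption subkey, one still-valid one, one signing subkey
# with no expiration.
SAMPLE='pub:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scESC:
sub:e:4096:1:BBBBBBBBBBBBBBBB:1400000000:1450000000:::::e:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1450000000:1700000000:::::e:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1450000000::::::s:'

# Evaluate the sample as of a fixed time so the result is reproducible.
printf '%s\n' "$SAMPLE" | expired_subkeys 1600000000   # prints: BBBBBBBBBBBBBBBB e
```

The date comparison also catches a subkey whose listing was generated before it expired, where the validity field alone would not show `e`.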