Fresh certificate marked as expired / messed-up certificate chain pulling expired root cert in gpgsm

Dr. Thomas Orgis thomas.orgis at
Wed Sep 4 13:50:06 CEST 2019

On Tue, 30 Jul 2019 13:28:32 +0200,
"Dr. Thomas Orgis" <thomas.orgis at> wrote:

> And even with it present, is it
> correct behaviour for gpgsm to consider the chain invalid instead of
> just the cross-signature? It _does_ trust the new root cert already …
> no need for any further signature.

Just now the third colleague (all people working at German
universities) contacted me about having an even more persistent variant
of this issue, with the old root cert cross-signature being re-imported
by gpgsm and thus practically permanently breaking the use of the new

Can we consider this a bug in gpgsm's handling of signatures or is this
really working as designed?



> PS: Just for fun, I'm trying to sign this post now. Maybe it won't even
> be broken by the list?

The list does break the signature. I'm not adding one now …

Dr. Thomas Orgis
HPC @ Universität Hamburg
