Fresh certificate marked as expired / messed-up certificate chain pulling expired root cert in gpgsm

Dr. Thomas Orgis thomas.orgis at uni-hamburg.de
Wed Sep 4 13:50:06 CEST 2019


On Tue, 30 Jul 2019 13:28:32 +0200,
"Dr. Thomas Orgis" <thomas.orgis at uni-hamburg.de> wrote:

> And even with it present, is it
> correct behaviour for gpgsm to consider the chain invalid instead of
> just the cross-signature? It _does_ trust the new root cert already …
> no need for any further signature.

Just now the third colleague (all people working at German
universities) contacted me about having an even more persistent variant
of this issue, with the old root cert cross-signature being re-imported
by gpgsm and thus practically permanently breaking the use of the new
certificate.

Can we consider this a bug in gpgsm's handling of signatures or is this
really working as designed?


Regards,

Thomas


> PS: Just for fun, I'm trying to sign this post now. Maybe it won't even
> be broken by the list?

The list does break the signature. I'm not adding one now …

-- 
Dr. Thomas Orgis
HPC @ Universität Hamburg


