export-filter question or bug
Werner Koch
wk at gnupg.org
Tue Feb 23 18:07:33 CET 2021
On Tue, 23 Feb 2021 13:37, Erich Eckner said:
> What am I doing wrong? Or is there something special about this key?
Nothing. It is an interesting case. Let's have a look at key exported
without any options (listing slightly edited):

  $ gpg --show-keys --with-sig-check c.pub
  pub   rsa4096 2017-06-23 [SC] [expires: 2021-12-31]
        2E29129B8C684FE7A959C422714A1770ECE2DF62
  uid   [...] <repositories at archlinux32.org>
  sig 3 714A1770ECE2DF62 2021-01-25 [...] <repositories at archlinux32.org>
  uid   [...] <buildmaster at archlinux32.org>
  sig 3 714A1770ECE2DF62 2017-06-23 [...] <repositories at archlinux32.org>
  sub   rsa4096 2017-06-23 [S] [expires: 2021-12-31]
        FD45993ACA052203886D618205CDEE5C356A46AD
  sig   714A1770ECE2DF62 2021-01-25 [...] <repositories at archlinux32.org>

What we see is a key with two user ids. The self-signatures binding the
user ids to the key carry important information, for example the
expiration date.

If we look closely at the self-signatures using --list-packets we see:

  :user ID packet: "[...] <buildmaster at archlinux32.org>"
  :signature packet: algo 1, keyid 714A1770ECE2DF62
      version 4, created 1498203061, md5len 0, sigclass 0x13
      [...]
      hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
      [...]

Adding this expiration value to the key creation time yields 2019-06-17
and thus the key would be expired.

  :user ID packet: "[...] <repositories at archlinux32.org>"
  :signature packet: algo 1, keyid 714A1770ECE2DF62
      version 4, created 1611599717, md5len 0, sigclass 0x13
      [...]
      hashed subpkt 9 len 4 (key expires after 4y192d3h29m)
      [...]

Adding this expiration value to the key creation time yields 2021-12-31
and thus the key would be valid.

The actual used key expiration date is the latest one seen in user id
self-signatures, thus in our case 2021-12-31.

Now if we export just one user id as done by gpg-wks-client

  gpg --no-options -v --batch --status-fd=2 --always-trust --armor \
      --export-options=export-minimal \
      --export-filter 'keep-uid=mbox= buildmaster at archlinux32.org' \
      --export -- 2E29129B8C684FE7A959C422714A1770ECE2DF62

We get a key with the buildmaster@ user id and thus the latest
expiration date is 2019-06-17. This is because the other user id and
its self-signature have been stripped.

Sure, this could be considered a bug in export-minimal but fixing this
would require creating a new self-signature for the exported user id
which then requires the private key and would be even more confusing.

I am not sure how to solve it but it needs to be solved at least for
gpg-wks-client. See https://dev.gnupg.org/T5323

You may simply want to change the expiration date of the key which, in
contrast to "adduid", updates all self-signatures.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
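
The rule described in the message above (the key expiration is the latest one found in the user id self-signatures, so a keep-uid filter can change it), as an added example that is not part of the original post or of GnuPG. The listing is constructed in the layout of --list-packets; the function names, the example.org user ids and the timestamps are made up for illustration.

```python
import re

# Constructed sample in the layout of `gpg --list-packets`; not a real key.
SAMPLE = """\
:public key packet:
    version 4, algo 1, created 1500000000, expires 0
:user ID packet: "Old Role <old@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1500000000, md5len 0, sigclass 0x13
    hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
:user ID packet: "New Role <new@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1600000000, md5len 0, sigclass 0x13
    hashed subpkt 9 len 4 (key expires after 5y10d0h0m)
"""
DURATION = re.compile(r"key expires after (\d+)y(\d+)d(\d+)h(\d+)m")

def uid_expirations(listing):
    """Map each user id to key creation + the offset in its newest self-signature (1y = 365d)."""
    key_created = sig_created = uid = packet = None
    newest = {}  # uid -> (self-signature creation time, key expiry as epoch seconds)
    for line in map(str.strip, listing.splitlines()):
        if line.startswith(":"):
            packet = line.split(":")[1]
            if packet != "signature packet":  # a subkey's binding signature is not a uid self-sig
                uid = line.split('"')[1] if packet == "user ID packet" else None
            continue
        created = re.search(r"created (\d+)", line)
        if created and packet == "public key packet":
            key_created = int(created.group(1))
        elif created and packet == "signature packet":
            sig_created = int(created.group(1))
        dur = DURATION.search(line)
        if dur and uid and packet == "signature packet":
            y, d, h, m = map(int, dur.groups())
            expiry = key_created + ((y * 365 + d) * 24 + h) * 3600 + m * 60
            if uid not in newest or sig_created > newest[uid][0]:
                newest[uid] = (sig_created, expiry)
    return {u: e for u, (_, e) in newest.items()}

def effective_expiry(expiries, keep=None):
    """Latest expiry among the user ids left after a keep-uid style filter."""
    kept = [e for u, e in expiries.items() if keep is None or keep in u]
    return max(kept) if kept else None

def stale_uids(listing, now):
    """User ids whose single-uid export looks expired although the full key is valid."""
    exp = uid_expirations(listing)
    return [u for u, e in exp.items() if e <= now < effective_expiry(exp)]
```

Running stale_uids over the listing of a key before publishing single-uid exports shows which user ids still carry an old self-signature.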