export-filter question or bug

Werner Koch wk at gnupg.org
Tue Feb 23 18:07:33 CET 2021


On Tue, 23 Feb 2021 13:37, Erich Eckner said:

> What am I doing wrong? Or is there something special about this key?

Nothing.  It is an interesting case.  Let's have a look at the key exported
without any options (listing slightly edited):

  $ gpg --show-keys --with-sig-check c.pub
  pub   rsa4096 2017-06-23 [SC] [expires: 2021-12-31]
        2E29129B8C684FE7A959C422714A1770ECE2DF62
  uid                      [...] <repositories@archlinux32.org>
  sig 3        714A1770ECE2DF62 2021-01-25  [...] <repositories@archlinux32.org>
  uid                      [...] <buildmaster@archlinux32.org>
  sig 3        714A1770ECE2DF62 2017-06-23  [...] <repositories@archlinux32.org>
  sub   rsa4096 2017-06-23 [S] [expires: 2021-12-31]
        FD45993ACA052203886D618205CDEE5C356A46AD
  sig          714A1770ECE2DF62 2021-01-25  [...] <repositories@archlinux32.org>

What we see is a key with two user ids.  The self-signatures binding the
user ids to the key carry important information, for example the
expiration date. 

If we look closely at the self-signatures using --list-packets we see:

  :user ID packet: "[...] <buildmaster@archlinux32.org>"
  :signature packet: algo 1, keyid 714A1770ECE2DF62
          version 4, created 1498203061, md5len 0, sigclass 0x13
          [...]
          hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
          [...]

Adding this expiration value to the key creation time yields 2019-06-17
and thus the key would be expired.

  :user ID packet: "[...] <repositories@archlinux32.org>"
  :signature packet: algo 1, keyid 714A1770ECE2DF62
          version 4, created 1611599717, md5len 0, sigclass 0x13
          [...]
          hashed subpkt 9 len 4 (key expires after 4y192d3h29m)
          [...]

Adding this expiration value to the key creation time yields 2021-12-31
and thus the key would be valid.

The actually used key expiration date is the latest one seen in the user
id self-signatures, thus in our case 2021-12-31.

Now if we export just one user id as done by gpg-wks-client

  gpg --no-options -v --batch --status-fd=2 --always-trust --armor \
       --export-options=export-minimal \
       --export-filter 'keep-uid=mbox=buildmaster@archlinux32.org' \
       --export -- 2E29129B8C684FE7A959C422714A1770ECE2DF62

We get a key with the buildmaster@ user id and thus the latest
expiration date is 2019-06-17.  This is because the other user id and
its self-signature have been stripped.

Sure, this could be considered a bug in export-minimal, but fixing it
would require creating a new self-signature for the exported user id,
which in turn requires the private key and would confuse things even more.
I am not sure how to solve it, but it needs to be solved at least for
gpg-wks-client.  See https://dev.gnupg.org/T5323

You may simply want to change the expiration date of the key, which, in
contrast to "adduid", updates all self-signatures.


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
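An added illustration of the rule described above, not from the post and
not GnuPG's own code: a small Python script that builds a constructed
two-user-id key from the creation time and the two expiry intervals shown
in the listing (key and signature MPIs are dummies, so the signatures are
not verifiable), computes the expiration that the newest self-signature
implies, and then applies a keep-uid style filter to show how dropping the
repositories@ user id pulls the expiration back.  The packet and subpacket
layout follows RFC 4880; the keep_uid helper, its simplified mbox match,
the sample user id strings and the sample values are the example's own.

```python
"""Constructed example, not GnuPG code: keep-uid vs. the expiry that self-signatures imply."""
import hashlib, struct
from datetime import datetime, timezone

TAG_SIG, TAG_PUBKEY, TAG_UID = 2, 6, 13
SUB_SIG_CREATED, SUB_KEY_EXPIRES, SUB_ISSUER = 2, 9, 16
KEY_CREATED = 1498203061          # key creation time taken from the listing
DUMMY_MPI = b"\x00\x01\x01"       # MPI encoding of the integer 1 (unverifiable dummy)

def packet(tag, body):
    # old-format header with a 2-octet length, as gpg emits for these tags
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def key_id(pubkey_body):
    # v4 key id = low 64 bits of SHA-1(0x99 || 2-octet length || key body)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body).digest()[-8:]

def self_sig(sig_created, key_expires_after, issuer):
    # v4 positive certification (0x13), RSA, SHA-256, hashed subpackets only
    sub = lambda t, d: bytes([1 + len(d), t]) + d    # 1-octet len covers type+data
    hashed = (sub(SUB_SIG_CREATED, struct.pack(">I", sig_created))
              + sub(SUB_KEY_EXPIRES, struct.pack(">I", key_expires_after))
              + sub(SUB_ISSUER, issuer))
    body = (b"\x04\x13\x01\x08" + struct.pack(">H", len(hashed)) + hashed
            + b"\x00\x00" + b"\x00\x00" + DUMMY_MPI)  # no unhashed subpkts, dummy hash prefix, dummy sig
    return packet(TAG_SIG, body)

def build_sample_key():
    # two uids; only the newer self-signature carries the extended expiry
    pub_body = b"\x04" + struct.pack(">I", KEY_CREATED) + b"\x01" + DUMMY_MPI + DUMMY_MPI
    issuer = key_id(pub_body)
    two_years = 2 * 365 * 86400                              # "2y0d0h0m"
    extended = (4 * 365 + 192) * 86400 + 3 * 3600 + 29 * 60  # "4y192d3h29m"
    return (packet(TAG_PUBKEY, pub_body)
            + packet(TAG_UID, b"Repos <repositories@archlinux32.org>")
            + self_sig(1611599717, extended, issuer)         # made 2021-01-25
            + packet(TAG_UID, b"Build <buildmaster@archlinux32.org>")
            + self_sig(KEY_CREATED, two_years, issuer))      # made 2017-06-23

def parse_packets(data):
    # old-format packet stream -> [(tag, body)]; new-format/indeterminate rejected
    out, i = [], 0
    while i < len(data):
        ctb = data[i]
        if (ctb & 0xC0) != 0x80 or (ctb & 3) == 3:
            raise ValueError("unsupported packet header")
        tag, size = (ctb >> 2) & 0x0F, 1 << (ctb & 3)
        length, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        out.append((tag, data[i:i + length])); i += length
    return out

def parse_subpackets(blob):
    # signature subpacket area -> {type: data}; one/two/five-octet lengths
    subs, i = {}, 0
    while i < len(blob):
        first = blob[i]
        length, i = ((first, i + 1) if first < 192 else
                     (((first - 192) << 8) + blob[i + 1] + 192, i + 2) if first < 255 else
                     (struct.unpack(">I", blob[i + 1:i + 5])[0], i + 5))
        subs[blob[i]] = blob[i + 1:i + length]; i += length
    return subs

def sig_info(body):
    # (sigclass, created, key_expires_after or None, issuer) of a v4 signature;
    # times only from the hashed area, issuer also from the unhashed one (gpg puts it there)
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    hashed = parse_subpackets(body[6:6 + hlen])
    unhashed = parse_subpackets(body[8 + hlen:8 + hlen + ulen])
    expires = hashed.get(SUB_KEY_EXPIRES)
    return (body[1], struct.unpack(">I", hashed[SUB_SIG_CREATED])[0],
            struct.unpack(">I", expires)[0] if expires else None,
            hashed.get(SUB_ISSUER) or unhashed.get(SUB_ISSUER))

def effective_expiration(packets):
    """Rule from the post: the newest uid self-signature (class 0x10-0x13 issued
    by the key itself) decides; None means that signature sets no expiry."""
    key_created = issuer = None
    newest = (-1, None)                       # (sig created, expires after)
    for tag, body in packets:
        if tag == TAG_PUBKEY:
            key_created, issuer = struct.unpack(">I", body[1:5])[0], key_id(body)
        elif tag == TAG_SIG:
            sigclass, created, expires, who = sig_info(body)
            if 0x10 <= sigclass <= 0x13 and who == issuer and created > newest[0]:
                newest = (created, expires)
    return None if newest[1] is None else datetime.fromtimestamp(
        key_created + newest[1], tz=timezone.utc)

def keep_uid(packets, mbox):
    # emulate --export-filter keep-uid=mbox=<addr>: drop the other uids and the
    # signatures that follow them (simplified address match, not gpg's parser)
    out, keep = [], True
    for tag, body in packets:
        if tag == TAG_UID:
            keep = b"<" + mbox.encode() + b">" in body
        elif tag != TAG_SIG:
            keep = True                       # key and subkey packets always pass
        if keep:
            out.append((tag, body))
    return out
```

effective_expiration(parse_packets(build_sample_key())) yields 2021-12-31,
and after keep_uid(..., "buildmaster@archlinux32.org") it yields
2019-06-23; both dates are computed from the listing's own creation time
(2017-06-23) plus 4y192d3h29m, resp. 2y0d0h0m.  Because gpg writes
old-format packet headers for these packet types and usually places the
issuer key id in the unhashed subpacket area, the same functions can be
pointed at the raw (non-armored) output of gpg --export for a real key to
compare the expiry before and after an export-filter.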