primary key expiration and subkeys
Ingo Klöcker
kloecker at kde.org
Thu Jan 22 18:56:35 CET 2026
On Thursday, 22 January 2026 15:46:24 Central European Time Bernhard
Reiter via Gnupg-devel wrote:
> On Tuesday 20 January 2026 07:31:21, Ben Kibbey wrote:
> > Is it normal behavior to add a subkey whose expiration is after a
> > primary key
I don't think that this makes any sense because such a subkey wouldn't be
usable after the expiration of the primary key. The usual case is to set no
expiration for a new subkey so that the subkey expires together with the
primary key. The alternative is to add a subkey with an expiration (long)
before the primary key because one wants to rotate the subkey but one wants to
keep the primary key for a longer period of time.
> > If so, it may be good to issue a warning during
> > --edit-key that a subkey expiration is later than the primary since one
> > would have to change the expiration of both the primary and subkeys to
> > make use of them.
>
> --edit-key is a low level operation, I wonder what expert GUIs like
> Kleopatra would allow. And if it is worth the effort to add a warning here.
Kleopatra doesn't let you specify an expiration past the (current) expiration
of the primary key when you add a new subkey. Of course, you can change the
expiration of the primary key to an earlier date after adding the new subkey
and explicitly tell Kleopatra not to set the expiration of the subkeys to the
same date. Kleopatra won't try to prevent you from shooting yourself in the
foot if you really insist on doing so.
Regarding gpg, I don't think any warning is necessary. If you use a powerful
tool like gpg then you had better know what you are doing. Moreover, a subkey
which expires after the primary key won't do any harm. If you want to continue
using the subkey then you can simply extend the lifetime of the primary key.
Regards,
Ingo
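The check Ben proposes can be done outside of gpg. As an added example (not from the thread and not part of GnuPG or Kleopatra), the Python below parses the machine-readable `gpg --with-colons --list-keys` output, computes each subkey's effective lifetime as the earlier of its own and the primary key's expiration, and reports subkeys whose own expiration lies after the primary's. The colon-format sample and its key IDs are constructed for the example.

```python
"""Report subkeys that expire later than their primary key.

Input is the output of `gpg --with-colons --list-keys`: field 1 is the record
type, field 5 the key ID, field 7 the expiration as Unix seconds (empty when the
key has no expiration of its own).  Lines other than pub/sub are ignored.
"""
from datetime import datetime, timezone

# Constructed sample: primary expires 2027-01-01, the first subkey has no own
# expiration, the second is set to expire 2030-01-01, after the primary.
SAMPLE_COLONS = """\
pub:u:255:22:AAAAAAAAAAAAAAAA:1700000000:1798761600::u:::scESC::::::23::0:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user at example.invalid>::::::::::0:
sub:u:255:18:BBBBBBBBBBBBBBBB:1700000000::::::e::::::23:
sub:u:255:22:CCCCCCCCCCCCCCCC:1700000000:1893456000::::s::::::23:
"""


def _expiry(field):
    # An empty expiration field means the key never expires on its own.
    return int(field) if field else None


def parse_keys(colons_output):
    """Group sub records under the preceding pub record."""
    keys = []
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "expires": _expiry(f[6]), "subkeys": []})
        elif f[0] == "sub" and keys:
            keys[-1]["subkeys"].append({"keyid": f[4], "expires": _expiry(f[6])})
    return keys


def effective_expiry(primary, sub):
    """A subkey is only usable while the primary key is valid, so its
    effective expiration is the earlier of the two (None = never expires)."""
    if primary is None or sub is None:
        return sub if primary is None else primary
    return min(primary, sub)


def find_overshooting_subkeys(keys):
    """(primary id, subkey id, subkey expiry, primary expiry) for each subkey
    whose own expiration is later than the primary key's."""
    findings = []
    for key in keys:
        primary = key["expires"]
        if primary is None:
            continue  # primary never expires: no subkey can outlive it
        for sk in key["subkeys"]:
            if sk["expires"] is not None and sk["expires"] > primary:
                findings.append((key["keyid"], sk["keyid"], sk["expires"], primary))
    return findings


def format_finding(finding):
    """Human-readable warning line for one finding."""
    pid, sid, sub_exp, pri_exp = finding
    fmt = lambda t: datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d")
    return (f"subkey {sid} of {pid} expires {fmt(sub_exp)}, after the primary "
            f"({fmt(pri_exp)}); effective expiry is {fmt(effective_expiry(pri_exp, sub_exp))}")


if __name__ == "__main__":
    for finding in find_overshooting_subkeys(parse_keys(SAMPLE_COLONS)):
        print(format_finding(finding))
```

To run it against a real keyring, pipe `gpg --with-colons --list-keys` into `parse_keys` instead of the constructed sample.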