Changing the expiration date after the key has expired
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Jun 2 18:40:59 CEST 2009
On 06/02/2009 10:14 AM, Vincent Panel wrote:
> I just wondered if it was possible to postpone the expiration date
> after it has been set and/or after the deadline has been reached.
yes, this is possible. Assuming you're talking about 56B55C11, it looks
like you've successfully done so.
> I've tried to export the result and put it on the mit keyserver but it
> failed. According to the message I've read, it was because my userids
> were signed by two keys (which is more or less wrong : I've checked and
> they are signed twice by the same key, but at different dates).
It's actually self-signed three times by the same key:
* the original self-signature
* the new self-signature with the updated expiration
* a third self-signature which moves the "primary User ID" flag from
one UID to another.
If pgp.mit.edu rejected the key, that's a bug in that keyserver.
I just tried pulling this key from pgp.mit.edu and from
pool.sks-keyservers.net, and found that pgp.mit.edu only had the first
two self-sigs on each UID, while pool.sks-keyservers.net had all three.
then i tried pushing the full key (with all three self-sigs) back to
pgp.mit.edu. After that, pgp.mit.edu returned all three self-sigs.
So it seems there was a buggy propagation in there, but i might have
just fixed it manually for this specific key.
(the explicit steps described above were:

  umask 077
  mkdir yohonet yohonet/mit yohonet/sks
  GNUPGHOME=yohonet/mit gpg --keyserver pgp.mit.edu --recv 56B55C11
  GNUPGHOME=yohonet/sks gpg --keyserver pool.sks-keyservers.net --recv 56B55C11
  GNUPGHOME=yohonet/sks gpg --list-sigs 56B55C11
  GNUPGHOME=yohonet/mit gpg --list-sigs 56B55C11
  GNUPGHOME=yohonet/sks gpg --keyserver pgp.mit.edu --send 56B55C11
  GNUPGHOME=yohonet/mit gpg --keyserver pgp.mit.edu --recv 56B55C11
  GNUPGHOME=yohonet/mit gpg --list-sigs 56B55C11
)
I'd be interested in seeing the error output you got from sending the
key to pgp.mit.edu. When i sent the full key back to pgp.mit.edu, i got
no error message at all, just the expected line from gpg:
  gpg: sending key 56B55C11 to hkp server pgp.mit.edu
> What
> is strange is I've tried another keyserver and it worked (without
> removing the expired signature).
It's probably a good idea to use the other keyserver then, and avoid
pgp.mit.edu.
> But, well, the real problem is that now, even if my new subkey has
> been imported successfully, the primary key on the keyserver still has
> the old expiration date set - i.e. the primary key has expired : do
> you know if I can update the key on the keyserver so that it is aware
> of the new expiration date ?
this is already done. the old self-signature with the old expiration
date will persist forever, but the new self-sig has a more recent
creation date, and RFC-compliant OpenPGP implementations will respect it.
--dkg
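
The keyserver comparison in the message above was done by reading two --list-sigs listings side by side. The script below is an added example, not part of the original post: it counts self-signatures per user ID from gpg's --with-colons listing, so the two keyrings can be compared mechanically. The long key IDs, dates and user ID in the sample listing are constructed.

```shell
#!/bin/sh
# Added example: count self-signatures per user ID in the output of
#   GNUPGHOME=yohonet/mit gpg --with-colons --list-sigs 56B55C11
# Colon-format fields used: 1 = record type, 5 = key ID, 10 = user ID.

selfsig_counts() {
    awk -F: '
        $1 == "pub"                { primary = $5; cur = 0; next }
        $1 == "uid"                { cur = ++n; name[n] = $10; count[n] = 0; next }
        $1 == "sub" || $1 == "uat" { cur = 0; next }   # not a user ID section
        # A self-signature is a sig record under a uid issued by the primary key.
        $1 == "sig" && cur && $5 == primary { count[cur]++ }
        END { for (i = 1; i <= n; i++) printf "%d\t%s\n", count[i], name[i] }
    '
}

# Constructed listing: key IDs, dates and user ID are made up for the example.
# $1 = number of self-signatures the simulated keyserver returned.
sample_listing() {
    echo 'pub:-:1024:17:0123456789ABCDEF:1136073600:1262304000::-:::scESC:'
    echo 'uid:-::::1243900000::HASH::Example User <user@example.org>:'
    i=0
    while [ "$i" -lt "$1" ]; do
        echo "sig:::17:0123456789ABCDEF:12439000$i::::Example User <user@example.org>:13x:"
        i=$((i + 1))
    done
    # Third-party certification and subkey binding signature: must not be counted.
    echo 'sig:::17:FEDCBA9876543210:1200000000::::Someone Else <else@example.org>:10x:'
    echo 'sub:-:2048:16:1111111111111111:1243900000:1275436000:::::e:'
    echo 'sig:::17:0123456789ABCDEF:1243900000::::Example User <user@example.org>:18x:'
}

sample_listing 2 | selfsig_counts   # copy missing one self-signature
sample_listing 3 | selfsig_counts   # copy with all three self-signatures
```

Piping the real listing from each GNUPGHOME through selfsig_counts and diffing the two results shows which user IDs are missing self-signatures on one server.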