gpg2 on a Windows 10 Pro 64 bit machine

Robert J. Hansen rjh at sixdemonbag.org
Mon Feb 27 02:56:55 CET 2017


> I am not sure what that is referring to. Also, there are numerous keys
> listed as revoked or expired. Is there anything I can run from the
> command line that will automatically remove all revoked or expired keys?

Kinda-sorta, but yes!

WARNING: this works on my laptop for both GnuPG 2.0 and 2.1.  It may not
work on yours.

Save everything between the "=====" marks to a file named "gpgclean.ps1".


=====
# gpgclean.ps1 -- cleans expired/revoked keys from GnuPG
# Requires GnuPG 2.0 or later.
#
# Copyright 2017, Rob Hansen
#
# Permission to use, copy, modify, and/or distribute this
# software for any purpose with or without fee is hereby
# granted, provided that the above copyright notice and
# this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS
# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
# WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
# TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
# USE OR PERFORMANCE OF THIS SOFTWARE.



# Use the Windows Registry to find GnuPG's location

## Start by looking for GnuPG 2.1.  If we can't find
## it, fall back to looking for 2.0.

If (Test-Path "HKLM:\Software\WOW6432Node\GnuPG") {
	$gpgdir = Join-Path `
		-Path (Get-ItemPropertyValue `
		-Path "HKLM:\Software\WOW6432Node\GnuPG" `
		"Install Directory") `
		-ChildPath "bin"
	$gpg = Join-Path -Path $gpgdir "gpg.exe"
}
ElseIf (Test-Path "HKLM:\Software\WOW6432Node\GNU\GnuPG") {
	$gpgdir = Get-ItemPropertyValue `
		-Path "HKLM:\Software\WOW6432Node\GNU\GnuPG" `
		"Install Directory"
	$gpg = Join-Path -Path $gpgdir "gpg2.exe"
}
Else {
	# Neither registry key exists: stop here with a clear message
	# instead of failing later on an empty $gpg.
	Write-Error "Could not find a GnuPG installation in the registry."
	exit 1
}

# Create the two Lists we're going to use to store the
# revoked/expired private keys and the revoked/expired
# public keys
$private_keys = New-Object `
	-TypeName System.Collections.Generic.List[string]
$public_keys = New-Object `
	-TypeName System.Collections.Generic.List[string]

# Many of our "expired" keys will have new, duration-
# extending signatures.  We do a keyring refresh from the
# keyservers to ensure we don't delete anything we don't
# have to.
&$gpg --keyserver pool.sks-keyservers.net `
	--refresh-keys

# Get the expired/revoked private and public keys
(&$gpg --keyid-format long `
	--fixed-list-mode `
	--with-colons --list-keys | `
	Select-String -Pattern "^pub:(r|e)").ForEach({
	# Field 5 of a "pub" record is the 64-bit key ID; it is the
	# first run of 16 hex digits on the line.
	$match = [regex]::match($_.Line, "([A-F0-9]{16})")
	$keyid = $match.Groups[1].Value
	$public_keys.Add($keyid)
	}
)

## In GnuPG 2.0, you can't figure out whether a private
## key is expired except by looking at its corresponding
## public key.  In GnuPG 2.1, you can, but the old way
## still works.  This code will therefore work with both.
If ($public_keys.Count -gt 0) {
	(&$gpg --keyid-format long `
		--fixed-list-mode `
		--with-colons --list-secret-keys $public_keys | `
		Select-String -Pattern "^sec").ForEach({
		$match = [regex]::match($_.Line, "([A-F0-9]{16})")
		$keyid = $match.Groups[1].Value
		$private_keys.Add($keyid)
		}
	)
}

# If we have revoked/expired private keys, get rid
# of them first.
if ($private_keys.Count -gt 0) {
	&$gpg --yes --delete-secret-keys $private_keys
}
# Follow up with revoked/expired public keys
if ($public_keys.Count -gt 0) {
	&$gpg --yes --delete-keys $public_keys
}
=====


Save that.  Then, in the "Ask me anything" box, type "Windows
PowerShell".  Launch the program that comes up.  You'll see a prompt like:

    PS C:\Users\rjh>

Then just type the path to gpgclean.ps1 and hit RETURN.

    PS C:\Users\rjh> .\Documents\gpgclean.ps1

It will likely appear to hang for a few minutes.  That's normal.  It's
refreshing your keyring in order to see if any certs have revised
expiration dates.  Once it finishes that, the rest goes quickly.

If there's interest, I'll put a good-looking GUI on this.
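As an added example (not part of Rob's script), here is a field-based way to read the `--with-colons` listing: it splits each record on ':' and uses field 2 (validity) and field 5 (key ID) instead of searching the line for 16 hex digits, and it ignores "sub" records so an expired subkey never marks a live primary key for deletion. All key IDs, user IDs and listing lines below are constructed.

```powershell
# Added example: parse `gpg --with-colons` records by field.
# Layout used here: field 1 = record type (pub/sub/sec/uid...),
# field 2 = validity (r = revoked, e = expired), field 5 = key ID.
function Get-DeadPrimaryKeys {
    param([string[]]$ColonLines)
    foreach ($line in $ColonLines) {
        $f = $line -split ':'
        # Only primary public keys decide deletion; a "sub:e" record
        # (expired subkey) on a live primary must not drag it along.
        if ($f[0] -ne 'pub') { continue }
        $status = switch ($f[1]) {
            'r' { 'revoked' }
            'e' { 'expired' }
            default { $null }
        }
        if ($status) {
            [pscustomobject]@{ KeyId = $f[4]; Status = $status }
        }
    }
}

# Constructed sample of `--with-colons --list-keys` output: an expired
# key, a revoked key, and a valid key that only has an expired subkey.
$sample = @(
    'pub:e:2048:1:0123456789ABCDEF:1388534400:1420070400::-:::scESC::::::23::0:',
    'uid:e::::1388534400::HASH::One (constructed) <one@example.invalid>::::::::::0:',
    'pub:r:4096:1:FEDCBA9876543210:1400000000:::-:::scESC::::::23::0:',
    'uid:r::::1400000000::HASH::Two (constructed) <two@example.invalid>::::::::::0:',
    'pub:u:4096:1:1111222233334444:1500000000:::u:::scESC::::::23::0:',
    'uid:u::::1500000000::HASH::Three (constructed) <three@example.invalid>::::::::::0:',
    'sub:e:4096:1:5555666677778888:1500000000:1500100000:::::e::::::23:'
)

$dead = Get-DeadPrimaryKeys -ColonLines $sample
$dead | Format-Table -AutoSize

# Same 2.0/2.1-compatible secret-key check as the script: a secret key
# is dead only if its key ID is in the dead public list. Against a real
# keyring, $secretSample would come from
#   & $gpg --with-colons --list-secret-keys $dead.KeyId
$secretSample = @(
    'sec:-:2048:1:0123456789ABCDEF:1388534400:1420070400:::::::::',
    'sec:-:4096:1:1111222233334444:1500000000::::::::::'
)
$deadSecret = $secretSample | ForEach-Object { ($_ -split ':')[4] } |
    Where-Object { $dead.KeyId -contains $_ }
# Feed $deadSecret to --delete-secret-keys first, then $dead.KeyId to
# --delete-keys, in the same order the script uses.
```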
