Expiration not exported, bad signatures

Hi,

I started using my current GnuPG key in 2021 and extend the expiration every year. The key was created on a Linux system and the private keys were exported to a Yubikey (and deleted from disk afterwards).

When I tried to extend the expiration in 2024 something seems to be broken:

  1. I see a message about bad signatures on gpg --edit-key <fpr>
  2. I can update the expiration date and gnupg shows the correct date, e.g. in gpg --edit-key <fpr> or in gpg -K <fpr>, but exports seem to contain the old and expired date. To test that, I created a new, temporary gnupg home dir, imported the “updated” pubkey, and gpg shows me an old expiration date here.

I’ll add some information below.

hoping anyone can help,
best regards,
$user

.gnupg/gpg.conf

~/.gnupg/gpg.conf

default-key
hidden-encrypt-to

keyserver hkps://keys.openpgp.org
keyserver-options auto-key-retrieve include-revoked

use-agent

no-emit-version

require-cross-certification

no-greeting
charset utf-8
utf8-strings
debug-level none

fixed-list-mode
keyid-format long

# doubled on purpose

with-fingerprint
with-fingerprint
verify-options show-uid-validity
list-options show-uid-validity
personal-cipher-preferences AES TWOFISH CAMELLIA256 CAMELLIA192 AES192 CAMELLIA128
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed
digest-algo SHA512
cipher-algo AES
cert-digest-algo SHA512
s2k-cipher-algo AES256
s2k-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES BZIP2 ZLIB ZIP Uncompressed
disable-cipher-algo IDEA 3DES CAST5
disable-pubkey-algo DSA ECDH ECDSA
no-comments
ignore-time-conflict
allow-freeform-uid

sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g

gpg --version

gpg (GnuPG) 2.4.7
libgcrypt 1.11.0-unknown
Copyright (C) 2024 g10 Code GmbH
License GNU GPL-3.0-or-later https://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/me/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

gpg -K

/home/user/.gnupg/pubring.kbx

sec> ed25519/ 2021-10-01 [CA] [expires: 2025-09-30]
Key fingerprint = <fpr of my “root” key>
Card serial no. =
uid [ultimate] <uid 1>
uid [ultimate] <uid 2>
uid [ultimate] <uid 3>
ssb> cv25519/ 2021-10-01 [E] [expires: 2025-09-30]
Key fingerprint =
Card serial no. =
ssb> ed25519/<short fpr> 2021-10-01 [S] [expires: 2025-09-30]
Key fingerprint =
Card serial no. =

gpg --edit-key
$ gpg --edit-key <fpr of my “root” key>
gpg: key <short fpr of my “root” key>: 6 bad signatures
gpg: key <short fpr of my “root” key>: Warning: errors found and only checked self-signatures, run ‘check’ to check all signatures.
Secret key is available.

sec ed25519/<short fpr of my “root” key>
created: 2021-10-01 expires: 2025-09-30 usage: CA
card-no:
trust: ultimate validity: ultimate
ssb cv25519/
created: 2021-10-01 expires: 2025-09-30 usage: E
card-no:
ssb ed25519/
created: 2021-10-01 expires: 2025-09-30 usage: S
card-no:
[ultimate] (1). <uid 1>
[ultimate] (2) <uid 2>
[ultimate] (3) <uid 3>

gpg> check
key <short fpr of my “root” key>: 6 bad signatures

Hi!

Please run
gpg --check-sigs -v YOURFINGERPRINT
to see which signatures are bad. Are these self-signatures?

Are you using an upstream version of something from your distro?
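
The export test described in the first post (export the public key, import it into a fresh home directory, compare expiration dates), as an added example that is not part of the thread. The function names `compare_expiry`, `check_export` and `demo` are chosen here, and the sample listings are constructed.

```sh
#!/bin/sh
# Added example. In `gpg --with-colons` output, field 1 is the record type,
# field 5 the key ID and field 7 the expiration time (epoch seconds, empty = never).

# compare_expiry LIVE EXPORTED: print every key whose expiry differs between
# the two listing files; exit status 1 if any differ, 0 otherwise.
compare_expiry() {
    awk -F: '
        $1 != "pub" && $1 != "sub" { next }
        { e = ($7 == "" ? "never" : $7) }
        FNR == NR { live[$5] = e; next }
        ($5 in live) && live[$5] != e {
            printf "%s keyring=%s export=%s\n", $5, live[$5], e
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# check_export FPR: export from the working keyring, import into a throwaway
# home directory, then compare the two listings (needs gpg installed).
check_export() {
    tmp=$(mktemp -d) || return 2
    gpg --with-colons --list-keys "$1" > "$tmp/live.txt"
    gpg --export "$1" | gpg --homedir "$tmp" --batch --quiet --import
    gpg --homedir "$tmp" --with-colons --list-keys "$1" > "$tmp/export.txt"
    compare_expiry "$tmp/live.txt" "$tmp/export.txt"; rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample listings: key IDs and timestamps are made up.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' \
      'pub:u:255:22:1111111111111111:1633046400:1759190400::u:::cC:' \
      'sub:u:255:18:2222222222222222:1633046400:1759190400:::::e:' \
      'sub:u:255:22:3333333333333333:1633046400:1759190400:::::s:' > "$d/live.txt"
    printf '%s\n' \
      'pub:-:255:22:1111111111111111:1633046400:1727654400::-:::cC:' \
      'sub:-:255:18:2222222222222222:1633046400:1759190400:::::e:' \
      'sub:e:255:22:3333333333333333:1633046400:1727654400:::::s:' > "$d/export.txt"
    compare_expiry "$d/live.txt" "$d/export.txt"; rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ $# -ge 1 ]; then check_export "$1"; else demo || echo "export is stale"; fi
```

Run with a fingerprint as the only argument to test a real key; without arguments it runs on the constructed sample.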