Expiration not exported, bad signatures

Hi,

I started using my current GnuPG key in 2021 and extend the expiration every year. The key was created on a Linux system and the private keys were exported to a Yubikey (and deleted from disk afterwards).

When I tried to extend the expiration in 2024 something seems to be broken:

  1. I see a message about bad signatures on gpg --edit-key <fpr>
  2. I can update the expiration date and gnupg shows the correct date, e.g. in gpg --edit-key <fpr> or in gpg -K <fpr>, but exports seem to contain the old and expired date. To test that, I created a new, temporary gnupg home dir, imported the “updated” pubkey, and gpg shows me an old expiration date here.

I’ll add some information below.

hoping anyone can help,
best regards,
$user

.gnupg/gpg.conf

~/.gnupg/gpg.conf

default-key
hidden-encrypt-to

keyserver hkps://keys.openpgp.org
keyserver-options auto-key-retrieve include-revoked

use-agent

no-emit-version

require-cross-certification

no-greeting
charset utf-8
utf8-strings
debug-level none

fixed-list-mode
keyid-format long

doubled on purpose

with-fingerprint
with-fingerprint
verify-options show-uid-validity
list-options show-uid-validity
personal-cipher-preferences AES TWOFISH CAMELLIA256 CAMELLIA192 AES192 CAMELLIA128
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed
digest-algo SHA512
cipher-algo AES
cert-digest-algo SHA512
s2k-cipher-algo AES256
s2k-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES BZIP2 ZLIB ZIP Uncompressed
disable-cipher-algo IDEA 3DES CAST5
disable-pubkey-algo DSA ECDH ECDSA
no-comments
ignore-time-conflict
allow-freeform-uid

sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g

gpg --version

gpg (GnuPG) 2.4.7
libgcrypt 1.11.0-unknown
Copyright (C) 2024 g10 Code GmbH
License GNU GPL-3.0-or-later https://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/me/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

gpg -K

/home/user/.gnupg/pubring.kbx

sec> ed25519/ 2021-10-01 [CA] [expires: 2025-09-30]
Key fingerprint = <fpr of my “root” key>
Card serial no. =
uid [ultimate] <uid 1>
uid [ultimate] <uid 2>
uid [ultimate] <uid 3>
ssb> cv25519/ 2021-10-01 [E] [expires: 2025-09-30]
Key fingerprint =
Card serial no. =
ssb> ed25519/<short fpr> 2021-10-01 [S] [expires: 2025-09-30]
Key fingerprint =
Card serial no. =

gpg --edit-key
$ gpg --edit-key <fpr of my “root” key>
gpg: key <short fpr of my “root” key>: 6 bad signatures
gpg: key <short fpr of my “root” key>: Warning: errors found and only checked self-signatures, run ‘check’ to check all signatures.
Secret key is available.

sec ed25519/<short fpr of my “root” key>
created: 2021-10-01 expires: 2025-09-30 usage: CA
card-no:
trust: ultimate validity: ultimate
ssb cv25519/
created: 2021-10-01 expires: 2025-09-30 usage: E
card-no:
ssb ed25519/
created: 2021-10-01 expires: 2025-09-30 usage: S
card-no:
[ultimate] (1). <uid 1>
[ultimate] (2) <uid 2>
[ultimate] (3) <uid 3>

gpg> check
key <short fpr of my “root” key>: 6 bad signatures

Hi!

Please run
gpg --check-sigs -v YOURFINGERPRINT
to see which signatures are bad. Are these self-signatures?

Are you using an upstream version of something from your distro?
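
The check suggested above (which signatures are bad, and are they self-signatures?) and the original poster's export-and-reimport test both come down to reading gpg's machine-readable `--with-colons` output. The following script is an added example, not code from this thread or from GnuPG: it parses that colon format (field layout as documented in GnuPG's doc/DETAILS), compares the expiration each key carries in the local keyring against the copy imported into a temporary GNUPGHOME, and classifies bad signatures from `gpg --check-sigs --with-colons` as self-signatures or third-party signatures. All key IDs, fingerprints, dates and user IDs in the embedded listings are constructed placeholders, not the poster's data.

```python
"""Added example (not from the thread or from GnuPG): parse `gpg --with-colons`
listings to (a) see which expiration a key carries in two keyrings and
(b) tell bad self-signatures apart from bad third-party signatures.
Every listing below is constructed; none of it is real key material."""
from datetime import datetime, timezone

# Constructed stand-in for `gpg --with-colons -k <fpr>` in the local keyring.
# 1633046400 = 2021-10-01 UTC, 1759190400 = 2025-09-30 UTC (the extended date).
LOCAL_LISTING = """\
pub:u:256:22:0123456789ABCDEF:1633046400:1759190400::u:::cSCA::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1633046400::deadbeef::User One <user1@example.invalid>::::::::::0:
sub:u:256:18:FEDCBA9876543210:1633046400:1759190400:::::e::::::23:
"""

# Constructed stand-in for the same key after
#   gpg --export <fpr> | GNUPGHOME=$(mktemp -d) gpg --import
# followed by `gpg --with-colons -k` in that temporary home.
# 1727654400 = 2024-09-30 UTC (the old, already expired date).
EXPORTED_LISTING = """\
pub:-:256:22:0123456789ABCDEF:1633046400:1727654400::-:::cSCA::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1633046400::deadbeef::User One <user1@example.invalid>::::::::::0:
sub:-:256:18:FEDCBA9876543210:1633046400:1727654400:::::e::::::23:
"""

# Constructed stand-in for `gpg --check-sigs --with-colons <fpr>`. On a sig line
# field 2 is '!' good, '-' bad, '?' no public key, '%' other error; field 5 is
# the issuer key ID; field 11 is the signature class (13x positive cert,
# 18x subkey binding, 10x generic third-party cert).
CHECK_SIGS_LISTING = """\
pub:u:256:22:0123456789ABCDEF:1633046400:1759190400::u:::cSCA::::::23::0:
uid:u::::1633046400::deadbeef::User One <user1@example.invalid>::::::::::0:
sig:!::22:0123456789ABCDEF:1633046400::::User One <user1@example.invalid>:13x:::::::::
sig:-::22:0123456789ABCDEF:1727654400::::User One <user1@example.invalid>:13x:::::::::
sig:-::22:1111222233334444:1700000000::::Other Person <other@example.invalid>:10x:::::::::
sub:u:256:18:FEDCBA9876543210:1633046400:1759190400:::::e::::::23:
sig:-::22:0123456789ABCDEF:1727654400::::User One <user1@example.invalid>:18x:::::::::
"""

def parse_gpg_date(field):
    """gpg prints dates as seconds since the epoch or as YYYYMMDDTHHMMSS; empty = never."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)

def parse_colon_listing(text):
    """Turn each colon-separated record into a dict of the fields used here."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        get = lambda i: f[i] if i < len(f) else ""
        records.append({"type": get(0), "validity": get(1), "keyid": get(4),
                        "created": get(5), "expires": get(6), "uid": get(9),
                        "sigclass": get(10)})
    return records

def key_expirations(text):
    """Map key ID -> expiration datetime (None = never) for primary keys and subkeys."""
    return {r["keyid"]: parse_gpg_date(r["expires"])
            for r in parse_colon_listing(text)
            if r["type"] in ("pub", "sec", "sub", "ssb")}

def expiration_mismatches(local_text, exported_text):
    """Key IDs whose expiration differs between the two listings: {keyid: (local, exported)}."""
    local, exported = key_expirations(local_text), key_expirations(exported_text)
    return {k: (v, exported.get(k)) for k, v in local.items() if exported.get(k) != v}

def classify_bad_signatures(text):
    """Split bad ('-') signatures into those issued by the listed key itself and others."""
    primary, self_bad, other_bad = None, [], []
    for r in parse_colon_listing(text):
        if r["type"] in ("pub", "sec"):
            primary = r["keyid"]           # sig lines that follow belong to this key
        elif r["type"] == "sig" and r["validity"] == "-":
            (self_bad if r["keyid"] == primary else other_bad).append(r)
    return self_bad, other_bad

if __name__ == "__main__":
    for keyid, (local, exported) in expiration_mismatches(LOCAL_LISTING, EXPORTED_LISTING).items():
        print(f"{keyid}: local expires {local:%Y-%m-%d}, exported copy expires {exported:%Y-%m-%d}")
    self_bad, other_bad = classify_bad_signatures(CHECK_SIGS_LISTING)
    print(f"{len(self_bad)} bad self-signatures (classes {[s['sigclass'] for s in self_bad]}), "
          f"{len(other_bad)} bad third-party signatures")
```

To use it against a real key, feed the functions the output of `gpg --with-colons -k <fpr>` from the normal home and from the temporary GNUPGHOME, and of `gpg --check-sigs --with-colons <fpr>`; a key that lists the new date locally but the old one after export, together with bad self-signatures of class 13x or 18x, is exactly the pattern the thread describes, and the classes tell you whether it is the user-ID self-signatures or the subkey binding signatures that fail.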

Hi,
sorry for my large delay.
I tested your command, all bad signatures are self-signatures.

I’m using gnupg-2.4.7 out of the Gentoo/Linux package repo, without any additional patching from my side.

Gentoo applies two patches for that version that seem unrelated to my problem:

@dd9jn Pinging you again using at least 20 characters. :slight_smile:

FYI, I don’t expect any further reaction here and will try other gpg software instead of gnupg.

I’m sorry that you’re not happy about the community support here. Hint for others in the future: Werner seldom answers on the forum, the better option to get feedback from him is to write to the gnupg-users mailing list.
