Hi,
I started using my current GnuPG key in 2021 and extend the expiration every year. The key was created on a Linux system and the private keys were exported to a Yubikey (and deleted from disk afterwards).
When I tried to extend the expiration in 2024 something seems to be broken:
- I see a message about bad signatures on gpg --edit-key <fpr>
- I can update the expiration date and gnupg shows the correct date, e.g. in gpg --edit-key <fpr> or in gpg -K <fpr>, but exports seem to contain the old and expired date. To test that, I created a new, temporary gnupg home dir, imported the “updated” pubkey, and gpg shows me an old expiration date here.
I’ll add some information below.
hoping anyone can help,
best regards,
$user
.gnupg/gpg.conf
~/.gnupg/gpg.conf
default-key
hidden-encrypt-to
keyserver hkps://keys.openpgp.org
keyserver-options auto-key-retrieve include-revoked
use-agent
no-emit-version
require-cross-certification
no-greeting
charset utf-8
utf8-strings
debug-level none
fixed-list-mode
keyid-format long
# doubled on purpose
with-fingerprint
with-fingerprint
verify-options show-uid-validity
list-options show-uid-validity
personal-cipher-preferences AES TWOFISH CAMELLIA256 CAMELLIA192 AES192 CAMELLIA128
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed
digest-algo SHA512
cipher-algo AES
cert-digest-algo SHA512
s2k-cipher-algo AES256
s2k-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES BZIP2 ZLIB ZIP Uncompressed
disable-cipher-algo IDEA 3DES CAST5
disable-pubkey-algo DSA ECDH ECDSA
no-comments
ignore-time-conflict
allow-freeform-uid
sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g
gpg --version
gpg (GnuPG) 2.4.7
libgcrypt 1.11.0-unknown
Copyright (C) 2024 g10 Code GmbH
License GNU GPL-3.0-or-later https://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/me/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
gpg -K
/home/user/.gnupg/pubring.kbx
sec> ed25519/ 2021-10-01 [CA] [expires: 2025-09-30]
Key fingerprint = <fpr of my “root” key>
Card serial no. =
uid [ultimate] <uid 1>
uid [ultimate] <uid 2>
uid [ultimate] <uid 3>
ssb> cv25519/ 2021-10-01 [E] [expires: 2025-09-30]
Key fingerprint =
Card serial no. =
ssb> ed25519/<short fpr> 2021-10-01 [S] [expires: 2025-09-30]
Key fingerprint =
Card serial no. =
gpg --edit-key
$ gpg --edit-key <fpr of my “root” key>
gpg: key <short fpr of my “root” key>: 6 bad signatures
gpg: key <short fpr of my “root” key>: Warning: errors found and only checked self-signatures, run ‘check’ to check all signatures.
Secret key is available.
sec ed25519/<short fpr of my “root” key>
created: 2021-10-01 expires: 2025-09-30 usage: CA
card-no:
trust: ultimate validity: ultimate
ssb cv25519/
created: 2021-10-01 expires: 2025-09-30 usage: E
card-no:
ssb ed25519/
created: 2021-10-01 expires: 2025-09-30 usage: S
card-no:
[ultimate] (1). <uid 1>
[ultimate] (2) <uid 2>
[ultimate] (3) <uid 3>
gpg> check
key <short fpr of my “root” key>: 6 bad signatures
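
The check described in the post (import the exported public key into a fresh GnuPG home and compare expiration dates), as an added example that is not part of the original post: it compares field 7 (expiration) of the `--with-colons` listings from both keyrings. The function names, file names, key IDs and timestamps are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: compare key expirations between the working keyring and a
# fresh GNUPGHOME that only saw the exported public key.
# Colon listing fields used: 1 = record type, 5 = key ID, 7 = expiration
# (seconds since epoch, empty when the key does not expire).

# Print one line per primary key/subkey whose expiration differs.
expiry_mismatches() {  # $1 = listing from working keyring, $2 = from fresh home
    awk -F: '
        $1 != "pub" && $1 != "sub" { next }
        FNR == NR { local_exp[$5] = $7; next }
        ($5 in local_exp) && local_exp[$5] != $7 {
            printf "%s local=%s exported=%s\n", $5, local_exp[$5], $7
        }' "$1" "$2"
}

# Produce both listings for a real key (needs gpg; not run by the demo).
collect_listings() {  # $1 = fingerprint, $2 = existing output directory
    tmp=$(mktemp -d) || return 1
    gpg --with-colons --list-keys "$1" > "$2/local.txt"
    gpg --export "$1" | gpg --homedir "$tmp" --quiet --import
    gpg --homedir "$tmp" --with-colons --list-keys "$1" > "$2/fresh.txt"
    rm -rf "$tmp"
}

# Constructed sample listings (key IDs and timestamps are made up).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/local.txt" <<'EOF'
pub:u:255:22:AAAAAAAAAAAAAAA1:1633046400:1759190400::u:::cC:::::ed25519:::0:
sub:u:255:18:AAAAAAAAAAAAAAA2:1633046400:1759190400:::::e:::::cv25519::
sub:u:255:22:AAAAAAAAAAAAAAA3:1633046400:1759190400:::::s:::::ed25519::
EOF
    cat > "$d/fresh.txt" <<'EOF'
pub:e:255:22:AAAAAAAAAAAAAAA1:1633046400:1727654400::-:::cC:::::ed25519:::0:
sub:e:255:18:AAAAAAAAAAAAAAA2:1633046400:1727654400:::::e:::::cv25519::
sub:-:255:22:AAAAAAAAAAAAAAA3:1633046400:1759190400:::::s:::::ed25519::
EOF
    expiry_mismatches "$d/local.txt" "$d/fresh.txt"
    rm -rf "$d"
}

demo
```

A key ID listed by `expiry_mismatches` means the self-signature carrying the new expiration for that key did not make it into the export.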