"Key Expiration Time" signatures are not respected by GnuPG

gkostov · January 7, 2026, 9:56am

I have a key with the following dump:

:public key packet:
version 4, algo 1, **created 1420193214**, expires 0
pkey\[0\]: A3E2106A...
pkey\[1\]: 010001
keyid: B1E65ECD6670927B
# off=272 ctb=b4 tag=13 hlen=2 plen=39
:user ID packet: "XXX"
# off=313 ctb=89 tag=2 hlen=3 plen=340
:signature packet: algo 1, keyid B1E65ECD6670927B
version 4, created 1647258127, md5len 0, sigclass 0x13
digest algo 10, begin of digest 5a 28
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 2 len 4 (sig created 2022-03-14)
**hashed subpkt 9 len 4 (key expires after 8y350d1h35m)**

Strangely Kleopatra/GnuPG shows the key as “Valid forever”

but it should be expired, because : created 1420193214 = Fri Jan 02 2015 + 8y350d1h35m == Mar 2023)

Isn’t this a bug in GnuPG/Kleopatra ?

swagner · January 7, 2026, 9:58am

One of the subkeys is expired, but not the main key. The main key is valid forever.

gkostov · January 7, 2026, 10:34am

Sorry, I don’t think this is true. The mentioned signature is part of the Master key (self-signature). The complete dump of the signature is (B1E65ECD6670927B is the Master key):

:signature packet: algo 1, keyid B1E65ECD6670927B
version 4, created 1647258127, md5len 0, sigclass 0x13
digest algo 10, begin of digest 5a 28
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (keyserver preferences: 80)
hashed subpkt 33 len 21 (issuer fpr v4 7B2B5A122EA7C262AB72B5E0B1E65ECD6670927B)
hashed subpkt 2 len 4 (sig created 2022-03-14)
hashed subpkt 9 len 4 (key expires after 8y350d1h35m)
subpkt 16 len 8 (issuer key ID B1E65ECD6670927B)
data: 360F67AFEB0DFD2ABD916E6885FA705CE786B85FB0A9D6E4CECB809FD451714B07499A3F02F15E9448B2E2B85DA0C42F46A6C0B475C8B9310491CEAF87C6FD74716B4BA51A092BD6068D59E6E5EC087802A2E9C21CE3FE3733E8E2D9BF69680D6A9367CFE81FFB41E9D7B3E000A72BC27EB7CC81482EFEE490770A753A855A25BD898D0C98CABD9DD16478C49CE65F963CFD1DB5C03F9C16610D6CBAE6396C4DE0BCE41D211271F0BEC013DC3A40E570DA52E5C11FFAEB0463968AC990832BB3FADA3193AE43AD9F17CA69AAFAC89ABCACCCC183D15822325E014522C7FF835449A234622AB733237EF905E0A62496549FE8F76657B7769F67D4CC3516CB5DC6

eebb · January 7, 2026, 11:39am

And Kleopatra shows only the main key in the certificate list. For info on the subkeys open the certificate details.

gkostov · January 7, 2026, 11:46am

The mentioned signature is part of the Master key (self signature, B1E65ECD6670927B is the master key). I don’t think it is related to a subkey. Somehow GnuPG/Kleopatra ignores it

:signature packet: algo 1, keyid B1E65ECD6670927B
version 4, created 1647258127, md5len 0, sigclass 0x13
digest algo 10, begin of digest 5a 28
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (keyserver preferences: 80)
hashed subpkt 33 len 21 (issuer fpr v4 7B2B5A122EA7C262AB72B5E0B1E65ECD6670927B)
hashed subpkt 2 len 4 (sig created 2022-03-14)
hashed subpkt 9 len 4 (key expires after 8y350d1h35m)
subpkt 16 len 8 (issuer key ID B1E65ECD6670927B)