Page MenuHome GnuPG

Subkey expiring breaks other subkeys
Closed, WontfixPublic


If key contains more than one subkey, and I edit non-first subkey, GPG breaks
first subkey signature. At first look everything seems OK, all keys are valid
and works. But if you try to export-import, GPG will filter broken first
subkey. Expiration date of edited key stays unchanged.

I've made key with 3 subkeys and exported it to original.asc. Then I've
imported this file 3 times, expire one subkey and export whole key. Now if you
try to import it - you will get expected behavior with first file and erroneous
in others.

I suppose that GPG always edit first subkey signature, not corresponding one.

I've attached my test files, password "test".


1.4.16, 2.0.22

Event Timeline

NoN set Version to 1.4.11 (d64aa7).

Please explain in detail (step by step), what you did. What OS are you using?

I'm using Linux Mint 12 Lisa, and I've tested on built-in 1.4.11 and on custom
built latest revision in repository - d64aa7.

  1. I've created key with Primary key (P0), and 3 subkeys (S1, S2, S3). Export

this key for further tests.

  1. Change expiration date of first subkey (S1). Everything seems OK.
  2. Export whole key, remove it from gpg, import again - Everything is OK.
  3. Back to step 2 - remove key, import original one.
  4. Change expiration date of second or third subkey (S2, S3). Everything seems

OK again.

  1. Export whole key, remove it from gpg, import again - we've missed S1 subkey,

and expiration date of changed subkey left as in step 1.

I've analyzed changes on each step via gpgsplit. My conclusion: GPG always edit
S1 subkey signature. Editing non-first subkey (S2, S3, S4…) edits (breaks) S1
signature. S2¸ S3… signatures leaved unchanged. GPG checks subkey signature
only at import. User doesn't know about subkeys breakage until he reexport it.

Do you need more information, or you can confirm and reproduce bug with given

werner set Due Date to Nov 30 2012, 1:00 AM.Nov 8 2012, 5:26 PM

I just tried following the steps using gpg2 (2.1.9) and I can't reproduce the
problem. It would be good if we had an exact sequence of commands that
reproduced the problem.

Thank you for quick response)

I couldn't build and test 2.1.9 right now, but bug is still here in 1.4.16 and

I've created test script for this case:

Run ./ in some working folder and then try ./ several times,
expire different subkeys, compare the result.

NoN changed Version from 1.4.11 (d64aa7) to 1.4.16, 2.0.22.Nov 23 2015, 12:26 AM
marcus claimed this task.
marcus added a project: Too Old.
marcus added a subscriber: marcus.

I have verified that it works fine in 2.1.21. I did not test 2.0.30, but that's very old, just use the latest 2.1.x version. gpg 1.4 also only receives critical fixes.

Btw, if you want to use the test script, you have to use "gpg2 --keyid-format short".

That's fine. The 2.0 branch will reach EOL in 6 months and we will
probably only do a last maintenance release. No need to backport this
fix, though.