
Wrong error message when key is expired
Open, Normal, Public


When a key is expired, the command to sign a message generates an error message saying the secret key is not found, instead of public key expired.

# gpg --list-secret-keys 0x51F72B6A45D40BBE
sec#  rsa4096 2017-09-27 [SC] [expired: 2019-01-01]
uid           [ expired] Cozy Debian signing key

# echo test | gpg --no-autostart --clearsign --default-key 0x51F72B6A45D40BBE
gpg: Warning: not using '0x51F72B6A45D40BBE' as default key: No secret key
gpg: all values passed to '--default-key' ignored
gpg: no default secret key: No secret key
gpg: [stdin]: clear-sign failed: No secret key

Using an exported GPG agent (/run/user/1000/gnupg/S.gpg-agent.extra mounted to /run/user/0/gnupg/S.gpg-agent)

Host side:

gpg --version
gpg (GnuPG) 2.2.17
libgcrypt 1.8.5

Guest side:

# gpg --version
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4

Event Timeline

dkg added a subscriber: dkg.

FWIW, I can reproduce this on Debian unstable with gpg version 2.2.17, without a redirected agent -- so the agent redirection isn't relevant here.

2 dkg@alice:/tmp/cdtemp.gNlTfp$ gpg --list-secret-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
sec   rsa3072 2016-01-01 [SC] [expired: 2017-12-31]
uid           [ expired] test key

0 dkg@alice:/tmp/cdtemp.gNlTfp$ echo test | gpg --clearsign
gpg: no default secret key: No secret key
gpg: [stdin]: clear-sign failed: No secret key
2 dkg@alice:/tmp/cdtemp.gNlTfp$

It would be great to have a less misleading error message.

You mean the default key is expired?

yep, the implementation thinks that the default signing key is expired due to metadata contained in the public keyring. The secret key is available to the implementation. So the error message "No secret key" can cause confusion and/or panic if the user thinks they've actually lost their secret key.

As the OP suggests, it would be better to have an error message like "Public key expired".
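Until gpg itself reports the real cause, the machine-readable listing can tell the cases apart that the human-readable "No secret key" message conflates. The following is an added example, not code from this task or from GnuPG: a POSIX sh function that reads `gpg --batch --with-colons --list-secret-keys <keyid>` output on stdin and classifies the key as usable, expired, revoked, a stub with no secret material available to the agent, or absent. It assumes the colon-record layout documented in GnuPG's doc/DETAILS (field 1 record type, field 2 validity, field 5 key ID, field 7 expiry as epoch seconds, field 15 "#" for a stub); the sample records below are constructed to resemble the OP's key and are not real gpg output.

```shell
#!/bin/sh
# classify_signing_key: read a --with-colons secret-key listing on stdin and
# print one line explaining whether signing with it can work.
# Exit codes: 0 usable, 1 no secret key at all, 2 expired, 3 revoked,
#             4 only a stub (secret material not available to this agent).
# Layout assumed from GnuPG doc/DETAILS: $1 type, $2 validity ("e" expired,
# "r" revoked), $5 key ID, $7 expiry (epoch seconds), $15 "#" for a stub.
classify_signing_key() {
  awk -F: '
    $1 == "sec" {
      if ($15 == "#")     { stub++ }
      else if ($2 == "e") { expired++; exp_id = $5; exp_ts = $7 }
      else if ($2 == "r") { revoked++ }
      else                { usable++; ok_id = $5 }
    }
    END {
      # Prefer a usable key if several sec records were listed.
      if (usable)  { print "USABLE " ok_id; exit 0 }
      if (expired) { print "EXPIRED " exp_id " expired_at=" exp_ts; exit 2 }
      if (revoked) { print "REVOKED"; exit 3 }
      if (stub)    { print "STUB_ONLY secret key not available to this agent"; exit 4 }
      print "NO_SECRET_KEY"; exit 1
    }'
}

# Constructed sample modelled on the OP's expired key (not real gpg output).
SAMPLE_EXPIRED='sec:e:4096:1:51F72B6A45D40BBE:1506470400:1546300800::u:::scESC::::::
uid:e::::1506470400::0000000000000000000000000000000000000000::Cozy Debian signing key::::::::::0:'

# Typical use (real key):
#   gpg --batch --with-colons --list-secret-keys 0x51F72B6A45D40BBE | classify_signing_key
printf '%s\n' "$SAMPLE_EXPIRED" | classify_signing_key || echo "signing would fail (exit $?)"
```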

werner triaged this task as Normal priority. Sep 10 2019, 4:17 PM
werner edited projects, added gnupg (gpg23); removed gnupg (gpg22).