Wrong error message when key is expired
Open, Normal, Public

Description

When a key is expired, the command to sign a message generates an error message saying the secret key is not found, instead of public key expired.

# gpg --list-secret-keys 0x51F72B6A45D40BBE
sec#  rsa4096 2017-09-27 [SC] [expired: 2019-01-01]
      B44072EBDE14FC828F69F20651F72B6A45D40BBE
uid           [ expired] Cozy Debian signing key

# echo test | gpg --no-autostart --clearsign --default-key 0x51F72B6A45D40BBE
gpg: Warning: not using '0x51F72B6A45D40BBE' as default key: No secret key
gpg: all values passed to '--default-key' ignored
gpg: no default secret key: No secret key
gpg: [stdin]: clear-sign failed: No secret key

Using an exported GPG agent (/run/user/1000/gnupg/S.gpg-agent.extra mount to /run/user/0/gnupg/S.gpg-agent)

Host side:

gpg --version
gpg (GnuPG) 2.2.17
libgcrypt 1.8.5

Guest side:

# gpg --version
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4

Details

Version
2.2.12
aeris created this task. Sep 9 2019, 4:59 PM
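The "No secret key" message above conflates two different situations: the secret material is genuinely absent (a stub, shown as `sec#` in the listing) or it is present but the key has expired. The script below is an added example, not part of GnuPG or of this report; it tells the two apart by parsing the machine-readable `gpg --with-colons --list-secret-keys` output (field layout as documented in GnuPG's doc/DETAILS: validity in field 2, key ID in field 5, expiry in field 7, capabilities in field 12, and `#` in field 15 for a stub). The embedded listing is constructed for the example; it reuses the expired test key from dkg's reproduction below and adds two made-up keys (one stub, one live). Run it with no arguments to diagnose every secret key, or pass key IDs or fingerprints; when `gpg` is on PATH it reads your real keyring instead of the sample.

```python
"""Distinguish "secret key missing" from "secret key present but expired".

Added example, not GnuPG project code.  Parses `gpg --with-colons
--list-secret-keys` (format per GnuPG doc/DETAILS) instead of trusting the
"No secret key" message that gpg prints for an expired default key.
"""
import shutil
import subprocess
import sys
import time
from datetime import datetime, timezone

# 0-based positions of the doc/DETAILS fields used here.
F_TYPE, F_VALIDITY, F_KEYID, F_EXPIRES, F_FPR_OR_UID, F_CAPS, F_TOKEN = 0, 1, 4, 6, 9, 11, 14


def parse_secret_keys(colon_output, now=None):
    """Return one dict per primary secret key ("sec" record) in the listing."""
    now = time.time() if now is None else now
    keys, current, in_primary = [], None, False
    for line in colon_output.splitlines():
        fields = line.split(":")
        rtype = fields[F_TYPE]
        if rtype == "sec":
            exp = fields[F_EXPIRES]
            expires = int(exp) if exp.isdigit() else None  # empty field: never expires
            current = {
                "keyid": fields[F_KEYID],
                "fingerprint": None,
                "uids": [],
                "expires": expires,
                # gpg flags expired keys with validity 'e'; the timestamp check is a fallback.
                "expired": fields[F_VALIDITY] == "e" or (expires is not None and expires <= now),
                # '#' in the token field marks a stub: the secret material is not on this host.
                "secret_present": fields[F_TOKEN] != "#",
                # lowercase 's' means this primary key itself can sign.
                "can_sign": "s" in fields[F_CAPS],
            }
            keys.append(current)
            in_primary = True
        elif rtype == "ssb":
            in_primary = False  # following fpr records belong to the subkey, not the primary
        elif rtype == "fpr" and current and in_primary:
            current["fingerprint"] = fields[F_FPR_OR_UID]
        elif rtype == "uid" and current:
            current["uids"].append(fields[F_FPR_OR_UID])
    return keys


def diagnose(keys, wanted):
    """Explain why signing with `wanted` (key ID or fingerprint, optional 0x) would fail."""
    ident = wanted.upper()
    if ident.startswith("0X"):
        ident = ident[2:]
    for k in keys:
        if (k["fingerprint"] or "").endswith(ident) or k["keyid"].endswith(ident):
            if not k["secret_present"]:
                return "secret key is a stub (not available on this host)"
            if k["expired"]:
                if k["expires"] is None:
                    return "secret key present but expired"
                when = datetime.fromtimestamp(k["expires"], tz=timezone.utc).date()
                return f"secret key present but expired on {when.isoformat()}"
            if not k["can_sign"]:
                return "secret key present but has no signing capability"
            return "usable for signing"
    return "no such secret key in the keyring"


# Constructed sample listing: the expired test key from the report plus two made-up keys.
SAMPLE_LISTING = """\
sec:e:3072:1:C3CAA6BE05EEE643:1451606400:1514678400::u:::scESC:::+:::23::0:
fpr:::::::::3B3AF2A8D2B9F973C5C9453AC3CAA6BE05EEE643:
uid:e::::1451606400::0000000000000000000000000000000000000000::test key::::::::::0:
ssb:e:3072:1:1111111111111111:1451606400:1514678400:::::e:::+:::23:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC1111111111111111:
sec:u:255:22:0123456789ABCDEF:1546300800:::u:::scESC:::#:::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:
uid:u::::1546300800::1111111111111111111111111111111111111111::stub key (constructed)::::::::::0:
sec:u:255:22:FEDCBA9876543210:1546300800:::u:::scESC:::+:::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBFEDCBA9876543210:
uid:u::::1546300800::2222222222222222222222222222222222222222::live key (constructed)::::::::::0:
"""
SAMPLE_NOW = 1568000000  # 2019-09-09 UTC, roughly when the report was filed


def main(argv):
    if shutil.which("gpg"):
        out = subprocess.run(["gpg", "--batch", "--with-colons", "--list-secret-keys"],
                             capture_output=True, text=True, check=False).stdout
        keys = parse_secret_keys(out)
    else:
        keys = parse_secret_keys(SAMPLE_LISTING, now=SAMPLE_NOW)
    targets = argv[1:] or [k["keyid"] for k in keys]
    for target in targets:
        print(f"{target}: {diagnose(keys, target)}")


if __name__ == "__main__":
    main(sys.argv)
```

The stub check runs before the expiry check on purpose: a `sec#` entry cannot sign regardless of its dates, so reporting the missing material first avoids sending someone to renew a key they do not actually hold on that host.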
dkg added a subscriber: dkg.

fwiw, i can reproduce this on debian unstable with gpg version 2.2.17, without a redirected agent -- so the agent redirection isn't relevant here.

2 dkg@alice:/tmp/cdtemp.gNlTfp$ gpg --list-secret-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/tmp/cdtemp.gNlTfp/pubring.kbx
------------------------------
sec   rsa3072 2016-01-01 [SC] [expired: 2017-12-31]
      3B3AF2A8D2B9F973C5C9453AC3CAA6BE05EEE643
uid           [ expired] test key

0 dkg@alice:/tmp/cdtemp.gNlTfp$ echo test | gpg --clearsign
gpg: no default secret key: No secret key
gpg: [stdin]: clear-sign failed: No secret key
2 dkg@alice:/tmp/cdtemp.gNlTfp$

It would be great to have a less misleading error message.

werner added a subscriber: werner. Sep 9 2019, 5:09 PM

You mean the default key is expired?

dkg added a comment. Sep 10 2019, 3:15 PM

yep, the implementation thinks that the default signing key is expired due to metadata contained in the public keyring. The secret key is available to the implementation. So the error message No secret key can cause confusion and/or panic if the user thinks they've actually lost their secret key.

as the OP suggests, it would be better to have an error message like Public key expired.

werner triaged this task as Normal priority. Sep 10 2019, 4:17 PM
werner edited projects, added gnupg (gpg23); removed gnupg (gpg22).

Agreed.