
Wrong error message when key is expired
Closed, Resolved, Public

Description

When a key is expired, the command to sign a message generates an error message saying the secret key is not found, instead of public key expired.

# gpg --list-secret-keys 0x51F72B6A45D40BBE
sec#  rsa4096 2017-09-27 [SC] [expired: 2019-01-01]
      B44072EBDE14FC828F69F20651F72B6A45D40BBE
uid           [ expired] Cozy Debian signing key

# echo test | gpg --no-autostart --clearsign --default-key 0x51F72B6A45D40BBE
gpg: Warning: not using '0x51F72B6A45D40BBE' as default key: No secret key
gpg: all values passed to '--default-key' ignored
gpg: no default secret key: No secret key
gpg: [stdin]: clear-sign failed: No secret key

Using an exported GPG agent (/run/user/1000/gnupg/S.gpg-agent.extra mounted to /run/user/0/gnupg/S.gpg-agent)

Host side:

gpg --version
gpg (GnuPG) 2.2.17
libgcrypt 1.8.5

Guest side:

# gpg --version
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4

Details

Version
2.2.12
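Added example, not from this report and not GnuPG's own code: a POSIX shell helper that reads gpg's machine-readable `--with-colons` secret-key listing and reports whether the requested key is expired, revoked, usable or absent, so that a "No secret key" failure like the one above can be checked against the key's actual state. The listing embedded below is constructed sample output modelled on the report (the second key and its identifiers are made up); the field meanings (field 2 validity with `e` = expired and `r` = revoked, field 5 key ID, field 7 expiration) follow GnuPG's doc/DETAILS.

```shell
#!/bin/sh
# Classify why a --default-key might be unusable, using gpg's
# machine-readable listing instead of the human-oriented error text.
#
# Constructed sample of `gpg --with-colons --list-secret-keys` output:
# first key is the expired key from the report, second is a made-up valid key.
SAMPLE_LISTING='sec:e:4096:1:51F72B6A45D40BBE:1506470400:1546300800::u:::scESC:::+:::23::0:
fpr:::::::::B44072EBDE14FC828F69F20651F72B6A45D40BBE:
uid:e::::1506470400::0000000000000000000000000000000000000000::Cozy Debian signing key::::::::::0:
sec:-:3072:1:0123456789ABCDEF:1577836800:::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1577836800::1111111111111111111111111111111111111111::Constructed valid test key::::::::::0:'

# key_status LISTING KEY
#   LISTING: text of a --with-colons secret-key listing
#   KEY:     key ID (short or long, optional 0x prefix) or full fingerprint
# Prints exactly one word: expired, revoked, usable or missing.
key_status() {
    _listing=$1
    # Normalise the identifier: drop a 0x prefix, upper-case the hex digits.
    _id=$(printf '%s' "$2" | sed 's/^0[xX]//' | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$_listing" | awk -F: -v id="$_id" '
        BEGIN {
            # A fingerprint is longer than the 16-hex-digit long key ID
            # carried in field 5; keep only its last 16 digits for matching.
            if (length(id) > 16) id = substr(id, length(id) - 15)
        }
        # Match "sec" records whose key ID ends with the requested digits
        # (so 8-digit short IDs work as well as 16-digit long IDs).
        $1 == "sec" && substr($5, length($5) - length(id) + 1) == id {
            if ($2 == "e")      print "expired"
            else if ($2 == "r") print "revoked"
            else                print "usable"
            found = 1
            exit
        }
        END { if (!found) print "missing" }'
}

# Live use: feed the real listing instead of the constructed sample, e.g.
#   key_status "$(gpg --batch --with-colons --list-secret-keys 2>/dev/null)" 0x51F72B6A45D40BBE
if [ "${1:-}" ]; then
    key_status "$SAMPLE_LISTING" "$1"
fi
```

With the sample listing, querying the key from the report by its long ID or its full fingerprint yields `expired`, which is the state the 2.2.x message "No secret key" hides; the constructed second key yields `usable`, and an unknown ID yields `missing`. Because the check parses structured output rather than the localised error text, it behaves the same on 2.2.x and on the 2.4.x builds whose corrected message appears later in this task.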

Event Timeline

dkg added a subscriber: dkg.

fwiw, i can reproduce this on debian unstable with gpg version 2.2.17, without a redirected agent -- so the agent redirection isn't relevant here.

2 dkg@alice:/tmp/cdtemp.gNlTfp$ gpg --list-secret-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/tmp/cdtemp.gNlTfp/pubring.kbx
------------------------------
sec   rsa3072 2016-01-01 [SC] [expired: 2017-12-31]
      3B3AF2A8D2B9F973C5C9453AC3CAA6BE05EEE643
uid           [ expired] test key

0 dkg@alice:/tmp/cdtemp.gNlTfp$ echo test | gpg --clearsign
gpg: no default secret key: No secret key
gpg: [stdin]: clear-sign failed: No secret key
2 dkg@alice:/tmp/cdtemp.gNlTfp$

It would be great to have a less misleading error message.

You mean the default key is expired?

yep, the implementation thinks that the default signing key is expired due to metadata contained in the public keyring. The secret key is available to the implementation. So the error message "No secret key" can cause confusion and/or panic if the user thinks they've actually lost their secret key.

as the OP suggests, it would be better to have an error message like "Public key expired".

werner triaged this task as Normal priority. Sep 10 2019, 4:17 PM
werner edited projects, added gnupg (gpg23); removed gnupg (gpg22).

Agreed.

werner changed the task status from Open to Testing. Jan 11 2024, 3:54 PM
ebo claimed this task.
ebo added a subscriber: ebo.

In Gpg4win-4.3.0-beta571 with GnuPG 2.4.4-beta132:

>echo test | gpg --sign --default-key F8D51DE0EE16E9B57009B8DE458612006D8E6F0D
gpg: Warning: not using 'F8D51DE0EE16E9B57009B8DE458612006D8E6F0D' as default key: Key expired
gpg: all values passed to '--default-key' ignored
gpg: no default secret key: Unusable secret key
gpg: signing failed: Unusable secret key

ebo edited projects, added gnupg24 (gnupg-2.4.4); removed gnupg24.