Page MenuHome GnuPG

Kleopatra: "change validity" allows to set an expiry date in the past
Testing, HighPublic


Or more correct: seems to allow an expiry date in the past but sets one for current time (not date) which will expire in a minute.

How to reproduce:
Import (or generate) a testkey without expiry date.
Right-click -> "change vaildity date" -> vaid until -> click into the date and change it to one in the past by typing -> Ok

You get a success message, the listing in Kleopatra shows the current date as expiry date and "expired" (wait a bit or doubleclick on the certificate for the "expired" + red fontcolor to show up)

And contrary to the described new behavior in T6473, the "extended" key now has an explicitly set subkey expiry date.


[3772] org.kde.pim.kleopatra: expiry QDateTime(2023-06-04 23:59:00.000 Mitteleuropäische Sommerzeit Qt::LocalTime)
[3772] org.kde.pim.libkleo: "C:/Users/g10code.WIN-TEST3/AppData/Roaming/gnupg/private-keys-v1.d/7A62F95F55D026E06FD7449D6830D395AB44665E.key"
[3772] org.kde.pim.libkleo: newFiles ("C:/Users/g10code.WIN-TEST3/AppData/Roaming/gnupg/private-keys-v1.d/CAC536AACCFBF06B7482A87BDC72EFD9760777B3.key")
[3772] org.kde.pim.libkleo: adding
[3772]   "C:/Users/g10code.WIN-TEST3/AppData/Roaming/gnupg/private-keys-v1.d/CAC536AACCFBF06B7482A87BDC72EFD9760777B3.key" 
[3772] /end

debug lookup yields:

4 - 2023-06-05 17:34:18 gpg[7532]: Hinweis: Signaturschlüssel C5D6C919005F36A4 ist am 2023-06-05 15:34:08 verfallen



Event Timeline

werner triaged this task as High priority.Jun 9 2023, 10:41 AM
werner added a subscriber: werner.

High priority because I a fear that we will soon start to receive support questions related to this.

ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

We now show an error message when the user tries to set an invalid expiration date when changing the expiration date. Additionally,
the configured minimum and maximum validity period is now taken into account, i.e. for changing the expiration now the same rules are applied as for new certificates.

The changes also affect the generation of new OpenPGP certificates where the minimum possible expiration is now tomorrow instead of today (although it's possible that entering today as date manually is still accepted).

Moreover, the maximum allowed expiration date is now 2106-02-05 (if no earlier upper limit is configured). (This seemingly arbitray limit is a technical limit of v4 certificates.)

And the default expiration date should now always be forced into the allowed range everywhere where it's used.

ikloecker changed the task status from Open to Testing.Jul 27 2023, 6:54 PM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a subscriber: ikloecker.

This issue should be tested together with T6621: Kleopatra: Remove "in n days/weeks/months/years" input from Change Validity Period dialog.

The handling of the expiration date has been further unified when

  • generating a new OpenPGP certificate
  • changing the validity period of an OpenPGP certificate
  • certifying an OpenPGP certificate

It should no longer be possible to use an expiration date outside of the allowed range. Note that the allowed range for the expiration date for certifications is always between tomorrow and the technical upper limit (2106-02-05). Or no expiration.

There are still a few differences, e.g. in the Certification dialog the OK button is disabled if the date is invalid. Also the date input should be highlighted if it contains an invalid value, but that's something we should improve in all of Kleopatra.

Yes I think that can be safely backported to gpg4win/23.07

Especially since it thematically matches our improved expiration date handling in that version. And this could even be considered a bugfix.