Page MenuHome GnuPG
Create Task
Maniphest T6519

Kleopatra: "change validity" allows to set an expiry date in the past
Closed, ResolvedPublic
Actions

Description

Or more correct: seems to allow an expiry date in the past but sets one for current time (not date) which will expire in a minute.

How to reproduce:
Import (or generate) a testkey without expiry date.
Right-click -> "change vaildity date" -> vaid until -> click into the date and change it to one in the past by typing -> Ok

You get a success message, the listing in Kleopatra shows the current date as expiry date and "expired" (wait a bit or doubleclick on the certificate for the "expired" + red fontcolor to show up)

And contrary to the described new behavior in T6473, the "extended" key now has an explicitly set subkey expiry date.

Debugview:

[3772] org.kde.pim.kleopatra: expiry QDateTime(2023-06-04 23:59:00.000 Mitteleuropäische Sommerzeit Qt::LocalTime)
[3772] org.kde.pim.libkleo: "C:/Users/g10code.WIN-TEST3/AppData/Roaming/gnupg/private-keys-v1.d/7A62F95F55D026E06FD7449D6830D395AB44665E.key"
[3772] org.kde.pim.libkleo: newFiles ("C:/Users/g10code.WIN-TEST3/AppData/Roaming/gnupg/private-keys-v1.d/CAC536AACCFBF06B7482A87BDC72EFD9760777B3.key")
[3772] org.kde.pim.libkleo: adding
[3772]   "C:/Users/g10code.WIN-TEST3/AppData/Roaming/gnupg/private-keys-v1.d/CAC536AACCFBF06B7482A87BDC72EFD9760777B3.key" 
[3772] /end

debug lookup yields:

4 - 2023-06-05 17:34:18 gpg[7532]: Hinweis: Signaturschlüssel C5D6C919005F36A4 ist am 2023-06-05 15:34:08 verfallen

Details

Version
Gpg4win-4.2.0-beta339

Revisions and Commits

rKLEOPATRA Kleopatra
rKLEOPATRAfb8d970115ac Check for valid expiration date when creating new OpenPGP certificate
rKLEOPATRAc30cedf713aa Do not rely on maximum date of combo box for unlimited validity
rKLEOPATRAc9fb37509edc Fix the check for a valid expiration date
rKLEOPATRA33555baaaeed Connect to the overriding accept
rKLEOPATRAc17ab82b9add Show an error message when the user enters an invalid expiration date
rKLEOPATRA887c68889877 Use same logic when changing expiration date as for new certificates
rKLEOPATRA625aa531193a Restrict the maximum allowed expiration date
rKLEOPATRAdef2829b42bb Take allowed range into account for default expiration date
rKLEOPATRA5356456df30f Extract the setup of the expiration combo box

Related Objects
Search...

Event Timeline

ebo created this task.Jun 5 2023, 6:16 PM
werner triaged this task as High priority.Jun 9 2023, 10:41 AM
werner added a subscriber: werner.

High priority because I a fear that we will soon start to receive support questions related to this.

ebo added a parent task: T6553: Kleopatra: Expiry date issues and improvements.Jun 22 2023, 1:55 PM
ikloecker claimed this task.Jul 27 2023, 1:38 PM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a commit: rKLEOPATRA5356456df30f: Extract the setup of the expiration combo box.Jul 27 2023, 6:17 PM
ikloecker added a commit: rKLEOPATRAdef2829b42bb: Take allowed range into account for default expiration date.
ikloecker added a commit: rKLEOPATRA625aa531193a: Restrict the maximum allowed expiration date.
ikloecker added a commit: rKLEOPATRA887c68889877: Use same logic when changing expiration date as for new certificates.
ikloecker added a commit: rKLEOPATRAc17ab82b9add: Show an error message when the user enters an invalid expiration date.
ikloecker added a comment.Jul 27 2023, 6:45 PM

We now show an error message when the user tries to set an invalid expiration date when changing the expiration date. Additionally,
the configured minimum and maximum validity period is now taken into account, i.e. for changing the expiration now the same rules are applied as for new certificates.

The changes also affect the generation of new OpenPGP certificates where the minimum possible expiration is now tomorrow instead of today (although it's possible that entering today as date manually is still accepted).

Moreover, the maximum allowed expiration date is now 2106-02-05 (if no earlier upper limit is configured). (This seemingly arbitray limit is a technical limit of v4 certificates.)

And the default expiration date should now always be forced into the allowed range everywhere where it's used.

ikloecker changed the task status from Open to Testing.Jul 27 2023, 6:54 PM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker removed ikloecker as the assignee of this task.Jul 28 2023, 9:42 AM
ikloecker added a subscriber: ikloecker.
ikloecker added a commit: rKLEOPATRA33555baaaeed: Connect to the overriding accept.Jul 28 2023, 12:54 PM
ikloecker added a commit: rKLEOPATRAc9fb37509edc: Fix the check for a valid expiration date.
ikloecker added a commit: rKLEOPATRAc30cedf713aa: Do not rely on maximum date of combo box for unlimited validity.
ikloecker added a commit: rKLEOPATRAfb8d970115ac: Check for valid expiration date when creating new OpenPGP certificate.
ikloecker mentioned this in T6621: Kleopatra: Remove "in n days/weeks/months/years" input from Change Validity Period dialog.Jul 28 2023, 12:57 PM
ikloecker added a comment.EditedJul 28 2023, 1:01 PM

This issue should be tested together with T6621: Kleopatra: Remove "in n days/weeks/months/years" input from Change Validity Period dialog.

The handling of the expiration date has been further unified when

  • generating a new OpenPGP certificate
  • changing the validity period of an OpenPGP certificate
  • certifying an OpenPGP certificate

It should no longer be possible to use an expiration date outside of the allowed range. Note that the allowed range for the expiration date for certifications is always between tomorrow and the technical upper limit (2106-02-05). Or no expiration.

There are still a few differences, e.g. in the Certification dialog the OK button is disabled if the date is invalid. Also the date input should be highlighted if it contains an invalid value, but that's something we should improve in all of Kleopatra.

ikloecker added a subscriber: aheinecke.Aug 4 2023, 1:33 PM

@aheinecke Backport to gpg4win/23.07?

aheinecke added a project: backport.Aug 9 2023, 11:35 AM

Yes I think that can be safely backported to gpg4win/23.07

Especially since it thematically matches our improved expiration date handling in that version. And this could even be considered a bugfix.

ebo mentioned this in T6736: Year 2038 issue for key validity date.Sep 26 2023, 3:40 PM
ebo closed this task as Resolved.Sep 26 2023, 3:43 PM
ebo claimed this task.
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

works, tested with VS-Desktop-3.2.0.0-beta214.
For the remaining issue with a certain date range see T6736