
export-minimal unexpectedly omits expired key
Status: Testing, Priority: High, Public

Description

Forwarding from a downstream bug (https://bugs.gentoo.org/967745).

export-minimal is sometimes used by e.g. distros saving a compacted keyring to a file, and expecting to later reinitialize a GnuPG installation and re-verify a signed file.

It's okay in such a case for the keyring to be expired (but bad for it to be revoked) as long as the signature itself was created before the expiration.

The documentation implies that this will work, as it says:

Export the smallest key possible. This removes all signatures except the most recent self-signature on each user ID. This option is the same as running the --edit-key command "minimize" before export except that the local copy of the key is not modified. Defaults to no.

i.e. it doesn't say anything about expiry there. Because the documentation disagrees with the impl, we aren't sure whether to fix GnuPG or fix our tooling. If GnuPG is behaving as expected, is there a way to achieve compaction without losing this information?

Reproducer with the key for linux-pam:

#!/bin/bash
set -x

export GNUPGHOME="$(mktemp -d)"

wget -q https://raw.githubusercontent.com/linux-pam/linux-pam/b7ba550110f2f93fabb50976ea920fcb656c9a8e/pgp.keys.asc -O pam.asc
gpg --import pam.asc

gpg --export --armor > pam.asc.new
gpg --export-options export-minimal --export --armor > pam.asc.new-minimal

$ diff -u <(pgpdump pam.asc.new) <(pgpdump pam.asc.new-minimal)
[...]
-Old: Public Subkey Packet(tag 14)(525 bytes)
-       Ver 4 - new
-       Public key creation time - Wed Oct 21 11:51:42 BST 2015
-       Pub alg - RSA Encrypt or Sign(pub 1)
-       RSA n(4096 bits) - ...
-       RSA e(17 bits) - ...
[...]

This means that the resulting export-minimal key cannot be used to verify https://github.com/linux-pam/linux-pam/releases/download/v1.7.1/Linux-PAM-1.7.1.tar.xz against https://github.com/linux-pam/linux-pam/releases/download/v1.7.1/Linux-PAM-1.7.1.tar.xz.asc.
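The point of the report is that verifying an old release signature needs the subkey that was valid when the signature was made, not one that is still valid today. The following is an added example, not GnuPG's code and not the Gentoo tooling: it walks an OpenPGP packet stream the way the pgpdump diff above does, lists every subkey with the expiry taken from its binding signature, and reports for each subkey whether a compaction done at a given time would keep it and whether a signature dated at a given time would need it. It models the export-minimal behaviour reported here as "keep only subkeys that are unexpired at export time"; signatures are not cryptographically verified. The sample key is constructed inside the script (the creation date 2015-10-21 and expiry 2025-10-18 match the report; the signature date and export date are assumed). For a real key, pass the bytes of `gpg --export <fingerprint>` (binary, not armored) to compaction_report.

```python
"""Inventory the subkeys in an OpenPGP public-key packet stream (RFC 4880 / 9580
syntax) and check which could still verify a signature dated T.  Added example, not
GnuPG code; reads binary `gpg --export` output (no --armor); SAMPLE is constructed.
Signatures are not verified: only packet structure and hashed subpackets are read."""
import hashlib
import struct

TAG_SIG, TAG_PUBKEY, TAG_UID, TAG_SUBKEY = 2, 6, 13, 14
SUB_CREATED, SUB_KEY_EXPIRY = 2, 9                      # signature subpacket types

def _length(buf, i, sub=False):                         # new-format (sub)packet length -> (len, next i)
    o = buf[i]
    if o < 192:
        return o, i + 1
    if o < (255 if sub else 224):
        return ((o - 192) << 8) + buf[i + 1] + 192, i + 2
    if o == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths not supported")

def read_packets(data: bytes) -> list:
    """Split a packet stream into (tag, body) pairs; old- and new-format headers."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if not b & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        if b & 0x40:                                    # new-format header
            tag, (length, i) = b & 0x3F, _length(data, i + 1)
        else:                                           # old-format header, 1/2/4-octet length
            tag, n = (b >> 2) & 0x0F, 1 << (b & 0x03)
            if n == 8:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        out.append((tag, data[i:i + length]))
        i += length
    return out

def v4_fingerprint(key_body: bytes) -> str:             # SHA-1(0x99 || 2-octet length || body)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def hashed_subpackets(sig_body: bytes) -> dict:
    """Hashed subpackets of a v4 signature as {type: data}."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures handled")
    n = struct.unpack(">H", sig_body[4:6])[0]
    area, i, subs = sig_body[6:6 + n], 0, {}
    while i < len(area):
        length, i = _length(area, i, sub=True)          # length includes the type octet
        subs[area[i] & 0x7F] = area[i + 1:i + length]
        i += length
    return subs

def subkey_inventory(packets) -> list:
    """Per subkey: fingerprint, creation time, expiry from its 0x18 binding sig (None = never)."""
    inv, cur = [], None
    for tag, body in packets:
        if tag == TAG_SUBKEY:
            created = struct.unpack(">I", body[1:5])[0]
            cur = {"fpr": v4_fingerprint(body), "created": created, "expires": None}
            inv.append(cur)
        elif tag != TAG_SIG:                            # anything but a signature ends the block
            cur = None
        elif cur and body[1] == 0x18:                   # binding sig; expiry is relative to creation
            exp = hashed_subpackets(body).get(SUB_KEY_EXPIRY)
            cur["expires"] = cur["created"] + struct.unpack(">I", exp)[0] if exp else None
    return inv

def usable_at(entry: dict, when: int) -> bool:
    """A subkey can verify a signature dated `when` iff it existed and had not expired then."""
    return entry["created"] <= when and (entry["expires"] is None or when < entry["expires"])

def compaction_report(stream: bytes, export_time: int, sig_time: int) -> list:
    """Per subkey: (fingerprint, survives export-minimal at export_time, needed by a sig dated
    sig_time).  Models the reported behaviour: export-minimal keeps only unexpired subkeys."""
    return [(e["fpr"], usable_at(e, export_time), usable_at(e, sig_time))
            for e in subkey_inventory(read_packets(stream))]

# Constructed sample (not a real key): primary from 2015-10-21, a subkey expiring 3650
# days later (2025-10-18, as in the report) and one that never expires; toy MPIs.
_packet = lambda tag, body: bytes([0x80 | tag << 2, len(body)]) + body   # old CTB, as gpg writes
_mpi = lambda v: struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
_key = lambda created: b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(0xC0FFEE) + _mpi(65537)
def _sig(sigtype, created, expires_after=None):         # v4 signature, RSA/SHA-256, dummy MPI
    subs = bytes([5, SUB_CREATED]) + struct.pack(">I", created)
    if expires_after is not None:
        subs += bytes([5, SUB_KEY_EXPIRY]) + struct.pack(">I", expires_after)
    return (b"\x04" + bytes([sigtype, 1, 8]) + struct.pack(">H", len(subs)) + subs
            + b"\x00\x00\x12\x34" + _mpi(0xDEADBEEF))
KEY_CREATED, TEN_YEARS = 1445385600, 3650 * 86400       # 2015-10-21T00:00:00Z; expiry 2025-10-18
SIG_TIME, EXPORT_TIME = 1748736000, 1767916800          # 2025-06-01 (signed), 2026-01-09 (compacted)
SAMPLE = b"".join([_packet(TAG_PUBKEY, _key(KEY_CREATED)),
                   _packet(TAG_UID, b"Constructed Example <example@example.invalid>"),
                   _packet(TAG_SUBKEY, _key(KEY_CREATED + 1)), _packet(TAG_SIG, _sig(0x18, KEY_CREATED + 1, TEN_YEARS)),
                   _packet(TAG_SUBKEY, _key(KEY_CREATED + 2)), _packet(TAG_SIG, _sig(0x18, KEY_CREATED + 2))])

if __name__ == "__main__":
    print(compaction_report(SAMPLE, EXPORT_TIME, SIG_TIME))     # (fpr, kept, needed) per subkey
```

A subkey whose tuple reads (fpr, False, True) is exactly the failure in the report: it is dropped by a compaction done after its expiry, yet a signature made while it was valid cannot be verified without it. Running the report with export_time equal to the signature date shows both subkeys kept, which is why the problem only surfaces when the keyring is re-exported after the expiry has passed.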

Event Timeline


What about prolonging the expired key?

You mean ask ldv to renew it? Sure, can do, but we often want to check sigs that were valid at the time but are now expired (sometimes upstreams are not reachable anymore).

This sort of thing crops up "unexpectedly" when newly-wiring up signature verification for packages retroactively, not just on new releases when we expect someone to be on the other side recently.

new export option keep-expired?

That'd be great if possible, thank you!

werner edited projects, added Feature Request, gnupg26; removed Bug Report.

So w/o the new option we have:

$ gpg --export -a --export-options export-minimal 296D6F29A020808E8717A8842DB5BD89A340AEB7 | gpg --show-key
pub   rsa4096 2015-10-21 [SC]
      296D6F29A020808E8717A8842DB5BD89A340AEB7
uid                      [....]

and with the new option we get:

$ gpg --export -a --export-options export-minimal,keep-expired-subkeys 296D6F29A020808E8717A8842DB5BD89A340AEB7 | gpg --show-key
pub   rsa4096 2015-10-21 [SC]
      296D6F29A020808E8717A8842DB5BD89A340AEB7
uid                      [...]
sub   rsa4096 2015-10-21 [S] [expired: 2025-10-18]
      53A7B3794CD12E3D51C336B7A8041FA839E16E36
sub   rsa4096 2015-10-21 [S] [expired: 2025-10-18]
      AAEFBA31D794455288AFCB7805454FE0559C2508
sub   rsa4096 2015-10-21 [E] [expired: 2025-10-18]
      DE98F24915C6ACDB9F19869C8177632C917E0309

gpg: WARNING: No valid encryption subkey left over.

werner changed the task status from Open to Testing. (Fri, Jan 9, 3:43 PM)
werner moved this task from Backlog to QA on the gnupg26 board.