
gpg does not print warning about untrusted key when verifying signatures made by expired (and untrusted) keys
Open, Normal, Public

Description

If I verify a signature made with an untrusted key (e.g. own key with owner trust undefined) then gpg prints

gpg: Signature made Di 06 Jan 2026 16:35:20 CET
gpg:                using EDDSA key 98FB8E8F8E5F58FA653E17A6FC9B2EF2C62AC7BE
gpg: Good signature from "t7790-expired" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
      98FB8E8F8E5F58FA653E17A6FC9B2EF2C62AC7BE

If I repeat this after expiring the untrusted key then gpg prints

gpg: Signature made Di 06 Jan 2026 16:35:20 CET
gpg:                using EDDSA key 98FB8E8F8E5F58FA653E17A6FC9B2EF2C62AC7BE
gpg: Good signature from "t7790-expired" [expired]
gpg: Note: This key has expired!
      98FB8E8F8E5F58FA653E17A6FC9B2EF2C62AC7BE

i.e. there's no "WARNING: This key is not certified with a trusted signature!"

If I revoke the key (don't mind that I actually used a different key from the one used above) then gpg prints

gpg: Signature made Mi 07 Jan 2026 10:48:38 CET
gpg:                using EDDSA key 70709DA5588B9BC41D90845D73D10B0634EE46BA
gpg: Good signature from "t7790-revoked" [unknown]
gpg: WARNING: This key has been revoked by its owner!
gpg:          This could mean that the signature is forged.
gpg: reason for revocation: No reason specified
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
      70709DA5588B9BC41D90845D73D10B0634EE46BA

i.e. there's a warning about the revocation and a warning about the missing trusted key signature.

Given T7790 (Kleopatra: "no trusted certification" should have precedence over "expired" in signature verification), I assume that the warning about the missing trusted key signature should also be printed when verifying signatures made with expired keys.
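The report shows why a tool that consumes gpg's verification result should not depend on the human-readable WARNING line: it is localized (note the German "Di"/"Mi" day names above) and, as the three outputs show, whether it appears depends on key state. The following is an added example, not GnuPG project code and not from the reporter; it classifies gpg's machine-readable `--status-fd` stream instead and fails closed, accepting only a GOODSIG that is accompanied by a TRUST_FULLY or TRUST_ULTIMATE line. The status streams are constructed to mirror the report's three cases (plus a trusted control) and are not captured gpg output; in particular, the expired-key sample omits any TRUST_* line, since the report does not show what gpg emits there, and the check rejects it either way because EXPKEYSIG is not GOODSIG. The keyword names come from gpg's doc/DETAILS status interface; the fingerprints are the ones in the report.

```python
"""Fail-closed classification of gpg's --status-fd output (added example, not GnuPG code)."""
import re
import subprocess

# Status keywords (gnupg doc/DETAILS) that carry the signature verdict ...
SIG_KEYWORDS = {"GOODSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG", "BADSIG", "ERRSIG"}
# ... and the validity of the signing key in the local web of trust.
TRUST_KEYWORDS = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
                  "TRUST_FULLY", "TRUST_ULTIMATE"}
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}

STATUS_LINE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(text):
    """Return [(keyword, argument string), ...] for '[GNUPG:] ...' lines; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = STATUS_LINE.match(line.rstrip())
        if m:
            events.append((m.group(1), m.group(2) or ""))
    return events


def classify(status_text):
    """Return ('accept' | 'reject', reason) for one verification's status stream."""
    sig = None
    trust = None
    for keyword, args in parse_status(status_text):
        if keyword in SIG_KEYWORDS and sig is None:
            sig = (keyword, args)  # first signature verdict wins
        elif keyword in TRUST_KEYWORDS:
            trust = keyword
    if sig is None:
        return "reject", "no signature status line"
    keyword, args = sig
    if keyword != "GOODSIG":
        return "reject", f"signature status {keyword}"  # expired, revoked or bad
    if trust is None:
        return "reject", "no TRUST_* line: key validity unknown"  # fail closed
    if trust not in ACCEPTED_TRUST:
        return "reject", f"key validity {trust}"
    return "accept", f"GOODSIG from {args.split()[0]} with {trust}"


def verify_with_gpg(signature_path, data_path):
    """Run gpg and classify it; --status-fd 1 routes status lines to stdout (not exercised here)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True, check=False)
    return classify(proc.stdout)


# Constructed status streams mirroring the report's cases (not captured gpg output).
FPR_EXPIRED = "98FB8E8F8E5F58FA653E17A6FC9B2EF2C62AC7BE"
FPR_REVOKED = "70709DA5588B9BC41D90845D73D10B0634EE46BA"

CASE_UNTRUSTED = f"""[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED {FPR_EXPIRED} 0
[GNUPG:] GOODSIG {FPR_EXPIRED[-16:]} t7790-expired
[GNUPG:] VALIDSIG {FPR_EXPIRED} 2026-01-06 1767713720 0 4 0 22 10 00 {FPR_EXPIRED}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Same key after expiry: gpg reports EXPKEYSIG; this sample deliberately omits any TRUST_* line.
CASE_EXPIRED = f"""[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED {FPR_EXPIRED} 0
[GNUPG:] EXPKEYSIG {FPR_EXPIRED[-16:]} t7790-expired
[GNUPG:] VALIDSIG {FPR_EXPIRED} 2026-01-06 1767713720 0 4 0 22 10 00 {FPR_EXPIRED}
"""
CASE_REVOKED = f"""[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED {FPR_REVOKED} 0
[GNUPG:] REVKEYSIG {FPR_REVOKED[-16:]} t7790-revoked
[GNUPG:] VALIDSIG {FPR_REVOKED} 2026-01-07 1767779318 0 4 0 22 10 00 {FPR_REVOKED}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Control: a good signature from a key the local user has marked ultimately trusted.
CASE_TRUSTED = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {FPR_EXPIRED[-16:]} t7790-expired
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""

if __name__ == "__main__":
    for name, stream in [("untrusted", CASE_UNTRUSTED), ("expired", CASE_EXPIRED),
                         ("revoked", CASE_REVOKED), ("trusted", CASE_TRUSTED)]:
        print(f"{name:>9}: {classify(stream)}")
```

Only the trusted control is accepted; the untrusted, expired and revoked cases are all rejected, and the reason string records which condition failed. Feeding the human-readable text (the `gpg: ...` lines from the report) into `classify` yields a reject with "no signature status line", which is the point: the decision is never derived from prose that gpg may phrase, localize or omit differently from one key state to the next.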

Details

Version
gnupg 2.5.17-beta3

Event Timeline

Interestingly, gpg also prints the warning about the missing trusted key signature when verifying a signature made with a revoked key that has a valid certification by a trusted key. This could be intentional (because the revocation invalidates all certifications), but it's still a bit surprising.

werner triaged this task as Normal priority. Wed, Jan 7, 12:02 PM
werner added a subscriber: werner.

Traditionally we have considered expired and revoked more or less similar. The idea is that an expired key might have been compromised but the owner did not find a way to revoke it. We may want to change this policy because some users don't care too much about expired keys (cf. T7990).