
gpg does not print warning about untrusted key when verifying signatures made by expired (and untrusted) keys
Open, Normal, Public

Description

If I verify a signature made with an untrusted key (e.g. own key with owner trust undefined) then gpg prints

gpg: Signature made Di 06 Jan 2026 16:35:20 CET
gpg:                using EDDSA key 98FB8E8F8E5F58FA653E17A6FC9B2EF2C62AC7BE
gpg: Good signature from "t7790-expired" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
      98FB8E8F8E5F58FA653E17A6FC9B2EF2C62AC7BE

If I repeat this after expiring the untrusted key then gpg prints

gpg: Signature made Di 06 Jan 2026 16:35:20 CET
gpg:                using EDDSA key 98FB8E8F8E5F58FA653E17A6FC9B2EF2C62AC7BE
gpg: Good signature from "t7790-expired" [expired]
gpg: Note: This key has expired!
      98FB8E8F8E5F58FA653E17A6FC9B2EF2C62AC7BE

i.e. there's no "WARNING: This key is not certified with a trusted signature!"

If I revoke the key (don't mind that I actually used a different key from the one used above) then gpg prints

gpg: Signature made Mi 07 Jan 2026 10:48:38 CET
gpg:                using EDDSA key 70709DA5588B9BC41D90845D73D10B0634EE46BA
gpg: Good signature from "t7790-revoked" [unknown]
gpg: WARNING: This key has been revoked by its owner!
gpg:          This could mean that the signature is forged.
gpg: reason for revocation: No reason specified
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
      70709DA5588B9BC41D90845D73D10B0634EE46BA

i.e. there's a warning about the revocation and a warning about the missing trusted key signature.

Given T7790 ("Kleopatra: 'no trusted certification' should have precedence over 'expired' in signature verification") I assume that the warning about the missing trusted key signature should also be printed when verifying signatures made with expired keys.
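The practical risk behind this report is that any automation which decides "is this signature trustworthy?" by looking for the "WARNING: This key is not certified" line will silently accept the expired, uncertified case, because that line is the only one gpg drops. The following script is an added example, not part of this report or of GnuPG: it parses the three transcripts quoted above (embedded as constructed input) and derives the trust state from the bracketed validity after the user id ("[unknown]", "[expired]", ...) instead of from the presence of the warning, so the missing warning is detected rather than mistaken for a trusted key. The set of validity strings accepted as "certified" (full, ultimate) is a policy assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed input: the three gpg transcripts quoted in this report
# (untrusted key, expired untrusted key, revoked key), embedded verbatim
# so the script runs offline.
SAMPLES: Dict[str, str] = {
    "untrusted": (
        "gpg: Signature made Di 06 Jan 2026 16:35:20 CET\n"
        "gpg:                using EDDSA key 98FB8E8F8E5F58FA653E17A6FC9B2EF2C62AC7BE\n"
        'gpg: Good signature from "t7790-expired" [unknown]\n'
        "gpg: WARNING: This key is not certified with a trusted signature!\n"
        "gpg:          There is no indication that the signature belongs to the owner.\n"
        "      98FB8E8F8E5F58FA653E17A6FC9B2EF2C62AC7BE\n"
    ),
    "expired": (
        "gpg: Signature made Di 06 Jan 2026 16:35:20 CET\n"
        "gpg:                using EDDSA key 98FB8E8F8E5F58FA653E17A6FC9B2EF2C62AC7BE\n"
        'gpg: Good signature from "t7790-expired" [expired]\n'
        "gpg: Note: This key has expired!\n"
        "      98FB8E8F8E5F58FA653E17A6FC9B2EF2C62AC7BE\n"
    ),
    "revoked": (
        "gpg: Signature made Mi 07 Jan 2026 10:48:38 CET\n"
        "gpg:                using EDDSA key 70709DA5588B9BC41D90845D73D10B0634EE46BA\n"
        'gpg: Good signature from "t7790-revoked" [unknown]\n'
        "gpg: WARNING: This key has been revoked by its owner!\n"
        "gpg:          This could mean that the signature is forged.\n"
        "gpg: reason for revocation: No reason specified\n"
        "gpg: WARNING: This key is not certified with a trusted signature!\n"
        "gpg:          There is no indication that the signature belongs to the owner.\n"
        "      70709DA5588B9BC41D90845D73D10B0634EE46BA\n"
    ),
}

# Policy assumption of this example: only these bracketed validity values
# mean the key is certified by a trusted path. Anything else is uncertified.
TRUSTED_VALIDITIES = {"full", "ultimate"}

GOOD_RE = re.compile(r'^gpg: Good signature from ".*" \[(\w+)\]$')
KEY_RE = re.compile(r"^gpg:\s+using \w+ key ([0-9A-F]{16,40})$")


@dataclass
class VerifyResult:
    good: bool = False                 # "Good signature" line seen
    fingerprint: Optional[str] = None  # from the "using ... key" line
    validity: Optional[str] = None     # text in brackets after the user id
    expired: bool = False              # "This key has expired" note seen
    revoked: bool = False              # "revoked by its owner" warning seen
    trust_warning: bool = False        # explicit "not certified" warning seen

    @property
    def certified(self) -> bool:
        """Certified only if gpg reported a trusted validity level."""
        return self.good and self.validity in TRUSTED_VALIDITIES

    @property
    def acceptable(self) -> bool:
        """What an automated consumer should require before trusting the data."""
        return self.certified and not self.expired and not self.revoked

    @property
    def warning_suppressed(self) -> bool:
        """True when the key is uncertified but gpg printed no trust warning
        (the behaviour this report describes for expired keys)."""
        return self.good and not self.certified and not self.trust_warning


def parse_verify_output(text: str) -> VerifyResult:
    """Parse the human-readable stderr of 'gpg --verify' into a VerifyResult."""
    result = VerifyResult()
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            result.fingerprint = m.group(1)
            continue
        m = GOOD_RE.match(line)
        if m:
            result.good = True
            result.validity = m.group(1)
            continue
        if "This key is not certified with a trusted signature" in line:
            result.trust_warning = True
        elif "This key has expired" in line:
            result.expired = True
        elif "This key has been revoked by its owner" in line:
            result.revoked = True
    return result


def classify_all() -> Dict[str, VerifyResult]:
    """Parse every embedded sample; used by the stand-alone run below."""
    return {name: parse_verify_output(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in classify_all().items():
        print(f"{name:10s} certified={r.certified} acceptable={r.acceptable} "
              f"warning_suppressed={r.warning_suppressed}")
```

Parsing the human-readable output is inherently fragile (note the locale-dependent day names "Di"/"Mi" in the quoted lines), so for real automation drive gpg with --status-fd and read the machine-readable status lines documented in doc/DETAILS instead; the point of the example is only that the decision must be keyed on the reported validity, not on whether a warning line happened to be printed.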

Details

Version
gnupg 2.5.17-beta3

Event Timeline

Interestingly, gpg also prints the warning about the missing trusted key signature when verifying a signature made with a revoked key that has a valid certification by a trusted key. This could be intentional (because the revocation invalidates all certifications), but it's still a bit surprising.

werner triaged this task as Normal priority. Jan 7 2026, 12:02 PM
werner added a subscriber: werner.

Traditionally we have considered expired and revoked more or less similar. The idea is that an expired key might have been compromised but the owner did not find a way to revoke it. We may want to change this policy because some users don't care too much about expired keys (cf. T7990).

ebo raised the priority of this task from Normal to High. Jan 21 2026, 11:39 AM
ebo added a subscriber: ebo.

setting to High as we need this for T7790

That is actually more complicated than I initially thought. The reason is that expired is used like a trust level:

/* Map a trust value (TRUST_* constants from g10/trustdb.h) to the
   one-letter code shown in key listings. Note that TRUST_EXPIRED sits
   in the same masked range as the real trust levels. */
static int
trust_letter (unsigned int value)
{
  switch( (value & TRUST_MASK) )
    {
    case TRUST_UNKNOWN:   return '-';
    case TRUST_EXPIRED:   return 'e';
    case TRUST_UNDEFINED: return 'q';
    case TRUST_NEVER:     return 'n';
    case TRUST_MARGINAL:  return 'm';
    case TRUST_FULLY:     return 'f';
    case TRUST_ULTIMATE:  return 'u';
    default:              return '?';
    }
}

Changing this requires some rethinking and a lot of work. There is also a substantial regression risk.

ebo lowered the priority of this task from High to Normal. Thu, Apr 30, 10:44 AM