Update expiration of subkeys that expired together with the primary key

Description

gpg --quick-set-expire (that is used by ChangeExpiryJob) ignores
already expired subkeys if the subkeys are specified with "*". We have
to list the subkeys to update explicitly to make gpg update them.

We request an update of the expiration for all subkeys (excluding the
primary key) which aren't revoked and which have an explicit expiration
set and which are either not yet expired or which expired at the same time
(+/- 10 seconds) as the primary key.

This covers the standard use case of an OpenPGP key with an encryption
subkey (with identical expiration) while at the same time not getting in
the way of advanced use cases with rotated subkeys.
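
The selection rule described in the commit message, sketched in Python as an added example (not the project's code): it parses `gpg --list-keys --with-colons` output and builds the explicit subkey list for `gpg --quick-set-expire`. The sample listing and fingerprints are constructed, the function names are hypothetical, and comparing expiration timestamps to decide "expired at the same time" is an assumption.

```python
# Constructed colon listing: a primary key expired at 1700000000 and five subkeys.
SAMPLE = """\
pub:e:255:22:AAAAAAAAAAAAAAA1:1600000000:1700000000::-:::sc:
fpr:::::::::1111111111111111111111111111111111111111:
sub:e:255:18:BBBBBBBBBBBBBBB1:1600000000:1700000004:::::e:
fpr:::::::::2222222222222222222222222222222222222222:
sub:e:255:18:CCCCCCCCCCCCCCC1:1500000000:1650000000:::::e:
fpr:::::::::3333333333333333333333333333333333333333:
sub:r:255:18:DDDDDDDDDDDDDDD1:1600000000:1700000000:::::e:
fpr:::::::::4444444444444444444444444444444444444444:
sub:u:255:22:EEEEEEEEEEEEEEE1:1690000000:1900000000:::::s:
fpr:::::::::5555555555555555555555555555555555555555:
sub:u:255:22:FFFFFFFFFFFFFFF1:1690000000::::::a:
fpr:::::::::6666666666666666666666666666666666666666:
"""

def subkeys_to_update(colons, now, tolerance=10):
    """Return (primary_fpr, [subkey_fprs]) selected by the commit's rule."""
    primary_fpr, primary_exp, selected, pending = None, None, [], None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary_exp = int(f[6]) if f[6] else None   # field 7: expiration
            pending = "pub"
        elif f[0] == "sub":
            exp = int(f[6]) if f[6] else None           # None: no explicit expiration
            revoked = f[1] == "r"                       # field 2: validity
            with_primary = (primary_exp is not None and exp is not None
                            and abs(exp - primary_exp) <= tolerance)
            wanted = (not revoked and exp is not None
                      and (exp > now or with_primary))
            pending = "take" if wanted else "skip"
        elif f[0] == "fpr" and pending:                 # fpr follows its pub/sub record
            if pending == "pub":
                primary_fpr = f[9]                      # field 10: fingerprint
            elif pending == "take":
                selected.append(f[9])
            pending = None
    return primary_fpr, selected

def quick_set_expire_args(primary_fpr, expire, subkey_fprs):
    """Name each subkey explicitly; "*" would skip the expired ones."""
    return ["gpg", "--quick-set-expire", primary_fpr, expire, *subkey_fprs]

if __name__ == "__main__":
    fpr, subs = subkeys_to_update(SAMPLE, now=1710000000)
    print(" ".join(quick_set_expire_args(fpr, "2y", subs)))
```

The subkey that expired long before the primary key (a rotated-out key), the revoked subkey and the subkey without an expiration are all left alone.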