How to get expiration date from a gpg key

4

21

Below is an exported public gpg key generated by gpg --armor --export [email protected] (email taken from gpg man ;) )

How can I get the expiration date from that key? Is there an open project available, or maybe a function, that I can use for that?

I know that I can execute gpg --list-keys searching for [email protected], but my problem is that I get a key in the format below, and I need to pull this information from that data.

I have already read the username from it using reverse engineering based on the gpg RFC spec, but this time I would rather look for something better than a 'home made' approach.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.7 (SunOS)
-----END PGP PUBLIC KEY BLOCK-----
Ruffle answered 21/2, 2018 at 19:52 Comment(0)
20

Looks like I can pipe it to gpg --list-packets and check (see EDIT at the end for a better solution):

  • "created" value (here it is 1519242075 -> Wed Feb 21 14:41:15 EST 2018)
  • or "sig created" (here it is 2018-02-21)
  • "key expires after" (here it is 1d0h0m)

Note - when the key does not expire, the "key expires after" field is not listed.

#> gpg -a --export "Heinrich Heine" | gpg --list-packets
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
:public key packet:
        version 4, algo 17, created 1519242075, expires 0
        pkey[0]: [1024 bits]
        pkey[1]: [160 bits]
        pkey[2]: [1024 bits]
        pkey[3]: [1023 bits]
:user ID packet: "Heinrich Heine (test) <[email protected]>"
:signature packet: algo 17, keyid 2032DDD527667530
        version 4, created 1519242075, md5len 0, sigclass 0x13
        digest algo 2, begin of digest e8 15
        hashed subpkt 2 len 4 (sig created 2018-02-21)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 9 len 4 (key expires after 1d0h0m)
        hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
        hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3)
        hashed subpkt 22 len 2 (pref-zip-algos: 2 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (key server preferences: 80)
        subpkt 16 len 8 (issuer key ID 2032DDD527667530)
        data: [159 bits]
        data: [156 bits]
:public sub key packet:
        version 4, algo 16, created 1519242075, expires 0
        pkey[0]: [2048 bits]
        pkey[1]: [3 bits]
        pkey[2]: [2048 bits]
:signature packet: algo 17, keyid 2032DDD527667530
        version 4, created 1519242075, md5len 0, sigclass 0x18
        digest algo 2, begin of digest 34 8c
        hashed subpkt 2 len 4 (sig created 2018-02-21)
        hashed subpkt 27 len 1 (key flags: 0C)
        hashed subpkt 9 len 4 (key expires after 1d0h0m)
        subpkt 16 len 8 (issuer key ID 2032DDD527667530)
        data: [159 bits]
        data: [160 bits]

There is even a "better" way to let gpg analyze the expiration date. Just run:

gpg --with-colons file.pub

See this site for an explanation of the output:

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS

EDIT: Use gpg --with-colon --fixed-list-mode to avoid the year 2038 issue. See more: gpg --with-colon returns ????-??-?? as the expiration date. Linux Y2K issue?

Ruffle answered 21/2, 2018 at 20:50 Comment(1)
When exporting a key to just do the --list-packets command, one doesn't have to use the -a flag. When trying to debug issues or figure out how GPG works, this will help save a few keystrokes. - Checker
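An added example, not part of the original answers: parsing the gpg --with-colons --fixed-list-mode listing in Python, where field 6 of a key record is the creation date and field 7 the expiration date (empty when the key does not expire). The sample listing is constructed, and the function names are this example's own.

```python
import subprocess
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample (not captured gpg output): the first two key IDs and the
# first creation time appear on the page; the other values are assumed.
SAMPLE = (
    "pub:e:1024:17:2032DDD527667530:1519242075:1519328475::-:::sc:\n"
    "uid:e::::1519242075::::Heinrich Heine (test):\n"
    "pub:-:3072:1:AF745F98A77116EB:1664496000:3241296000::-:::scESC:\n"
    "pub:-:3072:1:0000000000000000:1664496000:::-:::scESC:\n"
)

def to_utc(field):
    """Date field -> aware UTC datetime; an empty field means 'not set'."""
    if not field:
        return None
    if "T" in field:  # ISO 8601 variant described in doc/DETAILS
        parsed = datetime.strptime(field, "%Y%m%dT%H%M%S")
        return parsed.replace(tzinfo=timezone.utc)
    if not field.isdigit():  # e.g. YYYY-MM-DD or ????-??-?? from old listings
        raise ValueError(f"non-epoch date {field!r}; use --fixed-list-mode")
    # timedelta arithmetic avoids any 32-bit time_t limit past 2038
    return EPOCH + timedelta(seconds=int(field))

def parse_colon_listing(text):
    """Return creation and expiration for every key and subkey record."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub", "sec", "ssb") and len(f) >= 7:
            keys.append({"type": f[0], "keyid": f[4],
                         "created": to_utc(f[5]), "expires": to_utc(f[6])})
    return keys

def expired_keyids(keys, now):
    """Key IDs whose expiration is set and is not after `now`."""
    return [k["keyid"] for k in keys if k["expires"] and k["expires"] <= now]

def key_expirations(path):
    """List the keys in an exported key file via gpg and parse the result."""
    out = subprocess.run(
        ["gpg", "--with-colons", "--fixed-list-mode", "--show-keys", path],
        capture_output=True, text=True, check=True).stdout
    return parse_colon_listing(out)

if __name__ == "__main__":
    for k in parse_colon_listing(SAMPLE):
        print(k["keyid"], k["created"], k["expires"] or "never")
```
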
3

I just had the same problem and gpg --show-keys does what I needed:

gpg --show-keys tmp.pub
pub   dsa1024 2018-02-21 [SC] [expired: 2018-02-22]
      5CA8E044DC5C0AA51F29C2072032DDD527667530
uid                      Heinrich Heine (test) <[email protected]>
sub   elg2048 2018-02-21 [E] [expired: 2018-02-22]

This also works with dates beyond 2038:

❯ gpg --show-keys tmp.pub                                        
pub   rsa3072 2022-09-30 [SC] [expires: 2072-09-17]
      3625CA32A3EDCF880DB7A7B3AF745F98A77116EB
uid                      Test Test
sub   rsa3072 2022-09-30 [E] [expires: 2072-09-17]

❯ gpg --version          
gpg (GnuPG) 2.2.27
libgcrypt 1.8.8
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/jkirk/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Silsby answered 17/10, 2021 at 11:14 Comment(2)
We may finally have some changes in gpg! BTW would you be able to test a key with expiration beyond 2038 please? - Ruffle
@Ruffle yes, GPG v2.2.27 seems to work with dates beyond 2038. - Silsby
2
gpg -k 

seems to be working well for me.

Godard answered 17/4, 2023 at 11:3 Comment(1)
Thank you for taking part. Unfortunately, your answer does not match the question. Your solution lists all the keys in your local key database. That means all created or imported, but here we need a solution for a file with the key independent of the import. - Khalil
-1

There is also some possibility that the key set in git config doesn't match your current gpg key.

First check your gpg key:

gpg --list-secret-keys --keyid-format=long

Then check the signingkey in gitconfig:

cat ~/.gitconfig
[user]
    email = [email protected]
    name = Your Name
    signingkey = XXXX

You have to make sure signingkey matches your gpg key.

Lexeme answered 17/1, 2023 at 15:38 Comment(1)
Thank you for taking part. Unfortunately, your answer does not match the question. Your solution lists all the keys in your local key database. That means all created or imported, but here we need a solution for a file with the key independent of the import. - Khalil