gpg --with-colon returns ????-??-?? as the expiration date. Linux Y2K issue?

gpg --with-colon reports a bad expiration date (although the key is usable for encryption). See "[expires: ????-??-??]":

gpg --with-colon key.ascii
pub:-:1024:17:77A54749D56561D6:2016-06-10:????-??-??::-:AAA AAA <[email protected]>:
sub:-:2048:16:44479A86F9DB1538:2016-06-10:????-??-??::: [expires: ????-??-??]

When I run --list-packets I can see that the expiration is set to 27 years in the future:

gpg --list-packets key.ascii
...
        hashed subpkt 2 len 4 (sig created 2016-06-10)
        hashed subpkt 9 len 4 (key expires after 27y145d0h0m)

Does it mean that gpg has a bug in handling 2016-06-10 + 27y145d?

Is it safe to assume that the date virtually never expires and assume it did not expire because the second column in the --with-colons output is '-' and not 'e' (see https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS for the details of --with-colons output)?

Overzealous answered 11/9, 2018 at 14:37 Comment(2)
I did not reproduce and have not looked at the code, but this has a strong smell of 32-bit timestamp issues. 32-bit unixtime "ends" in 2038. - Adenectomy
@JensErat - sounds very reasonable! - Overzealous

Actually it IS a Linux Y2K issue, even on the Windows version of gpg. See this:

gpg --gen-key
...
Key is valid for? (0) 50y
Key expires at ????-??-??
Your system can't display dates beyond 2038.
However, it will be correctly handled up to 2106.
Is this correct? (y/N)

Yep. Be aware that when you set an expiration beyond 2038, it will impact how gpg displays the expiration date and any software that relies on a proper expiration date being listed by gpg.

EDIT: Use gpg --with-colon --fixed-list-mode to print epoch time as an integer, which you can handle until 2106.

Overzealous answered 11/9, 2018 at 18:15 Comment(0)

gpg v2.2.27 seems to handle expiration dates beyond 2038 (but not beyond 2104):

❯ gpg --edit-key 3625CA32A3EDCF880DB7A7B3AF745F98A77116EB
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
[...]
sec  rsa3072/AF745F98A77116EB
     created: 2022-09-30  expires: 2024-09-29  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa3072/4E262F439058A882
     created: 2022-09-30  expires: 2024-09-29  usage: E   
[ultimate] (1). Test Test

gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years

Key is valid for? (0) 83y
Key expires at Thu 10 Sep 2105 07:52:56 AM CEST                     
Is this correct? (y/N) 
Key is valid for? (0) 84y             
Key expires at Tue 04 Aug 1970 12:24:46 AM CET  
invalid value        
Key is valid for? (0) 50y
Key expires at Sat 17 Sep 2072 07:39:06 AM CEST
Is this correct? (y/N) y

sec  rsa3072/AF745F98A77116EB
     created: 2022-09-30  expires: 2072-09-17  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa3072/4E262F439058A882
     created: 2022-09-30  expires: 2024-09-29  usage: E   
[ultimate] (1). Test Test

gpg> key 1   
                                                                    
sec  rsa3072/AF745F98A77116EB                  
     created: 2022-09-30  expires: 2072-09-17  usage: SC  
     trust: ultimate      validity: ultimate
ssb* rsa3072/4E262F439058A882                 
     created: 2022-09-30  expires: 2024-09-29  usage: E   
[ultimate] (1). Test Test

gpg> expire
Key is valid for? (0) 50y
Key expires at Sat 17 Sep 2072 07:43:39 AM CEST                                                                                         
Is this correct? (y/N) y

sec  rsa3072/AF745F98A77116EB                          
     created: 2022-09-30  expires: 2072-09-17  usage: SC  
     trust: ultimate      validity: ultimate  
ssb* rsa3072/4E262F439058A882     
     created: 2022-09-30  expires: 2072-09-17  usage: E   
[ultimate] (1). Test Test

gpg> q
Save changes? (y/N) y
❯ gpg --export 3625CA32A3EDCF880DB7A7B3AF745F98A77116EB > tmp.pub

❯ gpg --show-keys tmp.pub
pub   rsa3072 2022-09-30 [SC] [expires: 2072-09-17]
      3625CA32A3EDCF880DB7A7B3AF745F98A77116EB
uid                      Test Test
sub   rsa3072 2022-09-30 [E] [expires: 2072-09-17]

❯ gpg --with-colons tmp.pub
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub:u:3072:1:AF745F98A77116EB:1664516288:3241316350::u:
uid:::::::::Test Test:
sub:u:3072:1:4E262F439058A882:1664516288:3241316620:::
Parliamentary answered 30/9, 2022 at 6:2 Comment(1)
I am glad they fixed that. - Overzealous
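
Added example (not part of any post above and not GnuPG code): a parser for the expiration field of the colon records quoted on this page, following the --fixed-list-mode advice, that reports "unknown" instead of guessing when gpg printed ????-??-??. The function names are hypothetical, the field positions (field 2 validity, field 7 expiration) follow the doc/DETAILS file linked in the question, and the 365-day year in the wrap check is an assumption.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
U32_MAX = 2**32 - 1  # last second of an unsigned 32-bit timestamp (year 2106)

def parse_expiry(field):
    """Classify field 7 (expiration date) of a pub/sub colon record."""
    if field == "":
        return ("never", None)
    if field.isascii() and field.isdigit():
        # Epoch seconds; plain arithmetic, so no 32-bit time_t is involved.
        return ("date", EPOCH + timedelta(seconds=int(field)))
    try:
        # Date-only form: midnight UTC, so the key counts as expired early
        # on its last day rather than late.
        day = datetime.strptime(field, "%Y-%m-%d")
        return ("date", day.replace(tzinfo=timezone.utc))
    except ValueError:
        return ("undisplayable", None)  # e.g. "????-??-??"

def expiry_status(record, now):
    """Return 'expired', 'not-expired' or 'unknown' for one pub/sub record."""
    fields = record.split(":")
    state, when = parse_expiry(fields[6])
    if fields[1] == "e" or (state == "date" and when <= now):
        return "expired"
    if state == "undisplayable":
        return "unknown"  # do not guess; re-run gpg with --fixed-list-mode
    return "not-expired"

def wraps_u32(start, valid_seconds):
    """True if start + validity no longer fits an unsigned 32-bit timestamp."""
    return start + valid_seconds > U32_MAX

# Records copied from the outputs quoted on this page (user ID shortened).
SAMPLE = [
    "pub:-:1024:17:77A54749D56561D6:2016-06-10:????-??-??::-:AAA AAA:",
    "pub:u:3072:1:AF745F98A77116EB:1664516288:3241316350::u:",
    "sub:u:3072:1:4E262F439058A882:1664516288:3241316620:::",
]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for rec in SAMPLE:
        print(rec.split(":")[4], expiry_status(rec, now))
    year = 365 * 86400  # assumption: gpg counts "1y" as 365 days
    print("83y wraps:", wraps_u32(1664516288, 83 * year))
    print("84y wraps:", wraps_u32(1664516288, 84 * year))
```

A caller that gets "unknown" should re-query the key with --with-colons --fixed-list-mode rather than treat the key as non-expiring.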