trustcrypto/onlykey-agent

Cannot set GPG key expiration

Opened this issue · 4 comments

It fails without throwing an error.

$ onlykey-gpg init "Example <example@example.com>"
2021-07-07 07:09:40,451 WARNING      This GPG tool is still in EXPERIMENTAL mode, so please note that the API and features may change without backwards compatibility! [__init__.py:128]
2021-07-07 07:09:40,473 WARNING      NOTE: in order to re-generate the exact same GPG key later, run this command with "--time=0" commandline flag (to set the timestamp of the GPG key manually). [__init__.py:41]
Enter the 3 digit challenge code on OnlyKey to authorize <gpg://Example <example@example.com>|ed25519>
5 3 5
Enter the 3 digit challenge code on OnlyKey to authorize <gpg://Example <example@example.com>|ed25519>
6 2 3
gpg: inserting ownertrust of 6
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
sec   ed25519 1970-01-01 [SCA]
      4580C116CCFF13E0C22B946C4AB5CB4FDB7469B3
uid           [ultimate] Example <example@example.com>
ssb   cv25519 1970-01-01 [E]

$ gpg --list-keys
/home/user/.gnupg/onlykey/pubring.kbx
-------------------------------------
pub   ed25519 1970-01-01 [SCA]
      4580C116CCFF13E0C22B946C4AB5CB4FDB7469B3
uid           [ultimate] Example <example@example.com>
sub   cv25519 1970-01-01 [E]

$ gpg --edit-key 4580C116CCFF13E0C22B946C4AB5CB4FDB7469B3
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  ed25519/4AB5CB4FDB7469B3
     created: 1970-01-01  expires: never       usage: SCA 
     trust: ultimate      validity: ultimate
ssb  cv25519/0F1D4FAC1750FCB0
     created: 1970-01-01  expires: never       usage: E   
[ultimate] (1). Example <example@example.com>

gpg> key 0

sec  ed25519/4AB5CB4FDB7469B3
     created: 1970-01-01  expires: never       usage: SCA 
     trust: ultimate      validity: ultimate
ssb  cv25519/0F1D4FAC1750FCB0
     created: 1970-01-01  expires: never       usage: E   
[ultimate] (1). Example <example@example.com>

gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Fri 07 Jul 2023 07:11:17 AM GMT
Is this correct? (y/N) y

sec  ed25519/4AB5CB4FDB7469B3
     created: 1970-01-01  expires: never       usage: SCA 
     trust: ultimate      validity: ultimate
ssb  cv25519/0F1D4FAC1750FCB0
     created: 1970-01-01  expires: never       usage: E   
[ultimate] (1). Example <example@example.com>

gpg> quit
Save changes? (y/N) y
$ gpg --edit-key 4580C116CCFF13E0C22B946C4AB5CB4FDB7469B3
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  ed25519/4AB5CB4FDB7469B3
     created: 1970-01-01  expires: never       usage: SCA 
     trust: ultimate      validity: ultimate
ssb  cv25519/0F1D4FAC1750FCB0
     created: 1970-01-01  expires: never       usage: E   
[ultimate] (1). Example <example@example.com>

gpg> quit
$ onlykey-cli fwversion
v2.1.1-prodc

gasull commented

This still happens with firmware v2.1.2-prodc.

I just tried setting expiration by editing; that seems to work fine.

gpg --edit-key 8B737014B66B3A4C4680CF4F3DFD6D925A6AF6A3
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec ed25519/3DFD6D925A6AF6A3
created: 2023-02-23 expires: never usage: SC
trust: ultimate validity: ultimate
ssb cv25519/26E2ABE33E1A12C8
created: 2023-02-23 expires: never usage: E
ssb ed25519/561AD01D5ED33E8E
created: 2023-02-23 expires: never usage: S
ssb cv25519/E030A3DC86C9D3DC
created: 2023-02-23 expires: never usage: E
[ultimate] (1). onlykey test <onlykey@onlykey.io>

gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Thu 03 Apr 2025 09:37:37 AM EDT
Is this correct? (y/N) y

sec ed25519/3DFD6D925A6AF6A3
created: 2023-02-23 expires: 2025-04-03 usage: SC
trust: ultimate validity: ultimate
ssb cv25519/26E2ABE33E1A12C8
created: 2023-02-23 expires: never usage: E
ssb ed25519/561AD01D5ED33E8E
created: 2023-02-23 expires: never usage: S
ssb cv25519/E030A3DC86C9D3DC
created: 2023-02-23 expires: never usage: E
[ultimate] (1). onlykey test <onlykey@onlykey.io>

There is nothing in firmware that controls key expiration; that is a software feature of GnuPG.

gasull commented

This happens to me out of the box, creating a new virtual machine on Qubes, after pip3 install onlykey-agent, running the exact steps of my original post.

Would you mind trying those steps in a new virtual machine, instead of changing the expiration date of an already existing key?

Even if the firmware isn't controlling this, this is still an error in the documentation, because following the steps in the documentation isn't working.
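
Because `expire` reports no error in the transcript above, the result has to be checked from the key listing itself. The following is an added example, not part of the issue or of onlykey-agent: it reads `gpg --with-colons` output and reports keys whose expiration field is empty. The function names and both sample listings are constructed for illustration, reusing the key IDs from the original report.

```shell
#!/bin/sh
# Added example: reads `gpg --list-keys --with-colons` output on stdin.
# Colon-format fields used: 1 = record type, 5 = key ID,
# 6 = creation time, 7 = expiration time (empty means "never").

# Print the expiration of key ID $1 ("never" or epoch seconds).
# Returns non-zero if the key ID is not present in the listing.
key_expiry() {
    awk -F: -v id="$1" '
        ($1 == "pub" || $1 == "sub" || $1 == "sec" || $1 == "ssb") && $5 == id {
            print ($7 == "" ? "never" : $7); found = 1; exit
        }
        END { exit !found }'
}

# List every primary key and subkey that has no expiration set.
keys_without_expiry() {
    awk -F: '($1 == "pub" || $1 == "sub") && $7 == "" {
        printf "%s %s expires=never\n", $1, $5 }'
}

# Constructed sample: the state shown in the report after "expire 2y"
# and saving (creation time 0, expiration field still empty).
SAMPLE_REPORTED='pub:u:255:22:4AB5CB4FDB7469B3:0:::u:::scaSCA:::::ed25519:::0:
fpr:::::::::4580C116CCFF13E0C22B946C4AB5CB4FDB7469B3:
sub:u:255:18:0F1D4FAC1750FCB0:0::::::e:::::cv25519::'

# Constructed sample: what the listing would look like had the change been
# stored. 1688713877 is Fri 07 Jul 2023 07:11:17 GMT, the date gpg announced.
# "expire" with no subkey selected changes only the primary key, so the
# subkey still reads "never", as in the second transcript in this thread.
SAMPLE_EXPECTED='pub:u:255:22:4AB5CB4FDB7469B3:0:1688713877::u:::scaSCA:::::ed25519:::0:
fpr:::::::::4580C116CCFF13E0C22B946C4AB5CB4FDB7469B3:
sub:u:255:18:0F1D4FAC1750FCB0:0::::::e:::::cv25519::'

# Demo on the constructed data; against a real keyring the input would be:
#   gpg --list-keys --with-colons <fingerprint> | keys_without_expiry
printf '%s\n' "$SAMPLE_REPORTED" | keys_without_expiry
```

Running the check right after `gpg --edit-key ... expire` and failing the provisioning step when the primary key still reports `never` turns the silent failure into a visible one.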