Cannot set GPG key expiration
It fails without throwing an error.
$ onlykey-gpg init "Example <example@example.com>"
2021-07-07 07:09:40,451 WARNING This GPG tool is still in EXPERIMENTAL mode, so please note that the API and features may change without backwards compatibility! [__init__.py:128]
2021-07-07 07:09:40,473 WARNING NOTE: in order to re-generate the exact same GPG key later, run this command with "--time=0" commandline flag (to set the timestamp of the GPG key manually). [__init__.py:41]
Enter the 3 digit challenge code on OnlyKey to authorize <gpg://Example <example@example.com>|ed25519>
5 3 5
Enter the 3 digit challenge code on OnlyKey to authorize <gpg://Example <example@example.com>|ed25519>
6 2 3
gpg: inserting ownertrust of 6
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
sec ed25519 1970-01-01 [SCA]
4580C116CCFF13E0C22B946C4AB5CB4FDB7469B3
uid [ultimate] Example <example@example.com>
ssb cv25519 1970-01-01 [E]
$ gpg --list-keys
/home/user/.gnupg/onlykey/pubring.kbx
-------------------------------------
pub ed25519 1970-01-01 [SCA]
4580C116CCFF13E0C22B946C4AB5CB4FDB7469B3
uid [ultimate] Example <example@example.com>
sub cv25519 1970-01-01 [E]
$ gpg --edit-key 4580C116CCFF13E0C22B946C4AB5CB4FDB7469B3
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec ed25519/4AB5CB4FDB7469B3
created: 1970-01-01 expires: never usage: SCA
trust: ultimate validity: ultimate
ssb cv25519/0F1D4FAC1750FCB0
created: 1970-01-01 expires: never usage: E
[ultimate] (1). Example <example@example.com>
gpg> key 0
sec ed25519/4AB5CB4FDB7469B3
created: 1970-01-01 expires: never usage: SCA
trust: ultimate validity: ultimate
ssb cv25519/0F1D4FAC1750FCB0
created: 1970-01-01 expires: never usage: E
[ultimate] (1). Example <example@example.com>
gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Fri 07 Jul 2023 07:11:17 AM GMT
Is this correct? (y/N) y
sec ed25519/4AB5CB4FDB7469B3
created: 1970-01-01 expires: never usage: SCA
trust: ultimate validity: ultimate
ssb cv25519/0F1D4FAC1750FCB0
created: 1970-01-01 expires: never usage: E
[ultimate] (1). Example <example@example.com>
gpg> quit
Save changes? (y/N) y
$ gpg --edit-key 4580C116CCFF13E0C22B946C4AB5CB4FDB7469B3
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec ed25519/4AB5CB4FDB7469B3
created: 1970-01-01 expires: never usage: SCA
trust: ultimate validity: ultimate
ssb cv25519/0F1D4FAC1750FCB0
created: 1970-01-01 expires: never usage: E
[ultimate] (1). Example <example@example.com>
gpg> quit
$ onlykey-cli fwversion
v2.1.1-prodc
This still happens with firmware v2.1.2-prodc.
I just tried setting expiration by editing; that seems to work fine.
gpg --edit-key 8B737014B66B3A4C4680CF4F3DFD6D925A6AF6A3
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec ed25519/3DFD6D925A6AF6A3
created: 2023-02-23 expires: never usage: SC
trust: ultimate validity: ultimate
ssb cv25519/26E2ABE33E1A12C8
created: 2023-02-23 expires: never usage: E
ssb ed25519/561AD01D5ED33E8E
created: 2023-02-23 expires: never usage: S
ssb cv25519/E030A3DC86C9D3DC
created: 2023-02-23 expires: never usage: E
[ultimate] (1). onlykey test onlykey@onlykey.io
gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Thu 03 Apr 2025 09:37:37 AM EDT
Is this correct? (y/N) y
sec ed25519/3DFD6D925A6AF6A3
created: 2023-02-23 expires: 2025-04-03 usage: SC
trust: ultimate validity: ultimate
ssb cv25519/26E2ABE33E1A12C8
created: 2023-02-23 expires: never usage: E
ssb ed25519/561AD01D5ED33E8E
created: 2023-02-23 expires: never usage: S
ssb cv25519/E030A3DC86C9D3DC
created: 2023-02-23 expires: never usage: E
[ultimate] (1). onlykey test onlykey@onlykey.io
There is nothing in firmware that controls key expiration; that is a software feature of GnuPG.
This happens to me out of the box, creating a new virtual machine on Qubes, after pip3 install onlykey-agent, running the exact steps of my original post.
Would you mind trying those steps in a new virtual machine, instead of changing the expiration date of an already existing key?
Even if the firmware isn't controlling this, this is still an error in the documentation, because following the steps in the documentation isn't working.
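A check for the silent failure reported in this thread, as an added example that is not part of the issue or of the project's code: it reads the machine-readable `gpg --with-colons` listing and reports whether an expiration time was actually stored, instead of relying on the interactive `expire` dialogue. The function names and both sample listings are constructed for illustration; only the key IDs and fingerprint come from the transcripts above.

```shell
#!/bin/sh
# Added example: show the expiration field gpg actually stored for each key.
# In `--with-colons` output, field 5 is the key ID, field 6 the creation time
# and field 7 the expiration time (empty when the key never expires).

# Constructed sample: the key from the report, still without an expiration.
SAMPLE_NO_EXPIRY='pub:u:256:22:4AB5CB4FDB7469B3:0:::u:::scaESCA:
fpr:::::::::4580C116CCFF13E0C22B946C4AB5CB4FDB7469B3:
uid:u::::0::::Example <example@example.com>:
sub:u:256:18:0F1D4FAC1750FCB0:0::::::e:'

# Constructed sample: a primary key whose expiration was saved (timestamps are
# made-up epoch values); the subkey keeps its own, separate expiration field.
SAMPLE_EXPIRY='pub:u:256:22:3DFD6D925A6AF6A3:1677110400:1743687457::u:::scESC:
sub:u:256:18:26E2ABE33E1A12C8:1677110400::::::e:'

# stdin: colon listing; stdout: "<record type> <key id> <expiry|never>" per key.
expiry_report() {
    awk -F: '$1 == "pub" || $1 == "sec" || $1 == "sub" || $1 == "ssb" {
        print $1, $5, ($7 == "" ? "never" : $7)
    }'
}

# stdin: colon listing; exit status 0 only if a primary key is present and
# every primary key in the listing carries an expiration time.
primary_has_expiry() {
    awk -F: '$1 == "pub" || $1 == "sec" { found = 1; if ($7 == "") bad = 1 }
             END { exit (found && !bad) ? 0 : 1 }'
}

# Against a real keyring, run this after "gpg --edit-key ... expire" and save:
#   gpg --list-keys --with-colons 4580C116CCFF13E0C22B946C4AB5CB4FDB7469B3 \
#       | primary_has_expiry || echo "expiration was NOT stored" >&2

printf '%s\n' "$SAMPLE_NO_EXPIRY" | expiry_report
printf '%s\n' "$SAMPLE_EXPIRY" | expiry_report
```

Subkeys are reported separately because `expire` with no subkey selected changes only the primary key, as both transcripts show.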