Can't update an expired PGP key

Hi listers,

I'm having trouble updating my expired PGP key in a Ciphermail instance.
Here is what I did:

  * My public key was expired, so I generated a new public key with no
    expiration date. I tested it locally in Thunderbird: I deleted my
    old public key; I imported the new one and tried to send some
    encrypted emails. All fine.
  * I uploaded my PGP key to our own PGP key server
    (https://pgpkeys.icij.org) and made sure the new public key was in
    place: I downloaded and checked it; it was the correct one, without
    the expiration date.
  * I logged in to our Ciphermail instance, went to the PGP area, and
    searched for my old, expired key. It showed as expired, and I
    deleted it. I verified that my key was no longer available in
    Ciphermail.
  * I went to the "Search keys" area to download my new key again from
    our PGP keyserver into Ciphermail (our Ciphermail is configured with
    just one PGP keyserver: our private one).
  * I located my new key, and it showed the right one: recently created
    and no expiration date. I imported it into Ciphermail.
  * When I go back to the main PGP keys page and search for my key, it
    again shows my key as expired.
  * If I click on "Download Public keys" link, the downloaded public key
    is the _good_ one, without an expiration date.

So it seems I can't update my expired PGP key. It looks like Ciphermail
is somehow keeping my expiration date somewhere, and ignoring the new
"non-expiration" from the newly downloaded key, even if I delete the old
key and reimport the new one.

Any ideas?

J.

--
Jorge Gonzalez Villalonga
Systems Engineer
The International Consortium of Investigative Journalists
<https://www.icij.org>
1710 Rhode Island Ave NW, 11th floor | Washington DC 20036 | United States
Phone: +34 672 173 200 (Madrid, Spain)

Hi Jorge,

This looks like a bug. It is debatable what it means if there is a
signature which says that a key is expired and there is another
signature which says that the key never expires. That said, the new
signature that says that the key never expires is newer so it should
prevail. I will look into it. As a workaround you might try to create a
new key signature with an expiration date far in the future.

I'll look into the issue.

Kind regards,

Martijn Brinkers

--
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger

On Thu, 2021-04-15 at 10:23 +0200, Jorge Gonzalez via Users wrote:


Hi Martijn,

Thanks, this did the trick for the moment.

Now I have spotted some more glitches about this:

  * At first, I changed the expiration date of my public key to 10 years
    in the future, and saved. I did _not_ change the expiration date of
    the SSB (signing key), which was still non-expiring.
  * I exported the pub key (which includes both pubkeys? confirm...),
    reuploaded it to our PGP keyserver, and reimported it into Ciphermail.
  * Now Ciphermail showed the expiration date correctly, 10 years in the
    future.
  * When I searched for the new key while importing, though, the found
    key was being shown as non-expiring.
  * With this key imported in Ciphermail, I tried to send a test email,
    and it did NOT work. The email bounced (I have Ciphermail set up to
    reject all emails which it cannot encrypt).

After that:

  * I changed the expiration date of both the public key _and_ the
    signing key, to the same 10 years in the future, and saved.
  * I exported the new pubkey, reuploaded it to our PGP keyserver, and
    reimported it into Ciphermail.
  * Now again Ciphermail shows the expiration date correctly (+10y).
  * Again, when I searched for the new key while importing, the found
    key was being shown as non-expiring. This is definitely a bug, since
    all keys now have an expiration date set.
  * With this key imported in Ciphermail, I tried to send a test email,
    and it DID work.

So I'm fine for now, because I got it working. But it seems the old keys
are being cached somewhere in Ciphermail, even after I delete them, and
the cached ones are being used to show info about them, but not for
signing...

Also, maybe that the expiration date shown is from the signing key and
not the general pubkey...

I hope this additional info is useful for you :) Feel free to contact
me for some more tests if you need.

Thanks again for a great piece of software.

Cheers

Jorge

On 16/4/21 at 10:38, Martijn Brinkers wrote:


Hi Jorge,

The CipherMail code that checks the key expiration skipped the User ID
packet if the key expiration packet was missing. It should however treat
the missing key expiration as "never expire". I have fixed this.

The other issue you reported, about the search result, is not a
CipherMail issue but more a key server issue. The CipherMail gateway
reports the "raw" results from the key server. It looks like your key
server (https://pgpkeys.icij.org/) returns empty values for the
expiration date.

Kind regards,

Martijn Brinkers

On Fri, 2021-04-16 at 17:48 +0200, Jorge Gonzalez wrote:

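
The rule Martijn states above (the newest self-signature decides, and a
missing Key Expiration Time subpacket means the key never expires) in
working code, as an added example that is not CipherMail's code. It is a
minimal RFC 4880 packet parser that resolves the primary key's expiry from
its newest self-certification and each subkey's expiry from its newest
binding signature; the skip_missing_expiry switch reproduces the behaviour
described in the fix (a self-signature without the subpacket is skipped,
so the older expiry wins). The sample key at the bottom is constructed:
correct packet layout, dummy RSA numbers and unverifiable signature MPIs,
with dates chosen to mirror the thread (key created 2016-03-29, a
five-year self-certification that ran out on 2021-03-28, and a newer
self-certification dated 2021-04-16). It verifies no signatures, so it is
for reasoning about expiry, not for deciding whether to trust a key.

```python
"""Resolve OpenPGP (RFC 4880) key expiration: the newest self-signature wins, and a newest
signature without a Key Expiration Time subpacket means "never expires". Added example."""
import struct
TAG_SIG, TAG_PUBKEY, TAG_UID, TAG_SUBKEY = 2, 6, 13, 14
SUB_SIG_CREATED, SUB_KEY_EXPIRES = 2, 9                      # signature subpacket types
CERT_SIG_TYPES, SUBKEY_BINDING = {0x10, 0x11, 0x12, 0x13}, 0x18

def _read_len(data, i):
    """New-format length octets (RFC 4880 4.2.2): returns (length, index after it)."""
    first = data[i]
    if first < 192:
        return first, i + 1
    if first < 224:
        return ((first - 192) << 8) + data[i + 1] + 192, i + 2
    if first == 255:
        return struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths are not supported")

def iter_packets(data):
    """Yield (tag, body) per packet; gpg exports mix old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                                           # new format
            tag, (length, i) = hdr & 0x3F, _read_len(data, i + 1)
        else:                                                    # old format
            tag, size = (hdr >> 2) & 0x0F, (1, 2, 4, None)[hdr & 0x03]
            if size is None:
                raise ValueError("indeterminate-length packets are not supported")
            length, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + length]
        i += length

def parse_signature(body):
    """(sig_type, created, expires_after) from a v4 signature; expires_after is seconds
    after key creation, or None when the Key Expiration Time subpacket is absent."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are supported")
    hashed_len = struct.unpack(">H", body[4:6])[0]              # version, type, pk, hash, len
    area, i, subs = body[6:6 + hashed_len], 0, {}
    while i < len(area):
        length, i = _read_len(area, i)
        subs[area[i] & 0x7F] = area[i + 1:i + length]            # mask the critical bit
        i += length
    created = struct.unpack(">I", subs[SUB_SIG_CREATED])[0]
    exp = subs.get(SUB_KEY_EXPIRES)
    return body[1], created, (struct.unpack(">I", exp)[0] if exp else None)

def key_expirations(data, skip_missing_expiry=False):
    """List of (kind, key_created, expiry) per key; expiry None means never expires.
    skip_missing_expiry=True reproduces the behaviour Martijn describes fixing: a
    self-signature with no expiration subpacket is ignored, so an older expiry wins."""
    keys, newest = [], []            # newest[i]: creation time of the signature that set keys[i]
    for tag, body in iter_packets(data):
        if tag in (TAG_PUBKEY, TAG_SUBKEY):
            kind = "primary" if tag == TAG_PUBKEY else "subkey"
            keys.append([kind, struct.unpack(">I", body[1:5])[0], None])  # v4: version, created
            newest.append(-1)
        elif tag == TAG_SIG and keys:                            # binds to the last key seen
            sig_type, sig_created, expires_after = parse_signature(body)
            wanted = CERT_SIG_TYPES if keys[-1][0] == "primary" else {SUBKEY_BINDING}
            if sig_type not in wanted or (expires_after is None and skip_missing_expiry):
                continue
            if sig_created > newest[-1]:
                newest[-1] = sig_created
                keys[-1][2] = None if expires_after is None else keys[-1][1] + expires_after
    return [tuple(k) for k in keys]

# ---- constructed sample key: real packet layout, dummy RSA numbers, unverifiable signatures
def _packet(tag, body):                 # new-format header; sample bodies stay < 192 octets
    return bytes([0xC0 | tag, len(body)]) + body

def _key_packet(tag, created):          # v4 RSA key with a 16-bit "modulus" and e = 65537
    mpis = struct.pack(">H", 16) + b"\xc0\x01" + struct.pack(">H", 17) + b"\x01\x00\x01"
    return _packet(tag, b"\x04" + struct.pack(">I", created) + b"\x01" + mpis)

def _sig_packet(sig_type, created, expires_after=None):
    hashed = bytes([5, SUB_SIG_CREATED]) + struct.pack(">I", created)
    if expires_after is not None:
        hashed += bytes([5, SUB_KEY_EXPIRES]) + struct.pack(">I", expires_after)
    body = (b"\x04" + bytes([sig_type, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + b"\x00\x00" + b"\xab\xcd" + struct.pack(">H", 8) + b"\x42")
    return _packet(TAG_SIG, body)

KEY_CREATED, NEWER_SIG = 1459209600, 1618531200              # 2016-03-29 and 2021-04-16 UTC
FIVE_YEARS, TEN_YEARS = 5 * 365 * 86400, 10 * 365 * 86400

def build_sample_key(newer_expires_after=None):
    """2016 primary key: five-year self-cert (expired March 2021), a newer April 2021
    self-cert that drops or replaces the expiry, and a subkey still bound for five years."""
    return (_key_packet(TAG_PUBKEY, KEY_CREATED)
            + _packet(TAG_UID, b"Jorge Gonzalez <jorgegv@icij.org>")
            + _sig_packet(0x13, KEY_CREATED, FIVE_YEARS)
            + _sig_packet(0x13, NEWER_SIG, newer_expires_after)
            + _key_packet(TAG_SUBKEY, KEY_CREATED)
            + _sig_packet(SUBKEY_BINDING, KEY_CREATED, FIVE_YEARS))
```

With the defaults, key_expirations(build_sample_key()) reports the primary
key as never expiring and the subkey as expiring 2021-03-28; with
skip_missing_expiry=True the newer self-certification is ignored and the
primary key shows the old 2021-03-28 expiry, which is the symptom Jorge
reported. The subkey's binding signature is resolved on its own: renewing
the primary key's expiry does not touch an expired encryption subkey, and
an encryption subkey that has expired is enough to leave a gateway with
nothing to encrypt to.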

Hi again Martijn,

Thanks for fixing.

Regarding the search result: are you sure? This is what I get when I run
gpg over my new public key just downloaded from pgpkeys.icij.org:

  [jorgegv(a)endor Descargas]$ LANG=C gpg D43C4D3C9AC70EBBE87330E9AA976E29616D42D4.asc
  gpg: WARNING: no command supplied. Trying to guess what you mean ...
  pub rsa4096 2016-03-29 [SCA] [expires: 2031-04-14]
        D43C4D3C9AC70EBBE87330E9AA976E29616D42D4
  uid Jorge Gonzalez <jorge.gonzalez(a)daikon.es>
  uid Jorge Gonzalez <jorgegv(a)icij.org>
  sub rsa4096 2016-03-29 [E] [expires: 2031-04-14]

It seems all keys and subkeys have an expiration date, right?

???

J.

On 19/4/21 at 15:46, Martijn Brinkers wrote:


What I mean is that the CipherMail search page literally shows what is
returned by the key server, without importing the key.

So if you look up your key on pgpkeys.icij.org with your browser

https://pgpkeys.icij.org/pks/lookup/?search=jorgegv%40icij.org&op=index&options=mr&exact=off

you get the result:

info:1:1
pub:D43C4D3C9AC70EBBE87330E9AA976E29616D42D4:1:4096:1618586394::
uid:Jorge%20Gonzalez%20%3Cjorge.gonzalez(a)daikon.es%3E:1618586394::
uid:Jorge%20Gonzalez%20%3Cjorgegv(a)icij.org%3E:1618586394::

The lines list the date the signature was created (1618586394) but lack
the expiration time field (::).

If you do a similar lookup on another key server (which does not use
sequoia-pgp), it reports the expiration date:

http://pgp.surfnet.nl:11371/pks/lookup?search=jorgegv%40icij.org&op=index&options=mr&exact=off

info:1:1
pub:D43C4D3C9AC70EBBE87330E9AA976E29616D42D4:1:4096:1459236762:1616916762:
uid:Jorge Gonzalez <jorgegv(a)icij.org>:1489433573::
uid:Jorge Gonzalez <jorge.gonzalez(a)daikon.es>:1459236762::
uat::::

Note that the expiration date on this key server is still the old
expiration date (1616916762, which is Sun Mar 28 2021 07:32:42 GMT+0000).

The key server reports results in the following format:

pub:<keyid>:<algo>:<keylen>:<creationdate>:<expirationdate>:<flags>

See draft-shaw-openpgp-hkp-00.

It looks like sequoia-pgp does not include the expiration date.

Once you import the key, CipherMail will report the correct expiration
date.

Kind regards,

Martijn Brinkers

On Mon, 2021-04-19 at 17:12 +0200, Jorge Gonzalez wrote:

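
As an added example (not CipherMail's code), a parser for the HKP
machine-readable index format Martijn quotes above, run over two
constructed listings modelled on the pgpkeys.icij.org and pgp.surfnet.nl
responses in the thread (addresses written out with @ / %40 rather than
the archive's "(a)"). It shows the distinction the thread turns on: the
sequoia-style response leaves the expiration field empty, which a client
should surface as "not reported" rather than as "never expires", while the
SKS-style response carries 1616916762, which was already in the past when
the thread was written.

```python
"""Parse HKP machine-readable index output (draft-shaw-openpgp-hkp-00, options=mr) and
interpret the expiration field conservatively. Added example for this thread."""
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed samples modelled on the two listings quoted in the thread (addresses use
# '@' / '%40' instead of the archive's "(a)" obfuscation).
SEQUOIA_STYLE_INDEX = """\
info:1:1
pub:D43C4D3C9AC70EBBE87330E9AA976E29616D42D4:1:4096:1618586394::
uid:Jorge%20Gonzalez%20%3Cjorge.gonzalez%40daikon.es%3E:1618586394::
uid:Jorge%20Gonzalez%20%3Cjorgegv%40icij.org%3E:1618586394::
"""
SKS_STYLE_INDEX = """\
info:1:1
pub:D43C4D3C9AC70EBBE87330E9AA976E29616D42D4:1:4096:1459236762:1616916762:
uid:Jorge Gonzalez <jorgegv@icij.org>:1489433573::
uid:Jorge Gonzalez <jorge.gonzalez@daikon.es>:1459236762::
uat::::
"""

def _opt_int(field):
    """HKP allows any field to be empty; report that as None rather than guessing."""
    return int(field) if field else None

def parse_hkp_index(text):
    """Return one dict per pub line: keyid, algo, keylen, created, expires, flags, uids.
    uid lines keep their own created/expires/flags; uat (user attribute) lines are skipped."""
    keys, info = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        kind, _, rest = raw.partition(":")
        if kind == "info":
            version, count = rest.split(":")[:2]
            info = {"version": int(version), "count": int(count)}
        elif kind == "pub":
            keyid, algo, keylen, created, expires, flags = (rest.split(":") + [""] * 6)[:6]
            keys.append({"keyid": keyid.upper(), "algo": _opt_int(algo),
                         "keylen": _opt_int(keylen), "created": _opt_int(created),
                         "expires": _opt_int(expires), "flags": flags, "uids": []})
        elif kind == "uid" and keys:
            # The uid string is %-escaped by spec, but some servers emit it raw (see the
            # SKS-style sample); splitting from the right keeps any ':' inside the uid intact.
            uid, created, expires, flags = (rest.rsplit(":", 3) + [""] * 3)[:4]
            keys[-1]["uids"].append({"uid": unquote(uid), "created": _opt_int(created),
                                     "expires": _opt_int(expires), "flags": flags})
    if info is not None and info["count"] != len(keys):
        raise ValueError(f"info line announced {info['count']} keys, found {len(keys)}")
    return keys

def expiry_status(key, now):
    """Client-side reading of a pub line: a timestamp or an 'e' flag is authoritative, but
    an empty field only says the server did not report an expiry. That is not the same as
    "never expires"; the imported key's own self-signatures decide that."""
    if "e" in key["flags"] or (key["expires"] is not None and key["expires"] <= now):
        return "expired"
    if key["expires"] is None:
        return "not reported"
    until = datetime.fromtimestamp(key["expires"], timezone.utc).strftime("%Y-%m-%d")
    return f"valid until {until}"
```

Run against the two samples with now=1618586394 (the creation timestamp in
the sequoia-style listing), the first key comes back as "not reported" and
the second as "expired"; with an earlier now it reads "valid until
2021-03-28", which is the old expiry Martijn points out. A gateway UI that
renders the empty field as "never expires" is overstating what the server
said, which is exactly the confusion the search page caused here.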