Expiry date of GPG key is reported wrong #6599

Closed
1 of 7 tasks
tastytea opened this issue Apr 13, 2019 · 8 comments · Fixed by #6643

@tastytea

  • Gitea version (or commit ref): 1.7.6
  • Git version:
  • Operating system:
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

I added a GPG key that expires 2020-04-05.

% LC_ALL=C gpg --list-keys 59346E0EA35C67E5
pub   rsa4096/59346E0EA35C67E5 2017-06-17 [SC] [expires: 2020-04-05]
      Key fingerprint = D5B4 C43B 48A8 79F6 3529  36E6 5934 6E0E A35C 67E5
uid                 [ultimate] tastytea <tastyteaXtastytea.de>
uid                 [ultimate] gentooXtastytea.de
sub   rsa4096/CA258ACA1C76DAA7 2017-06-17 [E] [expires: 2020-04-05]
sub   dsa3072/CFC39497F1B26E07 2018-07-16 [S] [expires: 2020-04-05]

Gitea claims that it is valid until 2022-01-23.

Screenshots

screenshot_2019-04-13T06:07:36

@lafriks
Member

lafriks commented Apr 13, 2019

Could you provide public key so we could reproduce this?

@tastytea
Author

@sapk
Member

sapk commented Apr 15, 2019

I found a signature of a subkey that should be valid until 2022, but maybe we should have ignored it, as the primary key that signs it expires before.

    subpacketType:"Signature Creation Time (0x2)"
    creationTime:"Sat Apr 06 2019 18:50:56 GMT+0200 (heure d’été d’Europe centrale)"
    length:"5"
    subpacketType:"Key Expiration Time (0x9)"
    data:"0544e755"

The expire time is detected here but should be based on primary at first glance.


@sapk
Member

sapk commented Apr 15, 2019

You seem to have re-signed your key on Sat Apr 06 2019 18:36:32 GMT+0200 for nearly 2.8 years, so the date we display should be good. Maybe you re-signed this key on another computer and didn't re-import the re-signed key on your other one?

Based on:

Signature Packet (0x2)

  cipherTypeByte: "137"
  length: "599"
  version: "4"
  signatureType: "Positive certification of a User ID and Public-Key packet. (0x13)"
  publicKeyAlgorithm: "RSA (Encrypt or Sign) (0x1)"
  hashAlgorithm: "SHA256 (0x8)"
  hashedDataCount: "65"
  subpackets:
    length:"2"
    subpacketType:"Key Flags (0x1b)"
    keyFlags:"certify (0x1),sign (0x2)"
    length:"5"
    subpacketType:"Key Expiration Time (0x9)"
    data:"03c39105"
    length:"5"
    subpacketType:"Preferred Symmetric Algorithms (0xb)"
    preferredSymmetricAlgorithms:"AES with 256-bit key (0x9),AES with 192-bit key (0x8),AES with 128-bit key (0x7),TripleDES (DES-EDE, 168 bit key derived from 192) (0x2)"
    length:"6"
    subpacketType:"Preferred Hash Algorithms (0x15)"
    preferredHashAlgorithms:"SHA256 (0x8),SHA384 (0x9),SHA512 (0xa),SHA224 (0xb),SHA1 (0x2)"
    length:"4"
    subpacketType:"Preferred Compression Algorithms (0x16)"
    preferredCompressionAlgorithms:"ZLIB (0x2),BZip2 (0x3),ZIP (0x1)"
    length:"2"
    subpacketType:"Features (0x1e)"
    keyFeatures:"Modification detection (0x1)"
    length:"2"
    subpacketType:"Key Server Preferences (0x17)"
    keyServerPreferences:"No-modify (0x80)"
    length:"22"
    subpacketType:"undefined (0x21)"
    data:"04d5b4c43b48a879f6352936e659346e0ea35c67e5"
    length:"5"
    subpacketType:"Signature Creation Time (0x2)"
    creationTime:"Sat Apr 06 2019 18:36:32 GMT+0200 (heure d’été d’Europe centrale)"
    length:"2"
    subpacketType:"Primary User ID (0x19)"
    data:"01"
  unhashedDataCount: "10"
  subpackets:
    length:"9"
    subpacketType:"Issuer (0x10)"
    keyId:"59346e0ea35c67e5"
  signedHashValuePrefix: "75c1"

@sapk
Member

sapk commented Apr 15, 2019

I don't know why gpg totally ignores some packets and if we should do the same.
Full dump from gpg --list-packets:

gpg --list-packets tastytea.asc 
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
	version 4, algo 1, created 1497703707, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: 59346E0EA35C67E5
# off=528 ctb=b4 tag=13 hlen=2 plen=31
:user ID packet: "tastytea <tastytea@tastytea.de>"
# off=561 ctb=89 tag=2 hlen=3 plen=599
:signature packet: algo 1, keyid 59346E0EA35C67E5
	version 4, created 1554569389, md5len 0, sigclass 0x13
	digest algo 8, begin of digest 13 14
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
	hashed subpkt 21 len 5 (pref-hash-algos: 8 9 10 11 2)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	hashed subpkt 25 len 1 (primary user ID)
	hashed subpkt 33 len 21 (issuer fpr v4 D5B4C43B48A879F6352936E659346E0EA35C67E5)
	hashed subpkt 2 len 4 (sig created 2019-04-06)
	hashed subpkt 9 len 4 (key expires after 2y293d4h1m)
	subpkt 16 len 8 (issuer key ID 59346E0EA35C67E5)
	data: [4094 bits]
# off=1163 ctb=89 tag=2 hlen=3 plen=596
:signature packet: algo 1, keyid 59346E0EA35C67E5
	version 4, created 1497703707, md5len 0, sigclass 0x13
	digest algo 8, begin of digest 4a 1a
	hashed subpkt 33 len 21 (issuer fpr v4 D5B4C43B48A879F6352936E659346E0EA35C67E5)
	hashed subpkt 2 len 4 (sig created 2017-06-17)
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 9 len 4 (key expires after 2y0d21h11m)
	hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
	hashed subpkt 21 len 5 (pref-hash-algos: 8 9 10 11 2)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	subpkt 16 len 8 (issuer key ID 59346E0EA35C67E5)
	data: [4095 bits]
# off=1762 ctb=89 tag=2 hlen=3 plen=599
:signature packet: algo 1, keyid 59346E0EA35C67E5
	version 4, created 1554568592, md5len 0, sigclass 0x13
	digest algo 8, begin of digest 75 c1
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 9 len 4 (key expires after 2y0d21h11m)
	hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
	hashed subpkt 21 len 5 (pref-hash-algos: 8 9 10 11 2)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	hashed subpkt 33 len 21 (issuer fpr v4 D5B4C43B48A879F6352936E659346E0EA35C67E5)
	hashed subpkt 2 len 4 (sig created 2019-04-06)
	hashed subpkt 25 len 1 (primary user ID)
	subpkt 16 len 8 (issuer key ID 59346E0EA35C67E5)
	data: [4094 bits]
# off=2364 ctb=b4 tag=13 hlen=2 plen=18
:user ID packet: "gentoo@tastytea.de"
# off=2384 ctb=89 tag=2 hlen=3 plen=596
:signature packet: algo 1, keyid 59346E0EA35C67E5
	version 4, created 1554569389, md5len 0, sigclass 0x13
	digest algo 8, begin of digest 58 64
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
	hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	hashed subpkt 33 len 21 (issuer fpr v4 D5B4C43B48A879F6352936E659346E0EA35C67E5)
	hashed subpkt 2 len 4 (sig created 2019-04-06)
	hashed subpkt 9 len 4 (key expires after 2y293d4h1m)
	subpkt 16 len 8 (issuer key ID 59346E0EA35C67E5)
	data: [4094 bits]
# off=2983 ctb=89 tag=2 hlen=3 plen=596
:signature packet: algo 1, keyid 59346E0EA35C67E5
	version 4, created 1554568394, md5len 0, sigclass 0x13
	digest algo 8, begin of digest 6b 30
	hashed subpkt 33 len 21 (issuer fpr v4 D5B4C43B48A879F6352936E659346E0EA35C67E5)
	hashed subpkt 2 len 4 (sig created 2019-04-06)
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 9 len 4 (key expires after 2y0d21h11m)
	hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
	hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	subpkt 16 len 8 (issuer key ID 59346E0EA35C67E5)
	data: [4094 bits]
# off=3582 ctb=b9 tag=14 hlen=3 plen=525
:public sub key packet:
	version 4, algo 1, created 1497703707, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: CA258ACA1C76DAA7
# off=4110 ctb=89 tag=2 hlen=3 plen=572
:signature packet: algo 1, keyid 59346E0EA35C67E5
	version 4, created 1554569456, md5len 0, sigclass 0x18
	digest algo 8, begin of digest 7e 1e
	hashed subpkt 27 len 1 (key flags: 0C)
	hashed subpkt 33 len 21 (issuer fpr v4 D5B4C43B48A879F6352936E659346E0EA35C67E5)
	hashed subpkt 2 len 4 (sig created 2019-04-06)
	hashed subpkt 9 len 4 (key expires after 2y293d4h2m)
	subpkt 16 len 8 (issuer key ID 59346E0EA35C67E5)
	data: [4093 bits]
# off=4685 ctb=b9 tag=14 hlen=3 plen=1198
:public sub key packet:
	version 4, algo 17, created 1531759626, expires 0
	pkey[0]: [3072 bits]
	pkey[1]: [256 bits]
	pkey[2]: [3071 bits]
	pkey[3]: [3072 bits]
	keyid: CFC39497F1B26E07
# off=5886 ctb=89 tag=2 hlen=3 plen=691
:signature packet: algo 1, keyid 59346E0EA35C67E5
	version 4, created 1554569456, md5len 0, sigclass 0x18
	digest algo 8, begin of digest 60 6f
	hashed subpkt 27 len 1 (key flags: 02)
	hashed subpkt 33 len 21 (issuer fpr v4 D5B4C43B48A879F6352936E659346E0EA35C67E5)
	hashed subpkt 2 len 4 (sig created 2019-04-06)
	hashed subpkt 9 len 4 (key expires after 1y264d0h3m)
	subpkt 32 len 117 (signature: v4, class 0x19, algo 17, digest algo 8)
	subpkt 16 len 8 (issuer key ID 59346E0EA35C67E5)
	data: [4096 bits]

@tastytea
Author

tastytea commented Apr 15, 2019

On 2019-04-06 I added the email address gentoo@tastytea.de and changed the expiration dates on all keys. It seems since that day every keyid has 2 signatures?

I have cleaned the key now (gpg --edit-key, then clean) and now every keyid has only one signature, the one with the creation date 2019-04-06. But gpg still says that it expires 2020-04-05.

pub   rsa4096/59346E0EA35C67E5 2017-06-17 [SC] [expires: 2020-04-05]
      Key fingerprint = D5B4 C43B 48A8 79F6 3529  36E6 5934 6E0E A35C 67E5
uid                 [ultimate] tastytea <tastytea@tastytea.de>
uid                 [ultimate] gentoo@tastytea.de
sub   rsa4096/CA258ACA1C76DAA7 2017-06-17 [E] [expires: 2020-04-05]
sub   dsa3072/CFC39497F1B26E07 2018-07-16 [S] [expires: 2020-04-05]

% LC_ALL=C gpg --list-packets tastytea.asc
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
        version 4, algo 1, created 1497703707, expires 0
        pkey[0]: [4096 bits]
        pkey[1]: [17 bits]
        keyid: 59346E0EA35C67E5
# off=528 ctb=b4 tag=13 hlen=2 plen=31
:user ID packet: "tastytea <tastytea@tastytea.de>"
# off=561 ctb=89 tag=2 hlen=3 plen=599
:signature packet: algo 1, keyid 59346E0EA35C67E5
        version 4, created 1554569389, md5len 0, sigclass 0x13
        digest algo 8, begin of digest 13 14
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
        hashed subpkt 21 len 5 (pref-hash-algos: 8 9 10 11 2)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        hashed subpkt 25 len 1 (primary user ID)
        hashed subpkt 33 len 21 (issuer fpr v4 D5B4C43B48A879F6352936E659346E0EA35C67E5)
        hashed subpkt 2 len 4 (sig created 2019-04-06)
        hashed subpkt 9 len 4 (key expires after 2y293d4h1m)
        subpkt 16 len 8 (issuer key ID 59346E0EA35C67E5)
        data: [4094 bits]
# off=1163 ctb=b4 tag=13 hlen=2 plen=18
:user ID packet: "gentoo@tastytea.de"
# off=1183 ctb=89 tag=2 hlen=3 plen=596
:signature packet: algo 1, keyid 59346E0EA35C67E5
        version 4, created 1554569389, md5len 0, sigclass 0x13
        digest algo 8, begin of digest 58 64
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
        hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        hashed subpkt 33 len 21 (issuer fpr v4 D5B4C43B48A879F6352936E659346E0EA35C67E5)
        hashed subpkt 2 len 4 (sig created 2019-04-06)
        hashed subpkt 9 len 4 (key expires after 2y293d4h1m)
        subpkt 16 len 8 (issuer key ID 59346E0EA35C67E5)
        data: [4094 bits]
# off=1782 ctb=b9 tag=14 hlen=3 plen=525
:public sub key packet:
        version 4, algo 1, created 1497703707, expires 0
        pkey[0]: [4096 bits]
        pkey[1]: [17 bits]
        keyid: CA258ACA1C76DAA7
# off=2310 ctb=89 tag=2 hlen=3 plen=572
:signature packet: algo 1, keyid 59346E0EA35C67E5
        version 4, created 1554569456, md5len 0, sigclass 0x18
        digest algo 8, begin of digest 7e 1e
        hashed subpkt 27 len 1 (key flags: 0C)
        hashed subpkt 33 len 21 (issuer fpr v4 D5B4C43B48A879F6352936E659346E0EA35C67E5)
        hashed subpkt 2 len 4 (sig created 2019-04-06)
        hashed subpkt 9 len 4 (key expires after 2y293d4h2m)
        subpkt 16 len 8 (issuer key ID 59346E0EA35C67E5)
        data: [4093 bits]
# off=2885 ctb=b9 tag=14 hlen=3 plen=1198
:public sub key packet:
        version 4, algo 17, created 1531759626, expires 0
        pkey[0]: [3072 bits]
        pkey[1]: [256 bits]
        pkey[2]: [3071 bits]
        pkey[3]: [3072 bits]
        keyid: CFC39497F1B26E07
# off=4086 ctb=89 tag=2 hlen=3 plen=691
:signature packet: algo 1, keyid 59346E0EA35C67E5
        version 4, created 1554569456, md5len 0, sigclass 0x18
        digest algo 8, begin of digest 60 6f
        hashed subpkt 27 len 1 (key flags: 02)
        hashed subpkt 33 len 21 (issuer fpr v4 D5B4C43B48A879F6352936E659346E0EA35C67E5)
        hashed subpkt 2 len 4 (sig created 2019-04-06)
        hashed subpkt 9 len 4 (key expires after 1y264d0h3m)
        subpkt 32 len 117 (signature: v4, class 0x19, algo 17, digest algo 8)
        subpkt 16 len 8 (issuer key ID 59346E0EA35C67E5)
        data: [4096 bits]

I don't know much about GPG, but it seems that expires after refers to the creation date of the key (1497703707), not the creation date of the signature?

New public key, after clean: tastytea.asc.txt

@sapk
Member

sapk commented Apr 15, 2019

@tastytea you are right https://tools.ietf.org/html/rfc4880#section-5.2.3.6

I will fix the mistake.

@sapk
Member

sapk commented Apr 15, 2019

I will add a test to the PR. You may need to re-import the key as the expiration time is calculated at import.
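
Added example, not part of the thread and not Gitea's code: the arithmetic behind the two dates, using the values the dumps above show for subkey CA258ACA1C76DAA7 (key created 1497703707, binding signature created 1554569456, Key Expiration Time data 0544e755). The function names are illustrative.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// decodeKeyLifetime decodes the 4-octet big-endian body of a Key Expiration
// Time subpacket (type 9), i.e. the "data" field shown in the dumps above.
func decodeKeyLifetime(hexData string) (time.Duration, error) {
	raw, err := hex.DecodeString(hexData)
	if err != nil {
		return 0, err
	}
	if len(raw) != 4 {
		return 0, errors.New("key expiration time subpacket must be 4 octets")
	}
	return time.Duration(binary.BigEndian.Uint32(raw)) * time.Second, nil
}

// keyExpiry applies RFC 4880 section 5.2.3.6: the lifetime counts from the
// key's creation time. A zero lifetime means the key never expires.
func keyExpiry(keyCreated time.Time, lifetime time.Duration) (time.Time, bool) {
	if lifetime == 0 {
		return time.Time{}, false
	}
	return keyCreated.Add(lifetime).UTC(), true
}

func main() {
	// Values copied from the dumps in this thread (subkey CA258ACA1C76DAA7).
	keyCreated := time.Unix(1497703707, 0)
	sigCreated := time.Unix(1554569456, 0)
	lifetime, err := decodeKeyLifetime("0544e755")
	if err != nil {
		panic(err)
	}
	right, _ := keyExpiry(keyCreated, lifetime)
	// The misreading: the same offset added to the signature creation time.
	wrong := sigCreated.Add(lifetime).UTC()
	fmt.Println("from key creation:      ", right.Format("2006-01-02"))
	fmt.Println("from signature creation:", wrong.Format("2006-01-02"))
}
```

The first date is the one gpg prints for this key; the second is the one Gitea displayed.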

@lafriks lafriks added this to the 1.8.0 milestone Apr 17, 2019
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020