Discussion:
How to update expiration date on pgp 2.6.3i key?
Bob Daniels
2015-05-01 08:49:34 UTC
Hi this is the first time one of my keys on 2.6.3i expired. I can't figure
out a way to update the expiration date. I created another key with the same
userid but the app that calls PGP (Emacs mailcrypt) seems confused about
which key is which. I still need the old key to decrypt old mail and I need
to update the expiration date so I can still use the old one. Any idea what
to do in this situation?

Best Regards,

Bob Daniels
David W. Hodgins
2015-05-01 12:03:36 UTC
Post by Bob Daniels
Hi this is the first time one of my keys on 2.6.3i expired. I can't figure
out a way to update the expiration date. I created another key with the same
userid but the app that calls PGP (Emacs mailcrypt) seems confused about
which key is which. I still need the old key to decrypt old mail and I need
to update the expiration date so I can still use the old one. Any idea what
to do in this situation?
The decryption of mail encrypted with an expired key should not be a
problem. I still use a key generated with pgp 1.0, but switched from
windows to linux about 10 years ago, and now use gpg instead (with
the same keyring).

I can't help with pgp now, but it should be in the documentation.
Worst case, copy the keyring to a linux system, then use gpg with
the --edit-key option, set the new expiry date, and then copy the
keyring back to the windows system.
https://www.gnupg.org/documentation/manpage.en.html

Just checked, and gpg is available for windows. https://gnupg.org/
Note that gpg and pgp can both work with the same keyrings, and
messages, etc.

Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
Bob Daniels
2015-05-01 12:25:03 UTC
Hi Dave,
Post by David W. Hodgins
Post by Bob Daniels
Hi this is the first time one of my keys on 2.6.3i expired. I can't figure
out a way to update the expiration date. I created another key with the same
userid but the app that calls PGP (Emacs mailcrypt) seems confused about
which key is which. I still need the old key to decrypt old mail and I need
to update the expiration date so I can still use the old one. Any idea what
to do in this situation?
The decryption of mail encrypted with an expired key should not be a
problem. I still use a key generated with pgp 1.0, but switched from
windows to linux about 10 years ago, and now use gpg instead (with
the same keyring).
Yeah the decrypt part works fine. It doesn't want to sign mail with my
expired key though which is kind of a bummer. My new key with the same
userid doesn't seem to be making life any simpler. I'll delete that one.

Fascinating you can use the same keyring with GPG. I did not know that.
Unfortunately my email pal uses an ancient version of PGP and we haven't
figured out how to make GPG spit out something his PGP can -eat so at this
point I'm using PGP 2.6.3i for him and GPG for everyone else.
Post by David W. Hodgins
I can't help with pgp now, but it should be in the documentation.
Worst case, copy the keyring to a linux system, then use gpg with
the --edit-key option, set the new expiry date, and then copy the
keyring back to the windows system.
https://www.gnupg.org/documentation/manpage.en.html
Ok I can try that. Thanks for the suggestion.
Post by David W. Hodgins
Note that gpg and pgp can both work with the same keyrings, and
messages, etc.
Amazing and kudos to whoever didn't NIH this one!

Bob
Guy
2015-05-01 12:47:36 UTC
Post by Bob Daniels
Post by David W. Hodgins
Post by Bob Daniels
Hi this is the first time one of my keys on 2.6.3i expired. I
can't figure out a way to update the expiration date.
Worst case, copy the keyring to a linux system, then use gpg with
the --edit-key option, set the new expiry date, and then copy the
keyring back to the windows system.
https://www.gnupg.org/documentation/manpage.en.html
Ok I can try that. Thanks for the suggestion.
gpg: You can't change the expiration date of a v3 key
David W. Hodgins
2015-05-02 02:43:11 UTC
Post by Guy
gpg: You can't change the expiration date of a v3 key
Oops. Sorry about that. I've never set an expiry date on any of my
keys, so hadn't actually tried changing one on one of my older keys.

I'm not sure if it's the lack of idea support (see my reply to Bob),
or if there is some other reason for the restriction.

It should be possible with a hex editor, but that requires learning
the format of the keyring, which is not simple. :-)

Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
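
Added example, not part of any post in this thread: a small Python reader for the keyring format mentioned above, showing where a v3 key keeps its expiry. A v3 key packet carries a two-octet validity period in days inside the packet itself (RFC 4880, section 5.5.2), and that packet body is part of what certifications over the key hash, so a hex edit of those octets breaks existing signatures on the key; a v4 key keeps expiry in a self-signature subpacket instead. The sample bytes are constructed toy packets, not real keys, and only old-format packet headers (the kind PGP 2.x writes) are handled.

```python
from datetime import datetime, timedelta, timezone

KEY_TAGS = {5: "secret key", 6: "public key", 7: "secret subkey", 14: "public subkey"}

def read_packets(data):
    """Yield (tag, body) for each old-format packet in a keyring (RFC 4880, 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("bad packet header at offset %d" % (i - 1))
        if hdr & 0x40:
            raise ValueError("new-format header not handled in this example")
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled")
        n = 1 << ltype                      # 1, 2 or 4 length octets
        length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def key_expiry_info(data):
    """Report, per key packet, its version and any expiry stored in the packet."""
    report = []
    for tag, body in read_packets(data):
        if tag not in KEY_TAGS or len(body) < 7:
            continue
        version = body[0]
        created = datetime.fromtimestamp(int.from_bytes(body[1:5], "big"), timezone.utc)
        days = expires = None
        if version in (2, 3):               # validity period lives in the key packet
            days = int.from_bytes(body[5:7], "big")
            expires = created + timedelta(days=days) if days else None
        # For v4, expiry is a subpacket of the self-signature, not read here.
        report.append({"kind": KEY_TAGS[tag], "version": version, "created": created,
                       "valid_days": days, "expires": expires})
    return report

# Constructed sample: toy v3 and v4 RSA public key packets (not real keys).
def _packet(body):
    return b"\x99" + len(body).to_bytes(2, "big") + body    # old format, tag 6

_CREATED = (946684800).to_bytes(4, "big")                    # 2000-01-01 00:00:00 UTC
_MPIS = b"\x00\x08\xc5" + b"\x00\x05\x11"                    # toy modulus and exponent
SAMPLE = (_packet(b"\x03" + _CREATED + (365).to_bytes(2, "big") + b"\x01" + _MPIS)
          + _packet(b"\x04" + _CREATED + b"\x01" + _MPIS))
```
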
Guy
2015-05-02 03:14:40 UTC
It's support for the idea algorithm that's missing, by default,
due to a patent issue. That patent has expired, so it's ok to add
it back in. See
https://bugs.mageia.org/show_bug.cgi?id=6910#c0
GPG v1

Noteworthy changes in version 1.4.13 (2012-12-20)
-------------------------------------------------

* Add support for the old cipher algorithm IDEA.
David W. Hodgins
2015-05-02 04:04:26 UTC
Post by Guy
It's support for the idea algorithm that's missing, by default,
due to a patent issue. That patent has expired, so it's ok to add
it back in. See
https://bugs.mageia.org/show_bug.cgi?id=6910#c0
GPG v1
Noteworthy changes in version 1.4.13 (2012-12-20)
-------------------------------------------------
* Add support for the old cipher algorithm IDEA.
I should have said enabled, rather than supported. The idea module
still has to be installed, and its use configured for each user.

Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
Guy
2015-05-02 14:59:52 UTC
Post by David W. Hodgins
I should have said enabled, rather than supported. The idea module
still has to be installed, and its use configured for each user
Cipher IDEA is included in GPG1 since version 1.4.13
I do not know about GPG2, I do not build/use that branch.


$ echo:foo|gpg -c --cipher-algo S1|gpg -d -v
gpg: IDEA encrypted data
gpg: encrypted with 1 passphrase
gpg: original file name=''
foo
gpg: WARNING: message was not integrity protected

$ grep -lr --include *c IDEA *
gnupg-1.4.19/cipher/cipher.c
gnupg-1.4.19/cipher/idea.c
gnupg-1.4.19/configure.ac
gnupg-1.4.19/g10/keygen.c
gnupg-1.4.19/g10/pkclist.c
gnupg-1.4.19/g10/encode.c
gnupg-1.4.19/g10/pubkey-enc.c
gnupg-1.4.19/g10/mainproc.c
gnupg-1.4.19/g10/gpg.c
gnupg-1.4.19/g10/seckey-cert.c
gnupg-1.4.19/gnupg.spec

$
David E. Ross
2015-05-02 15:07:03 UTC
Post by Bob Daniels
Hi this is the first time one of my keys on 2.6.3i expired. I can't figure
out a way to update the expiration date. I created another key with the same
userid but the app that calls PGP (Emacs mailcrypt) seems confused about
which key is which. I still need the old key to decrypt old mail and I need
to update the expiration date so I can still use the old one. Any idea what
to do in this situation?
Best Regards,
Bob Daniels
Instead of trying to change an existing key-pair -- which might
invalidate it for some uses -- just generate a new key-pair.

However, keep the expired key-pair. An expired private key can still be
used to decrypt something that used its associated public key to encrypt
something before the expiration. Also, the expired public key can still
be used to verify a digital signature generated by its associated
private key before the expiration.
--
David E. Ross

Why do we tolerate political leaders who
spend more time belittling hungry children
than they do trying to fix the problem of
hunger? <http://mazon.org/>
Bob Daniels
2015-05-04 16:20:04 UTC
Hi,
Post by David E. Ross
Post by Bob Daniels
Hi this is the first time one of my keys on 2.6.3i expired. I can't figure
out a way to update the expiration date. I created another key with the same
userid but the app that calls PGP (Emacs mailcrypt) seems confused about
which key is which. I still need the old key to decrypt old mail and I need
to update the expiration date so I can still use the old one. Any idea what
to do in this situation?
Best Regards,
Bob Daniels
Instead of trying to change an existing key-pair -- which might
invalidate it for some uses -- just generate a new key-pair.
I did that before posting but the app I use to deal with PGP seems to get
confused and no longer asks me for my passphrase- which is the same as for
the old, expired key- and no longer works. This has become a real mess.
Post by David E. Ross
However, keep the expired key-pair. An expired private key can still be
used to decrypt something that used its associated public key to encrypt
something before the expiration. Also, the expired public key can still
be used to verify a digital signature generated by its associated
private key before the expiration.
Thanks. I realize that. I'm not sure at the time this stuff was designed
everybody understood or agreed what to do for expired keys so even though
PGP command line might work- and it might not, I haven't tested it- the apps
that call PGP don't seem to work well with expired keys.

Bob
Genesis PGP
2015-09-13 02:38:39 UTC
As per my knowledge, the expiration date of PGP keys can be updated using:

# gpg --edit-key <user-id>
command> expire
...
in the command line, but before the expiration of the PGP key. You can decrypt old emails/documents with an expired key, but cannot send new encrypted emails/documents.

Hope this helps.

Thanks,
Genesis
http://computersecuritypgp.blogspot.com/
Post by Bob Daniels
Hi this is the first time one of my keys on 2.6.3i expired. I can't figure
out a way to update the expiration date. I created another key with the same
userid but the app that calls PGP (Emacs mailcrypt) seems confused about
which key is which. I still need the old key to decrypt old mail and I need
to update the expiration date so I can still use the old one. Any idea what
to do in this situation?
Best Regards,
Bob Daniels