[Top] [All Lists]

[openpgp] Clarification: calculation of key expiration time

2019-02-07 03:34:43
Hi all,

There's an open issue[1] on Golang's openpgp library about calculating
key expiration time.

I believe it is currently calculated incorrectly and would appreciate a
second opinion.

The code[2] currently reads:

// KeyExpired returns whether sig is a self-signature of a key that has
// expired.
func (sig *Signature) KeyExpired(currentTime time.Time) bool {
        if sig.KeyLifetimeSecs == nil {
                return false
        expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) *
        return currentTime.After(expiry)

So they're using _signature creation time_ + key expiration time (seconds)

The spec[3] seems pretty clear that you should use _key creation time_ +
key expiration time (seconds):  Key Expiration Time

   (4-octet time field)

   The validity period of the key.  This is the number of seconds after
   the key creation time that the key expires.  If this is not present
   or has a value of zero, the key never expires.  This is found only on
   a self-signature.

So it seems to me it's a bug, unless I'm missing something?

Kind regards,



Attachment: signature.asc
Description: OpenPGP digital signature

openpgp mailing list
<Prev in Thread] Current Thread [Next in Thread>