Re: [openpgp] Clarification: calculation of key expiration time

2019-02-08 14:50:55
On Thu 2019-02-07 09:34:13 +0000, Paul Fawkesley wrote:

There's an open issue[1] on Golang's openpgp library about calculating
key expiration time.

I believe it is currently calculated incorrectly and would appreciate a
second opinion.

The code[2] currently reads:

// KeyExpired returns whether sig is a self-signature of a key that has
// expired.
func (sig *Signature) KeyExpired(currentTime time.Time) bool {
      if sig.KeyLifetimeSecs == nil {
              return false
      }
      expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second)
      return currentTime.After(expiry)
}

So they're using _signature creation time_ + key expiration time (seconds)

The spec[3] seems pretty clear that you should use _key creation time_ +
key expiration time (seconds):

Key Expiration Time

   (4-octet time field)

   The validity period of the key.  This is the number of seconds after
   the key creation time that the key expires.  If this is not present
   or has a value of zero, the key never expires.  This is found only on
   a self-signature.

So it seems to me it's a bug, unless I'm missing something?

I agree with you that this is a bug in Golang's openpgp library.  I've
followed up on accordingly.


Attachment: signature.asc
Description: PGP signature
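
The difference between the two calculations discussed in this message, as an added Go example that is not part of the original e-mail or of the library's code. The selfSig type, the function names and the sample dates are assumptions constructed for illustration; the case shown is a self-signature re-issued years after the key was created.

```go
package main

import (
	"fmt"
	"time"
)

// selfSig holds only the two self-signature fields the calculation needs
// (hypothetical type for this example, not the library's Signature).
type selfSig struct {
	CreationTime    time.Time
	KeyLifetimeSecs *uint32 // nil when the subpacket is absent
}

// expiredPerSigTime reproduces the quoted calculation: signature creation time + lifetime.
func expiredPerSigTime(sig selfSig, now time.Time) bool {
	if sig.KeyLifetimeSecs == nil {
		return false
	}
	expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second)
	return now.After(expiry)
}

// expiredPerKeyTime follows the quoted spec text: key creation time + lifetime,
// with an absent or zero lifetime meaning the key never expires.
func expiredPerKeyTime(keyCreated time.Time, sig selfSig, now time.Time) bool {
	if sig.KeyLifetimeSecs == nil || *sig.KeyLifetimeSecs == 0 {
		return false
	}
	expiry := keyCreated.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second)
	return now.After(expiry)
}

// constructedCase returns constructed sample values: a key created in 2015 with a
// two-year lifetime whose self-signature was re-issued in 2018, checked in 2019.
func constructedCase() (time.Time, selfSig, time.Time) {
	keyCreated := time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC)
	lifetime := uint32(2 * 365 * 24 * 60 * 60)
	sig := selfSig{time.Date(2018, 6, 1, 0, 0, 0, 0, time.UTC), &lifetime}
	return keyCreated, sig, time.Date(2019, 2, 8, 0, 0, 0, 0, time.UTC)
}

func main() {
	keyCreated, sig, now := constructedCase()
	fmt.Printf("expired by signature time: %v, by key time: %v\n",
		expiredPerSigTime(sig, now), expiredPerKeyTime(keyCreated, sig, now))
}
```

With these values the signature-time rule reports the key as still valid while the key-time rule reports it expired, which is the practical consequence of the discrepancy: a verifier using the former accepts a key past the expiry its owner set.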
