15 Apr
2021
15 Apr
'21
10:23 a.m.
Hi listers,
I'm having trouble updating my expired PGP key in a CIphermail instance.
Here is what I did:
* My public key was expired, so I generated a new public key with no
expiration date. I tested it locally in Thunderbird: I deleted my
old public key; I imported the new one and tried to send some
encrypted emails. All fine.
* I uploaded my PGP key to our own PGP key server
(https://pgpkeys.icij.org) and made sure the new public key was in
place: I downloaded and checked the downloaded one, it was the
correct one without the expiration date.
* I logged in to our CIphermail instance, went to PGP area, and
searched for my old, expired key. It showed as expired, and I
deleted it. I verified that my key was no longer available in
Ciphermail.
* I went to the "Search keys" area, to download again my new key from
our PGP keyserver into CIphermail (our CIphermail is configured with
just one PGP keyserver: our private one).
* I located my new key, it showed the right one: recently created and
no expiration date. I imported it into Ciphermail.
* When I go again to the main PGP keys and search for my key, it shows
again my key as expired.
* If I click on "Download Public keys" link, the downloaded public key
is the _good_ one, without an expiration date.
So it seems I can't update my expired PGP key. It looks like Ciphermail
is somehow keeping my expiration date somewhere, and ignoring the new
"non-expiration" from the newly downloaded key, even if I delete the old
key and reimport the new one.
Any ideas?
J.
--
*Jorge Gonzalez Villalonga*
Systems Engineer
*The International Consortium of Investigative Journalists*
<https://www.icij.org>
1710 Rhode Island Ave NW, 11th floor | Washington DC 20036 | United States
Phone: +34 672 173 200 (Madrid, Spain)
16 Apr
16 Apr
10:38 a.m.
Hi Jorge,
This looks like a bug. It is debatable what it means if there is a
signature which says that a key is expired and there is another
signature which says that the key never expires. That said, the new
signature that says that the key never expires is newer so it should
prevail. I will look into it. As a workaround you might try to create a
new key signature with an expiration date far in the future.
I'll look into the issue
Kind regards,
Martijn Brinkers
--
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger
On Thu, 2021-04-15 at 10:23 +0200, Jorge Gonzalez via Users wrote:
Hi listers,
I'm having trouble updating my expired PGP key in a CIphermail
instance. Here is what I did:
My public key was expired, so I generated a new public key with no
expiration date. I tested it locally in Thunderbird: I deleted my old
public key; I imported the new one and tried to send some encrypted
emails. All fine.
I uploaded my PGP key to our own PGP key server (
https://pgpkeys.icij.org) and made sure the new public key was in
place: I downloaded and checked the downloaded one, it was the
correct one without the expiration date.
I logged in to our CIphermail instance, went to PGP area, and
searched for my old, expired key. It showed as expired, and I deleted
it. I verified that my key was no longer available in Ciphermail.
I went to the "Search keys" area, to download again my new key from
our PGP keyserver into CIphermail (our CIphermail is configured with
just one PGP keyserver: our private one).
I located my new key, it showed the right one: recently created and
no expiration date. I imported it into Ciphermail.
When I go again to the main PGP keys and search for my key, it shows
again my key as expired.
If I click on "Download Public keys" link, the downloaded public key
is the _good_ one, without an expiration date.
So it seems I can't update my expired PGP key. It looks like
Ciphermail is somehow keeping my expiration date somewhere, and
ignoring the new "non-expiration" from the newly downloaded key, even
if I delete the old key and reimport the new one.
Any ideas?
J.
--
Jorge Gonzalez Villalonga
Systems Engineer
The International Consortium of Investigative Journalists
1710 Rhode Island Ave NW, 11th floor | Washington DC 20036 | United
States
Phone: +34 672 173 200 (Madrid, Spain)
5:48 p.m.
Hi Martijn,
thanks, this did the trick for the moment.
Now I have spotted some more glitches about this:
* At first, I changed the expiration date of my public key to 10 years
in the future, and saved. I did _not_ change the expiration date of
the SSB (signing key), which was still non-expiring.
* I exported the pub key (which includes both pubkeys? confirm...),
reuploaded it to our PGP keyserver, and reimported it into Ciphermail.
* Now Ciphermail showed the expiration date correctly, 10 years in the
future.
* When I searched for the new key while importing, though, the found
key was being shown as non-expiring.
* With this key imported in CIphermail, I tried to send a test email,
and it did NOT work. The email bounced (I have the Ciphermail set up
to reject all emails which it cannot encrypt)
After that:
* I changed the expiration date of both the public key _and_ the
signing key, to the same 10 years in the future, and saved.
* I exported the new pubkey, reuploaded it to our PGP keyserver, and
reimported into Ciphermail
* Now again Ciphermail shows the expiration date correctly (+10y)
* AGAIN, When I searched for the new key while importing, the found
key was being shown as non-expiring. THis is definitely a bug, since
all keys now have an expiration date set.
* With this key imported in CIphermail, I tried to send a test email,
and it DID work.
So I'm fine for now, because I got it working. But it seems the old keys
are being cached somewhere n Ciphermail, even after I delete them, and
the cached ones are being used to show info about them, but not for
signing...
Also, maybe that the expiration date shown is from the signing key and
not the general pubkey...
I hope this additional info is useful for you :-) Feel free to contact
me for some more tests if you need.
Thanks again for a great piece of software.
Cheers
Jorge
*Jorge Gonzalez Villalonga*
Systems Engineer
*The International Consortium of Investigative Journalists*
<https://www.icij.org>
1710 Rhode Island Ave NW, 11th floor | Washington DC 20036 | United States
Phone: +34 672 173 200 (Madrid, Spain)
El 16/4/21 a las 10:38, Martijn Brinkers escribió:
Hi Jorge,
This looks like a bug. It is debatable what it means if there is a
signature which says that a key is expired and there is another
signature which says that the key never expires. That said, the new
signature that says that the key never expires is newer so it should
prevail. I will look into it. As a workaround you might try to create a
new key signature with an expiration date far in the future.
I'll look into the issue
Kind regards,
Martijn Brinkers
19 Apr
19 Apr
3:46 p.m.
Hi Jorge,
The CipherMail code that checks the key expiration skipped the User ID
packet if key expiration packet missing. It should however treat the
missing key expiration as "never expire". I have fixed this.
The other issue you reported, about the search result is not an
CipherMail issue but more a key server issue. The CipherMail gateway
repors the "raw" results from the key server. It looks like your key
server (https://pgpkeys.icij.org/) returns empty values for the
expiration date.
Kind regards,
Martijn Brinkers
--
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger
On Fri, 2021-04-16 at 17:48 +0200, Jorge Gonzalez wrote:
Hi Martijn,
thanks, this did the trick for the moment.
Now I have spotted some more glitches about this:
At first, I changed the expiration date of my public key to 10 years
in the future, and saved. I did _not_ change the expiration date of
the SSB (signing key), which was still non-expiring.
I exported the pub key (which includes both pubkeys? confirm...),
reuploaded it to our PGP keyserver, and reimported it into
Ciphermail.
Now Ciphermail showed the expiration date correctly, 10 years in the
future.
When I searched for the new key while importing, though, the found
key was being shown as non-expiring.
With this key imported in CIphermail, I tried to send a test email,
and it did NOT work. The email bounced (I have the Ciphermail set up
to reject all emails which it cannot encrypt)
After that:
I changed the expiration date of both the public key _and_ the
signing key, to the same 10 years in the future, and saved.
I exported the new pubkey, reuploaded it to our PGP keyserver, and
reimported into Ciphermail
Now again Ciphermail shows the expiration date correctly (+10y)
AGAIN, When I searched for the new key while importing, the found key
was being shown as non-expiring. THis is definitely a bug, since all
keys now have an expiration date set.
With this key imported in CIphermail, I tried to send a test email,
and it DID work.
So I'm fine for now, because I got it working. But it seems the old
keys are being cached somewhere n Ciphermail, even after I delete
them, and the cached ones are being used to show info about them, but
not for signing...
Also, maybe that the expiration date shown is from the signing key
and not the general pubkey...
I hope this additional info is useful for you :-) Feel free to
contact me for some more tests if you need.
Thanks again for a great piece of software.
Cheers
Jorge
Jorge Gonzalez Villalonga
Systems Engineer
The International Consortium of Investigative Journalists
1710 Rhode Island Ave NW, 11th floor | Washington DC 20036 | United
States
Phone: +34 672 173 200 (Madrid, Spain)
El 16/4/21 a las 10:38, Martijn Brinkers escribió:
> Hi Jorge,
>
> This looks like a bug. It is debatable what it means if there is a
> signature which says that a key is expired and there is another
> signature which says that the key never expires. That said, the new
> signature that says that the key never expires is newer so it
> should
> prevail. I will look into it. As a workaround you might try to
> create a
> new key signature with an expiration date far in the future.
>
> I'll look into the issue
>
> Kind regards,
>
> Martijn Brinkers
>
5:12 p.m.
Hi again Martijn,
thanks for fixing.
Regarding the search result: are you sure? This is what I get when run
gpg over my new public key just downloaded from pgpkeys.icij.org:
*[jorgegv@endor Descargas]$ LANG=C gpg
D43C4D3C9AC70EBBE87330E9AA976E29616D42D4.asc **
**gpg: WARNING: no command supplied. Trying to guess what you mean ...**
**pub rsa4096 2016-03-29 [SCA] [expires: 2031-04-14]**
** D43C4D3C9AC70EBBE87330E9AA976E29616D42D4**
**uid Jorge Gonzalez <jorge.gonzalez(a)daikon.es>**
**uid Jorge Gonzalez <jorgegv(a)icij.org>**
**sub rsa4096 2016-03-29 [E] [expires: 2031-04-14]*
It seems all keys and subkeys have an expiration date, right?
???
J.
*Jorge Gonzalez Villalonga*
Systems Engineer
*The International Consortium of Investigative Journalists*
<https://www.icij.org>
1710 Rhode Island Ave NW, 11th floor | Washington DC 20036 | United States
Phone: +34 672 173 200 (Madrid, Spain)
El 19/4/21 a las 15:46, Martijn Brinkers escribió:
Hi Jorge,
The CipherMail code that checks the key expiration skipped the User ID
packet if key expiration packet missing. It should however treat the
missing key expiration as "never expire". I have fixed this.
The other issue you reported, about the search result is not an
CipherMail issue but more a key server issue. The CipherMail gateway
repors the "raw" results from the key server. It looks like your key
server (https://pgpkeys.icij.org/) returns empty values for the
expiration date.
Kind regards,
Martijn Brinkers
5:30 p.m.
What I mean is that the CipherMail search page literally shows what is
returned by the key server without importing the key
So if you lookup your key on pgpkeys.icij.org with your browser
https://pgpkeys.icij.org/pks/lookup/?search=jorgegv%40icij.org&op=index…
You get the result
info:1:1
pub:D43C4D3C9AC70EBBE87330E9AA976E29616D42D4:1:4096:1618586394::
uid:Jorge%20Gonzalez%20%3Cjorge.gonzalez@daikon.es%3E:1618586394::
uid:Jorge%20Gonzalez%20%3Cjorgegv@icij.org%3E:1618586394::
The lines list the date the signature was created (1618586394) but lack
the expiration time field (::)
If you do a similar lookup on another key server (which does not use
sequoia-pgp) it reports the expiration date:
http://pgp.surfnet.nl:11371/pks/lookup?search=jorgegv%40icij.org&op=ind…
info:1:1
pub:D43C4D3C9AC70EBBE87330E9AA976E29616D42D4:1:4096:1459236762:16169167
62:
uid:Jorge Gonzalez <jorgegv@icij.org>:1489433573::
uid:Jorge Gonzalez <jorge.gonzalez@daikon.es>:1459236762::
uat::::
Note: that the expiration date on this key server is still the old
expiration date (1616916762 which is Sun Mar 28 2021 07:32:42 GMT+0000)
The key server reports results in the following format:
pub:<keyid>:<algo>:<keylen>:<creationdate>:<expirationdate>:<flags>
See https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00
It looks like sequoia-pgp does not include the expiration date
One you import the key, CipherMail will report the correct expiration
date.
Kind regards,
Martijn Brinkers
--
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger
On Mon, 2021-04-19 at 17:12 +0200, Jorge Gonzalez wrote:
Hi again Martijn,
thanks for fixing.
Regarding the search result: are you sure? This is what I get when
run gpg over my new public key just downloaded from pgpkeys.icij.org:
[jorgegv@endor Descargas]$ LANG=C gpg
D43C4D3C9AC70EBBE87330E9AA976E29616D42D4.asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096 2016-03-29 [SCA] [expires: 2031-04-14]
D43C4D3C9AC70EBBE87330E9AA976E29616D42D4
uid Jorge Gonzalez <jorge.gonzalez(a)daikon.es>
uid Jorge Gonzalez <jorgegv(a)icij.org>
sub rsa4096 2016-03-29 [E] [expires: 2031-04-14]
It seems all keys and subkeys have an expiration date, right?
???
J.
Jorge Gonzalez Villalonga
Systems Engineer
The International Consortium of Investigative Journalists
1710 Rhode Island Ave NW, 11th floor | Washington DC 20036 | United
States
Phone: +34 672 173 200 (Madrid, Spain)
El 19/4/21 a las 15:46, Martijn Brinkers escribió:
> Hi Jorge,
>
> The CipherMail code that checks the key expiration skipped the User
> ID
> packet if key expiration packet missing. It should however treat
> the
> missing key expiration as "never expire". I have fixed this.
>
> The other issue you reported, about the search result is not an
> CipherMail issue but more a key server issue. The CipherMail
> gateway
> repors the "raw" results from the key server. It looks like your
> key
> server (https://pgpkeys.icij.org/) returns empty values for the
> expiration date.
>
> Kind regards,
>
> Martijn Brinkers
>
527
days inactive
531
days old
5 comments
2 participants
participants (2)
-
Jorge Gonzalez -
Martijn Brinkers