justinsteven · April 29, 2020 22:27
diff --git a/gpg key expiration test b/gpg key expiration test
 # Generate a key valid from 2018-04-01 to 2020-03-30

 We time travel using `faketime`

 ```
 % faketime 2018-04-01 gpg --full-gen-key
 gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.

 Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
 Your selection? 1
 RSA keys may be between 1024 and 4096 bits long.
 What keysize do you want? (3072) 2048
 Requested keysize is 2048 bits
 Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
 Key is valid for? (0) 2y
 Key expires at Tue 31 Mar 2020 00:00:11 AEST
 Is this correct? (y/N) y

 GnuPG needs to construct a user ID to identify your key.

 Real name: Test Key
 Email address: test@localhost
 Comment:
 You selected this USER-ID:
    "Test Key <test@localhost>"

 Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
 We need to generate a lot of random bytes. It is a good idea to perform
 some other action (type on the keyboard, move the mouse, utilize the
 disks) during the prime generation; this gives the random number
 generator a better chance to gain enough entropy.
 We need to generate a lot of random bytes. It is a good idea to perform
 some other action (type on the keyboard, move the mouse, utilize the
 disks) during the prime generation; this gives the random number
 generator a better chance to gain enough entropy.
 gpg: key 0xF72D7478A432973B marked as ultimately trusted
 gpg: directory '/home/justin/.gnupg/openpgp-revocs.d' created
 gpg: revocation certificate stored as '/home/justin/.gnupg/openpgp-revocs.d/55FA4E85E6896861CEA2E402F72D7478A432973B.rev'
 public and secret key created and signed.

 pub   rsa2048/0xF72D7478A432973B 2018-03-31 [SC] [expires: 2020-03-30]
      55FA4E85E6896861CEA2E402F72D7478A432973B
      Key fingerprint = 55FA 4E85 E689 6861 CEA2  E402 F72D 7478 A432 973B
 uid                              Test Key <test@localhost>
 sub   rsa2048/0x408D8AB45197C560 2018-03-31 [E] [expires: 2020-03-30]
 ```

 # Export the key

 ```
 % gpg --armor --export 0xF72D7478A432973B
 -----BEGIN PGP PUBLIC KEY BLOCK-----

 mQENBFq/lHkBCADCgnDRMTrR26RATymwW9WzbhKAx1WEZYktVbtBO9cyI9fNSkLC
 HE3SG2PUWbPxKugAWSwk07LPfvqlL3LFd/qwF+paUJNEGquk+QTnyv7CA6F3Xh8X
 iWFmaDL/zUhXYD/G94lsv+NeY8UT2lQu8Vwh3cqQXszr71wOgbmWtbb96R+oAhf9
 rd790kFydf8Tk+6Kw63n3LB1nzHNPt5rrAkEOI93nf4skaLEwT6TUP2gEimuoWbv
 Puf+fFsrr86ts0jHYhYOm9LSRZMMnmhorZuQc2KlctTz7W+/ut+2YkLiegPWFRMr
 hSxHVyCcU/eZ0PPWh+7iTbt2MrgFZQ7j83GPABEBAAG0GVRlc3QgS2V5IDx0ZXN0
 QGxvY2FsaG9zdD6JAVQEEwEKAD4WIQRV+k6F5oloYc6i5AL3LXR4pDKXOwUCWr+U
 eQIbAwUJA8JnAAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRD3LXR4pDKXO+d/
 B/9BibJyqZcPrI4eSqLO+Y9YkKWQ77XubCT4F9yPTsiXgiMpVFDSVehNVjsiN99d
 P8C2rncID04ylfyAqYGyKmkyCnRfSlNCg29+RUCraEPcCM8TsguCbFlrDI/AhFp5
 ZzMpQlacdfzaBhvtWxuimOPrV3DCku7eg4IYHb6XXLDWRehPfJxEU2WRdLrE3kiu
 PFNiw0d4By2llFD/I1In3jR08gkE5QHl2Kbflui1fh+Vib4CQ8RdFCO8aRKguKTy
 +CEP5KVada20zyMMzZg3rWP1YKhwalY3P4+Lxf0lJYbavXpYQNoSo4Dtu5vVpefo
 aENcLUJdpXX8H/B7fnE5MdjbuQENBFq/lHkBCADFFqDTHMxLoeO29M1POGs90S32
 2jCbpsV86u+bWz8J51cw/tCKmIOCr5Z5q8tNT5Hg4bfRhblpAqC3CWty3SBcO003
 BITnWKA9VzsKc5oXztUpXUuiTrebJsHsrmQwwpwlDKS65v6EywTwuTT+Lcqjdj4w
 cNE211XPoj4qWbdpBkSuDwVzJ0vcgPDw267dUsfQ9kPz3rFdNMES38LqLoRE+4cw
 55gNaGcFwAxNAq1p3OLOak17IbMiTkwcm/DVER1vGCwpo7XNNwGK0pDHEblSitqE
 hSub5IExjYClMxjNRBHPwAZEpXP9n0FyD6evSALYuivbbV/BJ6HQeCk8/QFnABEB
 AAGJATwEGAEKACYWIQRV+k6F5oloYc6i5AL3LXR4pDKXOwUCWr+UeQIbDAUJA8Jn
 AAAKCRD3LXR4pDKXO3AzB/9xDi86/JS+XKcHqy7gkkycalJowUyX9NIzXPvAkjkr
 1sOC+3xQcmaYnGsEFUH8iwJDaiwue6c/x/eMFXUcDLpWSR/Nql0ztkLPqsnOjtzl
 UQhQ5P69hxCqsRgy9iVFhRotaOLKS/IV8/KEOfnsx7U9m+R5Ax/BwKo6IL9n4QN5
 h2HRyRt86XPB+Wnu+E3EXxM/8EE/OfhU7SLVwwG7NgXz+zRXO7glUzdVfS1qk/iR
 bs6Eh1JorSKNsaQfmxXBBrh8HqXF0xP8bqr8FGLscHkvlv2W9Vj8Wq/RWH7Ag7Ed
 EQUm8jvCJqOBFBzRJp5rb3KCYyEhQvQR1xF/SBgvyiZB
 =n6co
 -----END PGP PUBLIC KEY BLOCK-----
 ```

 # Sign a message

 We time travel to within the key validity peiod using `faketime`. Otherwise, gpg complains and refuses to use an expired key to do the signing.

 ```
 % echo "My message" | faketime 2018-04-02 gpg --clearsign -u 0xF72D7478A432973B
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512

 My message
 -----BEGIN PGP SIGNATURE-----

 iQEzBAEBCgAdFiEEVfpOheaJaGHOouQC9y10eKQylzsFAlrA5eAACgkQ9y10eKQy
 lztvBQf+Ptxx3oiDnScJFClec2WNuYrDL3H4Tv63OIEeN8tiJItpCSSQYB2oX6MZ
 nSegd6l5MHiBFEJ+lFi4JCqfUjoav/XhL9A94meCE9xI31B1Fo1yTWYob+8xLWZN
 n0Tx0AtM0k+7mFl902r0Cu+e5DOxalTReVQp5IHqxK4u1g7KQjIGWYM+WTb96H/Z
 RDapskb8T6zpN0D4IPZWPiUrLIKw+x3qSr8sNLGJMsKNRIyRLwYrSIDdVZIsmDzH
 wStwZkAEWP1NNGVi8PXK2SD/lLmGhhMhJIj93ld8IL3fboQ28fOGys1o/Dm1RT/3
 dfB3K1sM3dqxDa3WrJdk+pcZrcu4gQ==
 =dYoC
 -----END PGP SIGNATURE-----
 ```

 # Confirm the message doesn't validate outside of the key validity period

 ```
 % cat <<EOF | gpg --verify
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512

 My message
 -----BEGIN PGP SIGNATURE-----

 iQEzBAEBCgAdFiEEVfpOheaJaGHOouQC9y10eKQylzsFAlrA5eAACgkQ9y10eKQy
 lztvBQf+Ptxx3oiDnScJFClec2WNuYrDL3H4Tv63OIEeN8tiJItpCSSQYB2oX6MZ
 nSegd6l5MHiBFEJ+lFi4JCqfUjoav/XhL9A94meCE9xI31B1Fo1yTWYob+8xLWZN
 n0Tx0AtM0k+7mFl902r0Cu+e5DOxalTReVQp5IHqxK4u1g7KQjIGWYM+WTb96H/Z
 RDapskb8T6zpN0D4IPZWPiUrLIKw+x3qSr8sNLGJMsKNRIyRLwYrSIDdVZIsmDzH
 wStwZkAEWP1NNGVi8PXK2SD/lLmGhhMhJIj93ld8IL3fboQ28fOGys1o/Dm1RT/3
 dfB3K1sM3dqxDa3WrJdk+pcZrcu4gQ==
 =dYoC
 -----END PGP SIGNATURE-----

 EOF

 gpg: Signature made Mon 02 Apr 2018 00:00:00 AEST
 gpg:                using RSA key 55FA4E85E6896861CEA2E402F72D7478A432973B
 gpg: Good signature from "Test Key <test@localhost>" [expired]
 gpg: Note: This key has expired!
 Primary key fingerprint: 55FA 4E85 E689 6861 CEA2  E402 F72D 7478 A432 973B
 ```

 We get a notice that the key has expired.
	# Generate a key valid from 2018-04-01 to 2020-03-30

	We time travel using `faketime`

	```
	% faketime 2018-04-01 gpg --full-gen-key
	gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
	This is free software: you are free to change and redistribute it.
	There is NO WARRANTY, to the extent permitted by law.

	Please select what kind of key you want:
	(1) RSA and RSA (default)
	(2) DSA and Elgamal
	(3) DSA (sign only)
	(4) RSA (sign only)
	Your selection? 1
	RSA keys may be between 1024 and 4096 bits long.
	What keysize do you want? (3072) 2048
	Requested keysize is 2048 bits
	Please specify how long the key should be valid.
	0 = key does not expire
	<n> = key expires in n days
	<n>w = key expires in n weeks
	<n>m = key expires in n months
	<n>y = key expires in n years
	Key is valid for? (0) 2y
	Key expires at Tue 31 Mar 2020 00:00:11 AEST
	Is this correct? (y/N) y

	GnuPG needs to construct a user ID to identify your key.

	Real name: Test Key
	Email address: test@localhost
	Comment:
	You selected this USER-ID:
	"Test Key <test@localhost>"

	Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
	We need to generate a lot of random bytes. It is a good idea to perform
	some other action (type on the keyboard, move the mouse, utilize the
	disks) during the prime generation; this gives the random number
	generator a better chance to gain enough entropy.
	We need to generate a lot of random bytes. It is a good idea to perform
	some other action (type on the keyboard, move the mouse, utilize the
	disks) during the prime generation; this gives the random number
	generator a better chance to gain enough entropy.
	gpg: key 0xF72D7478A432973B marked as ultimately trusted
	gpg: directory '/home/justin/.gnupg/openpgp-revocs.d' created
	gpg: revocation certificate stored as '/home/justin/.gnupg/openpgp-revocs.d/55FA4E85E6896861CEA2E402F72D7478A432973B.rev'
	public and secret key created and signed.

	pub rsa2048/0xF72D7478A432973B 2018-03-31 [SC] [expires: 2020-03-30]
	55FA4E85E6896861CEA2E402F72D7478A432973B
	Key fingerprint = 55FA 4E85 E689 6861 CEA2 E402 F72D 7478 A432 973B
	uid Test Key <test@localhost>
	sub rsa2048/0x408D8AB45197C560 2018-03-31 [E] [expires: 2020-03-30]
	```

	# Export the key

	```
	% gpg --armor --export 0xF72D7478A432973B
	-----BEGIN PGP PUBLIC KEY BLOCK-----

	mQENBFq/lHkBCADCgnDRMTrR26RATymwW9WzbhKAx1WEZYktVbtBO9cyI9fNSkLC
	HE3SG2PUWbPxKugAWSwk07LPfvqlL3LFd/qwF+paUJNEGquk+QTnyv7CA6F3Xh8X
	iWFmaDL/zUhXYD/G94lsv+NeY8UT2lQu8Vwh3cqQXszr71wOgbmWtbb96R+oAhf9
	rd790kFydf8Tk+6Kw63n3LB1nzHNPt5rrAkEOI93nf4skaLEwT6TUP2gEimuoWbv
	Puf+fFsrr86ts0jHYhYOm9LSRZMMnmhorZuQc2KlctTz7W+/ut+2YkLiegPWFRMr
	hSxHVyCcU/eZ0PPWh+7iTbt2MrgFZQ7j83GPABEBAAG0GVRlc3QgS2V5IDx0ZXN0
	QGxvY2FsaG9zdD6JAVQEEwEKAD4WIQRV+k6F5oloYc6i5AL3LXR4pDKXOwUCWr+U
	eQIbAwUJA8JnAAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRD3LXR4pDKXO+d/
	B/9BibJyqZcPrI4eSqLO+Y9YkKWQ77XubCT4F9yPTsiXgiMpVFDSVehNVjsiN99d
	P8C2rncID04ylfyAqYGyKmkyCnRfSlNCg29+RUCraEPcCM8TsguCbFlrDI/AhFp5
	ZzMpQlacdfzaBhvtWxuimOPrV3DCku7eg4IYHb6XXLDWRehPfJxEU2WRdLrE3kiu
	PFNiw0d4By2llFD/I1In3jR08gkE5QHl2Kbflui1fh+Vib4CQ8RdFCO8aRKguKTy
	+CEP5KVada20zyMMzZg3rWP1YKhwalY3P4+Lxf0lJYbavXpYQNoSo4Dtu5vVpefo
	aENcLUJdpXX8H/B7fnE5MdjbuQENBFq/lHkBCADFFqDTHMxLoeO29M1POGs90S32
	2jCbpsV86u+bWz8J51cw/tCKmIOCr5Z5q8tNT5Hg4bfRhblpAqC3CWty3SBcO003
	BITnWKA9VzsKc5oXztUpXUuiTrebJsHsrmQwwpwlDKS65v6EywTwuTT+Lcqjdj4w
	cNE211XPoj4qWbdpBkSuDwVzJ0vcgPDw267dUsfQ9kPz3rFdNMES38LqLoRE+4cw
	55gNaGcFwAxNAq1p3OLOak17IbMiTkwcm/DVER1vGCwpo7XNNwGK0pDHEblSitqE
	hSub5IExjYClMxjNRBHPwAZEpXP9n0FyD6evSALYuivbbV/BJ6HQeCk8/QFnABEB
	AAGJATwEGAEKACYWIQRV+k6F5oloYc6i5AL3LXR4pDKXOwUCWr+UeQIbDAUJA8Jn
	AAAKCRD3LXR4pDKXO3AzB/9xDi86/JS+XKcHqy7gkkycalJowUyX9NIzXPvAkjkr
	1sOC+3xQcmaYnGsEFUH8iwJDaiwue6c/x/eMFXUcDLpWSR/Nql0ztkLPqsnOjtzl
	UQhQ5P69hxCqsRgy9iVFhRotaOLKS/IV8/KEOfnsx7U9m+R5Ax/BwKo6IL9n4QN5
	h2HRyRt86XPB+Wnu+E3EXxM/8EE/OfhU7SLVwwG7NgXz+zRXO7glUzdVfS1qk/iR
	bs6Eh1JorSKNsaQfmxXBBrh8HqXF0xP8bqr8FGLscHkvlv2W9Vj8Wq/RWH7Ag7Ed
	EQUm8jvCJqOBFBzRJp5rb3KCYyEhQvQR1xF/SBgvyiZB
	=n6co
	-----END PGP PUBLIC KEY BLOCK-----
	```

	# Sign a message

	We time travel to within the key validity peiod using `faketime`. Otherwise, gpg complains and refuses to use an expired key to do the signing.

	```
	% echo "My message" \| faketime 2018-04-02 gpg --clearsign -u 0xF72D7478A432973B
	-----BEGIN PGP SIGNED MESSAGE-----
	Hash: SHA512

	My message
	-----BEGIN PGP SIGNATURE-----

	iQEzBAEBCgAdFiEEVfpOheaJaGHOouQC9y10eKQylzsFAlrA5eAACgkQ9y10eKQy
	lztvBQf+Ptxx3oiDnScJFClec2WNuYrDL3H4Tv63OIEeN8tiJItpCSSQYB2oX6MZ
	nSegd6l5MHiBFEJ+lFi4JCqfUjoav/XhL9A94meCE9xI31B1Fo1yTWYob+8xLWZN
	n0Tx0AtM0k+7mFl902r0Cu+e5DOxalTReVQp5IHqxK4u1g7KQjIGWYM+WTb96H/Z
	RDapskb8T6zpN0D4IPZWPiUrLIKw+x3qSr8sNLGJMsKNRIyRLwYrSIDdVZIsmDzH
	wStwZkAEWP1NNGVi8PXK2SD/lLmGhhMhJIj93ld8IL3fboQ28fOGys1o/Dm1RT/3
	dfB3K1sM3dqxDa3WrJdk+pcZrcu4gQ==
	=dYoC
	-----END PGP SIGNATURE-----
	```

	# Confirm the message doesn't validate outside of the key validity period

	```
	% cat <<EOF \| gpg --verify
	-----BEGIN PGP SIGNED MESSAGE-----
	Hash: SHA512

	My message
	-----BEGIN PGP SIGNATURE-----

	iQEzBAEBCgAdFiEEVfpOheaJaGHOouQC9y10eKQylzsFAlrA5eAACgkQ9y10eKQy
	lztvBQf+Ptxx3oiDnScJFClec2WNuYrDL3H4Tv63OIEeN8tiJItpCSSQYB2oX6MZ
	nSegd6l5MHiBFEJ+lFi4JCqfUjoav/XhL9A94meCE9xI31B1Fo1yTWYob+8xLWZN
	n0Tx0AtM0k+7mFl902r0Cu+e5DOxalTReVQp5IHqxK4u1g7KQjIGWYM+WTb96H/Z
	RDapskb8T6zpN0D4IPZWPiUrLIKw+x3qSr8sNLGJMsKNRIyRLwYrSIDdVZIsmDzH
	wStwZkAEWP1NNGVi8PXK2SD/lLmGhhMhJIj93ld8IL3fboQ28fOGys1o/Dm1RT/3
	dfB3K1sM3dqxDa3WrJdk+pcZrcu4gQ==
	=dYoC
	-----END PGP SIGNATURE-----

	EOF

	gpg: Signature made Mon 02 Apr 2018 00:00:00 AEST
	gpg: using RSA key 55FA4E85E6896861CEA2E402F72D7478A432973B
	gpg: Good signature from "Test Key <test@localhost>" [expired]
	gpg: Note: This key has expired!
	Primary key fingerprint: 55FA 4E85 E689 6861 CEA2 E402 F72D 7478 A432 973B
	```

	We get a notice that the key has expired.