How to force gpg2 to use expired key?

Question

$ gpg -ear XXXXXXX
gpg: XXXXXXXX: skipped: unusable public key

$ gpg --debug-ignore-expiration -ear XXXXXXXX
gpg: Invalid option "--debug-ignore-expiration"

How to encrypt? There are no updates for the key available from keyservers. Messages should be seen if user still has that expired key or not seen at all.

Is there some --just-do-that-I-want option that will allow to do this without of changing the source code of GPG?

why you wanna do this? It basically breakes up the whole security Thing GPG is about you can literally just send it Cleartext if you do this. I recommend you to just ask the Receiving Person to update its Public Key — konqui, Jan 12 '18 at 12:22
Using long-expired key gives better security compared to using no key at all. Also one may need to decrypt old message from archive using old long-expired key. — Vi., Jan 12 '18 at 12:34
Shure also possibly broken Encryption is better than no Encryption at all. I just overstate it because of Reasons. For old Messages encrypted with the old Public Key back then, yes he needs to use his old Private Key but that does not me he can‘t create an new Keypair to use for new Messages. So there is really no Reason to use an outdated Public Key. Private Key is another Thing but i never had gpg complaining on using an outdated Private Key for Decription. — konqui, Jan 12 '18 at 13:07

score 16 · Answer 1 · answered Nov 27 '19 at 15:52

16

Use the --faked-system-time option:

gpg2 --faked-system-time 20100101T000000 -e -r keyid

I would prefer an option that would force encryption to an expired key while also recording the correct time (especially when signing).

answered Nov 27 '19 at 15:52

Margaret

161
1
3

Vi. · Accepted Answer · 2018-01-12T12:43:16.040

As @rob suggested in comments, libfaketime handles this well:

$ gpg  -v -v -v --batch --trust-model always -ear D5B9D38C <<< "qweqe"
gpg: using character set 'utf-8'
gpg: Note: signature key 077EA269D5B9D38C expired Sun 09 Nov 2014 12:57:25 PM +03
gpg: D5B9D38C: skipped: Unusable public key
gpg: [stdin]: encryption failed: Unusable public key

$ faketime  '2012-12-24 08:15:42'  gpg  -v -v -v --batch --trust-model always -ear D5B9D38C <<< "qweqe"
gpg: using character set 'utf-8'
gpg: using subkey 85231B396B9569ED instead of primary key 077EA269D5B9D38C
gpg: No trust check due to '--trust-model always' option
gpg: reading from '[stdin]'
gpg: writing to stdout
gpg: RSA/AES256 encrypted for: "..."
-----BEGIN PGP MESSAGE-----
...

Old answer:

Start UML (user mode linux)
Set date inside UML to acceptable range.
Encrypt message in UML

Can also fake the date using libfaketime. Same idea as answer, but might be easier for some. — rob, Dec 03 '12 at 05:48
there seriously is no --force option, so just a date hack only does it? m( — mcantsin, Sep 15 '16 at 04:25

score 1 · Answer 3 · answered Jan 11 '18 at 23:56

1

Reset hardware and system clock:

sudo hwclock --set --date "12/31/2017 23:59:59" && \
sudo hwclock --hctosys && \
gpg --sign-with $keyid --clearsign --armor < $file

Afterwards (I hope you have NTP enabled) fix your hardware clock with:

sudo hwclock --systohc

answered Jan 11 '18 at 23:56

guest

19
1

3

Too drastic. The time should be overridden just for gpg, not for the whole system. – Vi. Jan 12 '18 at 12:23
2

`faketime '2012-12-24 08:15:42' gpg ...` is better. – Vi. Jan 12 '18 at 12:39
`--faked-system-time` is even better. – Jonathan Cross Jan 04 '21 at 22:40

How to force gpg2 to use expired key?

3 Answers3