The Linux Page

Expired gpg key


In the last two days, my Thunderbird installation was complaining about my GPG encryption key saying it was expired.

Error while saving draft - The key Alexis Wilke <alexis@m2osw.com> (key ID 0x123123123) has expired.

The interesting fact is that I created that key a long time ago, so I guess even if you create a key for, like, 10 years, it can still expire...

I found this page by Henning Koch with a very simple list of steps on how to update the key. Here I have an updated copy. His page has a few other options you may also be interested in.

On my end, I have Thunderbird, and the error message shown above includes the key identifier needed for the update. So step 1 is easy:

WARNING: you probably want to read step 10 first...

1. Select the Key in your Thunderbird error message and hit Ctrl-C (Copy)

You can also see a list of your GPG keys with

$ gpg --list-keys

Note that the ID is the long hexadecimal number; the second half of that number is enough in most cases. The problem here is that you may have many other keys. Pipe the output through less if you really have many:

$ gpg --list-keys | less

2. Enter the gpg interactive editor

Everything will be done in your console with the gpg tool like so:

$ gpg --edit-key KEY-ID

Note: From my example above, the KEY-ID would be: 123123123.

This gives you a prompt within gpg. The following instructions assume you are at that prompt until you use the save command. The new prompt is "gpg> ".

3. On entry, gpg shows you your key

When entering the gpg prompt, it displays a few messages: the license, whether the secret key is available, and then the actual keys.

> Secret key is available.

If you don't get that message about the secret key, then you won't be able to update it. The secret key is what allows you to encrypt/decrypt, so without it gpg won't let you change the expiration date.

If you want to list your key again at a later time, you can use:

gpg> list

4. Select the key to update

Assuming your key works like mine, you will have two keys displayed: the primary key and the subkey. By default neither is selected. To change the expiration date, you need to select one of these two keys with:

gpg> key <number>

Where <number> is either 0 or 1. I started with 0, then fixed the expiration date, and then used 1 to change the other key's expiration date.

5. Change the expiration date

Now we use the expire command like so:

gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 3y
Key expires at Mon 29 Jul 2024 12:28:13 PM PDT
Is this correct? (y/N) y

As we can see, the expire command gives you a menu to select from. You can enter a number of days, weeks (number followed by w), months (number followed by m), years (number followed by y), or 0 to cancel key expiration altogether (which is probably not a good idea).

Once you have entered the number you want, expire shows you the new expiration date. If that looks correct, say yes (type y and press Enter). expire then prints the keys again with the new expiration date.

6. Repeat for subkey

After changing the primary key, gpg tells you that the other key is expired. Now you have to do:

gpg> key 1
gpg> expire

to update that subkey.

7. Verify Changes

Once you have changed the subkey, the expire command prints the updated keys without any errors. Next you can verify the results with the following command:

gpg> list

If satisfied with the results, you can move on to the next step.

Note: the list command essentially shows you the same results as expire does, with a few additional details.

8. Save the results

Now you can save the results with:

gpg> save

And you're done with the GPG update of the expiration date. Notice that after the save command you get your standard console prompt back (unless an error occurs). However, there are a few more steps to run to make sure that it all works.
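Steps 1 to 8 above are an interactive gpg session. As an added example (not the page's or GnuPG's own code), the Python script below reads the same keyring listing in the machine-readable form that gpg --list-keys --with-colons produces, reports every primary key and subkey that is expired or about to expire, and prints the matching non-interactive gpg --quick-set-expire command (an option available in GnuPG 2.1.17 and later) that does the key/expire/save sequence in one step. The embedded listing, its key IDs and fingerprints, and the function names are all constructed for this example; when gpg is installed, the script reads your real keyring instead.

```python
"""Keyring expiry audit (added example for this page, not the page's or GnuPG's code).

Parses `gpg --list-keys --with-colons` output (field layout per GnuPG doc/DETAILS),
flags primary keys and subkeys that are expired or expire soon, and builds the
non-interactive `gpg --quick-set-expire` commands equivalent to gpg> key/expire/save.
"""
from __future__ import annotations

import subprocess
import time
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample listing (not real keys): an expired RSA key and a current ed25519 key.
SAMPLE_LISTING = """\
pub:e:3072:1:AAAABBBBCCCCDDDD:1311000000:1690000000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:e::::1311000000::HASH1::Old Key <old@example.invalid>::::::::::0:
sub:e:3072:1:1111222233334444:1311000000:1690000000:::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
pub:u:255:22:5555666677778888:1700000000:1800000000::u:::scESC:::::ed25519:::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:u::::1700000000::HASH2::Current Key <current@example.invalid>::::::::::0:
"""

@dataclass
class Key:
    kind: str              # "pub" (primary) or "sub" (subkey)
    keyid: str             # long key ID, colon field 5
    validity: str          # colon field 2; "e" means gpg already treats it as expired
    expires: int | None    # colon field 7 as epoch seconds; None = never expires
    fingerprint: str = ""  # filled in from the fpr record that follows the key

@dataclass
class KeyBlock:
    primary: Key
    uids: list[str] = field(default_factory=list)
    subkeys: list[Key] = field(default_factory=list)

def _epoch(value: str) -> int | None:
    """Field 7: empty = no expiry, epoch seconds, or YYYY-MM-DD on GnuPG 1.x."""
    if value.isdigit():
        return int(value)
    return int(datetime.strptime(value[:10], "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp()) if value else None

def parse_colon_listing(text: str) -> list[KeyBlock]:
    blocks: list[KeyBlock] = []
    pending: Key | None = None  # key whose fpr record should come next
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sec"):
            pending = Key("pub", f[4], f[1], _epoch(f[6]))
            blocks.append(KeyBlock(primary=pending))
        elif f[0] in ("sub", "ssb") and blocks:
            pending = Key("sub", f[4], f[1], _epoch(f[6]))
            blocks[-1].subkeys.append(pending)
        elif f[0] == "fpr" and pending is not None:
            pending.fingerprint = f[9]
            pending = None
        elif f[0] == "uid" and blocks:
            blocks[-1].uids.append(f[9])
    return blocks

def audit(blocks: list[KeyBlock], now_epoch: int | None = None, within_days: int = 30):
    """Return (status, block, key) for every key that is expired or expires soon."""
    now = int(time.time()) if now_epoch is None else now_epoch
    findings = []
    for b in blocks:
        for k in (b.primary, *b.subkeys):
            if k.expires is None:
                continue  # no expiration set on this key
            if k.validity == "e" or k.expires <= now:
                findings.append(("expired", b, k))
            elif k.expires - now <= within_days * 86400:
                findings.append(("expiring", b, k))
    return findings

def quick_set_expire_commands(block: KeyBlock, duration: str = "3y") -> list[str]:
    """`gpg --quick-set-expire FPR EXPIRE [SUBKEY-FPRS...]` (GnuPG 2.1.17+): the primary
    fingerprint alone updates the primary key; appended subkey fingerprints update
    those subkeys instead. Returned as strings for review, not executed."""
    fpr = block.primary.fingerprint
    cmds = [f"gpg --quick-set-expire {fpr} {duration}"]
    if block.subkeys:
        cmds.append(f"gpg --quick-set-expire {fpr} {duration} "
                    + " ".join(sk.fingerprint for sk in block.subkeys))
    return cmds

if __name__ == "__main__":
    try:  # audit the real keyring when gpg is installed, else the constructed sample
        listing = subprocess.run(["gpg", "--list-keys", "--with-colons"],
                                 capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        listing = SAMPLE_LISTING
    blocks = parse_colon_listing(listing)
    findings = audit(blocks)
    for status, block, key in findings:
        uid = block.uids[0] if block.uids else "(no user id)"
        when = datetime.fromtimestamp(key.expires, tz=timezone.utc).date()
        print(f"{status:8} {key.kind} {key.keyid}  {uid}  expires {when}")
    for block in {id(b): b for _, b, _ in findings}.values():
        print("\n".join(quick_set_expire_commands(block)))
```

The script prints the commands instead of running them so you can check which fingerprints are about to be changed; a key you extend this way still needs step 9 below (re-publishing the public key), since the new expiration date is only a self-signature stored in your local keyring until you send it out.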

9. Publish your new public key

You want to publish your key to various key servers. Here I use the Ubuntu key server's host name, but feel free to add your key to any (safe) key server available out there; just change the domain name.

$ gpg --keyserver keyserver.ubuntu.com --send-keys KEY-ID

Note: From my example above, the KEY-ID would be: 123123123.

Note that sending the key to other servers as well gives people who want to send you encrypted messages a fallback.

10. Update your key in Thunderbird

I suggest that you reopen Thunderbird...

... and then I noticed that you could extend your key directly inside Thunderbird with a couple of clicks! Darn.

Go to menu Tools » OpenPGP Key Manager

In there you'll see the expired key. Double-click on it, and in the new dialog you'll see a Change Expiration Date button. Click it and select the new expiration date or "no expiration".