6

I have a friend who has an OpenPGP key and I was enjoying having someone to write encrypted mails to. However, after 3 years his key just expired last month and now Thunderbird (with the Enigmail plugin) does not allow me to encrypt the mails anymore.

I am wondering: technically, there should be no issue using an expired key to encrypt a message?

I already informed him his key is expired but he got his first son very recently and told me he currently has no time to renew his key (you know, digging up the master key, booting a secure live system, etc. pp.). I fully understand that it may take some time until he finds the time to do this.

However, now Thunderbird does not allow me to encrypt the messages anymore because his key is expired. I am wondering, what is worse, an expired key or unencrypted mails?

Isn't it possible to send an encrypted message to a user with an expired OpenPGP key?

Jens Erat
q9f

2 Answers

6

GnuPG does not have an option to use "unusable" keys anyway (i.e., those that are revoked or expired). You'll have to fiddle with the system time, as already proposed.

Faking Time with GnuPG Debug Options

GnuPG even has an option for this (reading unix epoch timestamps or ISO date values like --faked-system-time 2010-12-24T180000), but this is only enabled when compiled with debug flags.

faketime tool

For Linux systems (and probably other unixoid operating systems), there is the handy faketime tool, which allows running another program with a faked system time (and has some more features, like speeding up time for the application called):

faketime 2010-12-24 gpg --recipient your-recipient --encrypt

I didn't try with Thunderbird: you might have to start Thunderbird with this option, or manually start a gpg-agent --daemon with faketime. Starting Thunderbird with a faked system time might result in a bunch of other problems, like invalid X.509 certificates for TLS connections. But for a few messages, composing the encrypted message manually and then pasting the ASCII-armored contents as "inline PGP" into Thunderbird should probably be fine.

Changing System Time

As a last resort, you'll have to drop to changing the system time, which will work on all operating systems (but it shares the issue of X.509 certificates not yet being valid, this time for all applications).

Jens Erat
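As an added example (my own script, not code from the answer above and not part of GnuPG or faketime), here is a POSIX shell snippet that first reads the recipient's key from gpg's machine-readable colon listing to confirm that gpg really marks it as expired, then derives the relative offset that faketime accepts ("-Nd", N days in the past) so gpg sees a date on which the key was still valid. It assumes the documented layout of `gpg --list-keys --with-colons` (field 2 of a `pub` record is the validity flag, 'e' meaning expired; field 7 is the expiration epoch) and libfaketime's relative offset syntax; the colon output embedded below is constructed sample data, not a real key. Rewinding the clock makes gpg skip a check the key owner asked for, so this is a short-term workaround until the friend extends the expiry.

```shell
#!/bin/sh
# Added example, not from the answer above: decide from gpg's colon listing
# whether the recipient's key is expired and, if so, build a faketime
# invocation that rewinds the clock to one day before the expiry.

# Constructed sample of `gpg --list-keys --with-colons` output (not a real
# key). In a pub record, field 2 is the validity flag ('e' = expired),
# field 6 the creation epoch and field 7 the expiration epoch (empty when
# the key never expires). This sample expired on 2015-03-01 (1425168000).
SAMPLE_COLONS='tru::1:1425000000:0:3:1:5
pub:e:2048:1:0123456789ABCDEF:1330560000:1425168000::-:::sc::::::23::0:
uid:e::::1330560000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Friend <friend@example.org>::::::::::0:
sub:e:2048:1:FEDCBA9876543210:1330560000:1425168000:::::e::::::23:'

# key_expiry_epoch: read colon-format lines on stdin and print the
# expiration epoch of the first pub record, or "never" if it has none.
key_expiry_epoch() {
  awk -F: '$1 == "pub" { e = ($7 == "") ? "never" : $7; print e; exit }'
}

# key_is_expired: exit status 0 only if gpg itself flagged the primary key
# as expired; a listing without a pub record counts as not expired.
key_is_expired() {
  awk -F: '$1 == "pub" { found = 1; expired = ($2 == "e"); exit }
           END { if (found && expired) exit 0; exit 1 }'
}

# faketime_offset EXPIRY_EPOCH NOW_EPOCH: print the faketime argument that
# rewinds the clock to one day before expiry, rounded up to whole days.
# Prints nothing when the key has not expired yet (no faketime needed).
faketime_offset() {
  expiry=$1; now=$2
  [ "$now" -le "$expiry" ] && return 0
  target=$((expiry - 86400))
  days=$(( (now - target + 86399) / 86400 ))
  printf '%s%dd\n' '-' "$days"
}

# encrypt_cmd KEYID NOW_EPOCH: print the gpg command to run, wrapped in
# faketime only when the key is expired. --armor gives ASCII output that
# can be pasted into the mail body as inline PGP, as the answer suggests.
encrypt_cmd() {
  keyid=$1; now=$2
  expiry=$(printf '%s\n' "$SAMPLE_COLONS" | key_expiry_epoch)
  offset=''
  if [ "$expiry" != "never" ]; then
    offset=$(faketime_offset "$expiry" "$now")
  fi
  if [ -n "$offset" ]; then
    printf 'faketime %s gpg --armor --recipient %s --encrypt\n' "$offset" "$keyid"
  else
    printf 'gpg --armor --recipient %s --encrypt\n' "$keyid"
  fi
}

# Usage against the constructed sample, 100 days after the expiry:
#   encrypt_cmd 0123456789ABCDEF 1433808000
# On a real system replace SAMPLE_COLONS with
#   gpg --list-keys --with-colons "$keyid"
# and pass "$(date +%s)" as the current epoch.
```

Because the offset is relative rather than an absolute date, the same string works whenever the script is run, and only the gpg process (not Thunderbird or its TLS connections) sees the faked clock.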
1

I just played with it a little on GnuPG's command line but I found no option to persuade GnuPG to use an expired key.

You can tweak your own computer's clock but this might create other problems.

So the only hope is that your friend creates a new key or extends the expiration date of the existing key.