I am trying to get cert expiration data from a .PGP file, so I ran this command:
$ gpg --list-packets ./mycert.pgp
This is the resultant output, with the parts I perceive as relevant highlighted using the notation "<-------- HERE":
# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
	version 4, algo 1, created 1658851728, expires 0 <-------- HERE
	pkey[0]: [2048 bits]
	pkey[1]: [17 bits]
	keyid: 067A7B47D1B82B2E
# off=272 ctb=b4 tag=13 hlen=2 plen=59
:user ID packet: "Chuck Smith [email protected]"
# off=333 ctb=89 tag=2 hlen=3 plen=320
:signature packet: algo 1, keyid 067A7B47D1B82B2E
	version 4, created 1658851728, md5len 0, sigclass 0x10
	digest algo 8, begin of digest 31 67
	hashed subpkt 2 len 4 (sig created 2022-07-26) <-------- HERE
	hashed subpkt 9 len 4 (key expires after 1y98d0h0m) <-------- HERE
	hashed subpkt 11 len 8 (pref-sym-algos: 2 1 3 7 8 9 10 4)
…and so on. It goes on and on, but these are the parts I spotted that seemed to be about expiration.
The first line I called out says “expires 0” and seems to me to imply that the cert will never expire. The second and third call-outs seem to imply an expiration date that’s already passed (July 26th, 2022 plus 1 year, 98 days).
The second and third lines seem more explicit. The first line is much more terse. So, if you showed me this data without context, and pressed me for an answer, I would probably say “this cert is expired.”
However, so far as I can tell, this cert continues to work well for the purpose I am using it for (asymmetric key encryption for a recipient outside my company). Everyone is still getting their data and is able to decrypt it.
So, I have two theories:
- The cert is expired, but the key pair remains mathematically valid for encryption purposes. We're still using it, and neither of us cares to validate or enforce the putative expiration date.
- The cert really does never expire, as per the first line I called out. The GPG output format is a bit obscure, and the second and third lines I called out mean something, but they don't represent the data I am looking for.
I am leaning towards option 1 above, but I am curious what others know about this. Thanks!
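Added example, not code from the question or from GnuPG: a small parser that resolves the effective expiry from exactly the `gpg --list-packets` text shown above. Two facts about the format drive it. A version 4 public-key packet has no expiration field at all (only the obsolete v3 format had one), so GnuPG prints "expires 0" for every v4 key regardless of its lifetime. The lifetime instead lives in the key's self-certification (a signature of class 0x10 to 0x13 made by the key itself over a user ID) as hashed subpacket 9, "Key Expiration Time", which is a count of seconds after the key's creation time; `--list-packets` renders that count as "1y98d0h0m", where GnuPG's formatter uses 365-day years and drops seconds. The code parses both, adds them, and also handles a constructed variant of the same listing with no subpacket 9, which is what a key that genuinely never expires looks like. If several self-signatures are present it uses the newest, since re-signing with a new subpacket 9 is how an expiry is extended. The listing embedded in the block is the one from the question; the second listing is constructed from it.

```python
"""Resolve an OpenPGP v4 key's effective expiry from `gpg --list-packets` text.

Added example. A v4 public-key packet has no expiration field, so gpg prints
"expires 0" for every v4 key. The lifetime is carried in the most recent
self-certification (sigclass 0x10..0x13 made by the key itself) as hashed
subpacket 9, "Key Expiration Time": seconds after the key's creation time,
which gpg renders as e.g. "1y98d0h0m" (year = 365 days, seconds dropped).
"""
import re
from datetime import datetime, timezone
from typing import Optional

KEY_CREATED_RE = re.compile(r"created (\d+)")
KEYID_RE = re.compile(r"keyid: ([0-9A-Fa-f]{16})")
SIG_HEADER_RE = re.compile(r":signature packet: algo \d+, keyid ([0-9A-Fa-f]{16})")
SIG_VERSION_RE = re.compile(r"version \d+, created (\d+),.*sigclass 0x([0-9A-Fa-f]{2})")
EXPIRES_RE = re.compile(r"hashed subpkt 9 len \d+ \(key expires after (\S+)\)")
DURATION_RE = re.compile(r"^(\d+)y(\d+)d(\d+)h(\d+)m$")


def duration_to_seconds(text: str) -> int:
    """Invert gpg's 'NyNdNhNm' rendering (year = 365 days; seconds were dropped)."""
    m = DURATION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    years, days, hours, minutes = map(int, m.groups())
    return (((years * 365 + days) * 24 + hours) * 60 + minutes) * 60


def split_packets(listing: str) -> list:
    """Each '# off=...' header starts a new packet; return the packet bodies."""
    return [p.strip("\n") for p in re.split(r"(?m)^# off=.*$", listing) if p.strip()]


def effective_expiry(listing: str) -> dict:
    """Return the primary key's id, creation epoch and resolved expiry epoch (or None)."""
    key_id = key_created = None
    newest_selfsig = None  # (sig_created, expires_after_seconds or None)
    for packet in split_packets(listing):
        if packet.startswith(":public key packet:"):
            key_created = int(KEY_CREATED_RE.search(packet).group(1))
            key_id = KEYID_RE.search(packet).group(1).upper()
        elif packet.startswith(":signature packet:") and key_id is not None:
            sig_key = SIG_HEADER_RE.search(packet).group(1).upper()
            ver = SIG_VERSION_RE.search(packet)
            sig_created, sigclass = int(ver.group(1)), int(ver.group(2), 16)
            # Only self-certifications over a user ID carry the primary key's lifetime;
            # other people's certifications and subkey bindings (0x18) are skipped.
            if sig_key != key_id or not 0x10 <= sigclass <= 0x13:
                continue
            m = EXPIRES_RE.search(packet)
            expires_after = duration_to_seconds(m.group(1)) if m else None
            # A newer self-signature supersedes an older one (that is how expiry is extended).
            if newest_selfsig is None or sig_created > newest_selfsig[0]:
                newest_selfsig = (sig_created, expires_after)
    if key_created is None:
        raise ValueError("no public key packet found")
    expires_after = newest_selfsig[1] if newest_selfsig else None
    return {
        "keyid": key_id,
        "created": key_created,
        "expires": None if expires_after is None else key_created + expires_after,
    }


def expiry_iso(listing: str) -> Optional[str]:
    """Human-readable UTC expiry, or None when the key never expires."""
    exp = effective_expiry(listing)["expires"]
    return None if exp is None else datetime.fromtimestamp(exp, timezone.utc).isoformat()


def is_expired(listing: str, now: int) -> bool:
    exp = effective_expiry(listing)["expires"]
    return exp is not None and now >= exp


# Listing taken from the question (only the packets that matter for expiry).
LISTING_FROM_POST = """\
# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
    version 4, algo 1, created 1658851728, expires 0
    pkey[0]: [2048 bits]
    pkey[1]: [17 bits]
    keyid: 067A7B47D1B82B2E
# off=272 ctb=b4 tag=13 hlen=2 plen=59
:user ID packet: "Chuck Smith [email protected]"
# off=333 ctb=89 tag=2 hlen=3 plen=320
:signature packet: algo 1, keyid 067A7B47D1B82B2E
    version 4, created 1658851728, md5len 0, sigclass 0x10
    digest algo 8, begin of digest 31 67
    hashed subpkt 2 len 4 (sig created 2022-07-26)
    hashed subpkt 9 len 4 (key expires after 1y98d0h0m)
    hashed subpkt 11 len 8 (pref-sym-algos: 2 1 3 7 8 9 10 4)
"""

# Constructed variant: same key, but the self-signature carries no subpacket 9,
# which is what a key that truly never expires looks like in --list-packets.
LISTING_NO_EXPIRY = LISTING_FROM_POST.replace(
    "    hashed subpkt 9 len 4 (key expires after 1y98d0h0m)\n", "")

if __name__ == "__main__":
    for name, listing in (("from post", LISTING_FROM_POST), ("constructed", LISTING_NO_EXPIRY)):
        info = effective_expiry(listing)
        print(f"{name}: key {info['keyid']} created {info['created']}, "
              f"expires {expiry_iso(listing) or 'never'}")
```

For the listing in the question this resolves to 1658851728 + 463 days = 1698854928, i.e. 2023-11-01 16:08:48 UTC, which is the value `gpg --show-keys ./mycert.pgp` (GnuPG 2.2 and later) prints as `[expires: 2023-11-01]` or `[expired: 2023-11-01]`, and which appears as field 7 of the `pub` line under `--with-colons`. Two caveats: the example resolves only the primary key's lifetime, while an encryption subkey carries its own subpacket 9 inside its 0x18 binding signature and can expire on a different date; and the "1y98d0h0m" string is GnuPG's minute-granular rendering, so the recovered epoch can be up to 59 seconds early compared with the raw subpacket value.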