Ubuntu PGP keyserver computes incorrect expiry times
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
hockeypuck | New | Undecided | Unassigned |
Bug Description
The Ubuntu keyserver website (http://
*PRIMARY KEY* CREATION TIME + *SUBKEY* VALIDITY DURATION;
rather than:
*SUBKEY* CREATION TIME + *SUBKEY* VALIDITY DURATION;
where:
- PRIMARY KEY CREATION TIME refers to the key creation timestamp
stored in the key's Public Key Packet (packet Tag 6);
- SUBKEY CREATION TIME refers to the subkey creation timestamp stored
in the Public Subkey Packet (packet Tag 14) for a given subkey; and
- SUBKEY VALIDITY DURATION refers to the value given in the
Key Expiration Time field (signature subpacket Type 9) of a
Signature Packet (packet Tag 2) that pertains to the given subkey;
subject to the definitions given in RFC 4880.
* * *
For example, the key with the following fingerprint exhibits this bug:
C62A 7455 5725 AB6D BA14 D1C2 92C8 C442 E2EE C796; which can be found at:
https:/
The key expiry times stated in signatures listed for:
- the primary key (0xE2EEC796, created at 2019-01-
- the subkey which was created at the same time as the primary key
(0x6C9E5795, also created at 2019-01-
are correct, but those listed for the other subkeys (0xD0D6987A, 0x0D75406B, 0x98CD505A) are incorrect, in the manner described above. (NOTE: The creation times of the signatures themselves are listed correctly; it is only the key expiration times that are affected.)
In particular:
- the expiry time of 0xD0D6987A given in the signature created at
2020-
should be 2020-06-
- the expiry times of 0x0D75406B and 0x98CD505A given in each of the
signatures created at 2020-07-
2019-
affects: | ubuntu → hockeypuck |
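The two computations from the report, as an added Go example (not Hockeypuck's code): a minimal RFC 4880 packet walk that reads the creation time from the Public-Key (Tag 6) and Public-Subkey (Tag 14) packets and the Key Expiration Time subpacket (Type 9) from each subkey binding signature, then returns the expiry computed both ways. The names `SubkeyExpiries`, `Expiry`, `pkt` and `Sample` are hypothetical, and the sample bytes and timestamps are constructed, not taken from the key in the report.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"time"
)

// Expiry holds both computations for one subkey binding signature.
type Expiry struct{ Correct, Buggy time.Time }

// SubkeyExpiries reads new-format packets with one-octet lengths; it stops at anything else.
func SubkeyExpiries(data []byte) (out []Expiry) {
	created := map[byte]int64{} // creation time of the latest packet seen, keyed by tag (6 or 14)
	for len(data) >= 2 && data[0]&0xC0 == 0xC0 && data[1] < 192 && len(data) >= 2+int(data[1]) {
		tag, body := data[0]&0x3F, data[2:2+int(data[1])]
		data = data[2+len(body):]
		switch {
		case (tag == 6 || tag == 14) && len(body) >= 5: // key packet: version, then creation time
			created[tag] = int64(binary.BigEndian.Uint32(body[1:5]))
		case tag == 2 && len(body) >= 6 && body[0] == 4 && body[1] == 0x18: // v4 subkey binding sig
			h := body[6:]
			if hl := int(binary.BigEndian.Uint16(body[4:6])); hl < len(h) {
				h = h[:hl] // hashed subpacket area
			}
			for len(h) >= 2 && h[0] > 0 && h[0] < 192 && int(h[0]) < len(h) {
				if h[1]&0x7F == 9 && h[0] == 5 { // Key Expiration Time: seconds after key creation
					d := int64(binary.BigEndian.Uint32(h[2:6]))
					out = append(out, Expiry{time.Unix(created[14]+d, 0).UTC(), time.Unix(created[6]+d, 0).UTC()})
				}
				h = h[1+int(h[0]):]
			}
		}
	}
	return out
}

// pkt frames body as a new-format packet (helper for the constructed sample below).
func pkt(tag byte, body ...byte) []byte { return append([]byte{0xC0 | tag, byte(len(body))}, body...) }

// Sample is constructed data, not the reported key; key material and signature MPIs are left out.
func Sample() []byte {
	k0 := []byte{4, 0x59, 0x68, 0x2F, 0x00, 1} // v4, created 1500000000, RSA
	k1 := []byte{4, 0x5B, 0x31, 0xF2, 0x80, 1} // v4, created 1530000000, RSA
	sig := pkt(2, 4, 0x18, 1, 8, 0, 6, 5, 9, 0x01, 0xE1, 0x33, 0x80, 0, 0) // type 9 = 31536000 s
	return bytes.Join([][]byte{pkt(6, k0...), pkt(14, k0...), sig, pkt(14, k1...), sig}, nil)
}

func main() { fmt.Println(SubkeyExpiries(Sample())) }
```

The first subkey shares the primary key's creation time, so both computations agree; the second, created later, is the case where the primary-key-based result falls short of the real expiry.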