The Ubuntu keyserver website (http://keyserver.ubuntu.com and https://keyserver.ubuntu.com) shows incorrect expiry times for subkeys of some
keys (though what specific conditions must be met to cause to bug, I am not
sure). However, the key material stored on the keyserver is correct, and thus
if the key is downloaded and imported into a local OpenPGP client (e.g. GnuPG),
all expiry times are reported correctly. Thus, this bug only appears to affect
the website frontend (that is, the expiry times which users will see if looking
at search results on the website). This appears to be because the expiry times
shown on the website for subkeys are computed as:
*PRIMARY KEY* CREATION TIME + *SUBKEY* VALIDITY DURATION;
rather than:
*SUBKEY* CREATION TIME + *SUBKEY* VALIDITY DURATION;
where:
- PRIMARY KEY CREATION TIME refers to the key creation timestamp stored in
the key's Public Key Packet (packet Tag 6);
- SUBKEY CREATION TIME refers to the subkey creation timestamp stored in
the Public Subkey Packet (packet Tag 14) for a given subkey; and
- SUBKEY VALIDITY DURATION refers to the value given in the Key Expiration
Time field (signature subpacket Type 9) of a Signature Packet (packet
Tag 2) that pertains to the given subkey;
The key expiry times stated in signatures listed for:
- the primary key (0xE2EEC796, created at 2019-01-10T00:03:22Z); and
- the subkey which was created at the same time as the primary key (0x6C9E5795, also created at 2019-01-10T00:03:22Z);
are correct, but those listed for the other subkeys (0xD0D6987A, 0x0D75406B,
0x98CD505A) are incorrect, in the manner described above. (NOTE: The creation
times of the signatures themselves are listed correctly; it is only the key
expiration times that are affected.)
In particular:
- the expiry time of 0xD0D6987A given in the signature created at 2020-06-24T19:51:57Z is listed as 2019-07-06T01:36:20Z, when it should
be 2020-06-30T23:59:59Z;
- the expiry times of 0x0D75406B and 0x98CD505A given in each of the
signatures created at 2020-07-01T00:00:01Z are listed as 2019-01-10T00:03:24Z, when they should be 2020-07-01T00:00:02Z.
The Ubuntu keyserver website (http:// keyserver. ubuntu. com and /keyserver. ubuntu. com) shows incorrect expiry times for subkeys of some
https:/
keys (though what specific conditions must be met to cause to bug, I am not
sure). However, the key material stored on the keyserver is correct, and thus
if the key is downloaded and imported into a local OpenPGP client (e.g. GnuPG),
all expiry times are reported correctly. Thus, this bug only appears to affect
the website frontend (that is, the expiry times which users will see if looking
at search results on the website). This appears to be because the expiry times
shown on the website for subkeys are computed as:
*PRIMARY KEY* CREATION TIME + *SUBKEY* VALIDITY DURATION;
rather than:
*SUBKEY* CREATION TIME + *SUBKEY* VALIDITY DURATION;
where:
- PRIMARY KEY CREATION TIME refers to the key creation timestamp stored in
the key's Public Key Packet (packet Tag 6);
- SUBKEY CREATION TIME refers to the subkey creation timestamp stored in
the Public Subkey Packet (packet Tag 14) for a given subkey; and
- SUBKEY VALIDITY DURATION refers to the value given in the Key Expiration
Time field (signature subpacket Type 9) of a Signature Packet (packet
Tag 2) that pertains to the given subkey;
subject to the definitions given in RFC 4880.
* * *
For example, the key with the following fingerprint exhibits this bug: /keyserver. ubuntu. com/pks/ lookup? search= 0x92C8C442E2EEC 796&op= index
C62A 7455 5725 AB6D BA14 D1C2 92C8 C442 E2EE C796; which can be found at:
https:/
The key expiry times stated in signatures listed for:
- the primary key (0xE2EEC796, created at 2019-01- 10T00:03: 22Z); and
- the subkey which was created at the same time as the primary key
(0x6C9E5795, also created at 2019-01- 10T00:03: 22Z);
are correct, but those listed for the other subkeys (0xD0D6987A, 0x0D75406B,
0x98CD505A) are incorrect, in the manner described above. (NOTE: The creation
times of the signatures themselves are listed correctly; it is only the key
expiration times that are affected.)
In particular:
- the expiry time of 0xD0D6987A given in the signature created at
2020-06- 24T19:51: 57Z is listed as 2019-07- 06T01:36: 20Z, when it should 30T23:59: 59Z;
be 2020-06-
- the expiry times of 0x0D75406B and 0x98CD505A given in each of the 01T00:00: 01Z are listed as
2019-01- 10T00:03: 24Z, when they should be 2020-07- 01T00:00: 02Z.
signatures created at 2020-07-