40

I renewed my gpg key pair, but I am still receiving the following error from gpg.

```
gpg: WARNING: Your encryption subkey expires soon.
gpg: You may want to change its expiration date too.
```

How can I renew the subkey?

cgl
  • Does this answer your question? [How to renew an expired keypair with gpg](https://unix.stackexchange.com/questions/177291/how-to-renew-an-expired-keypair-with-gpg) – Jonas Stein Jan 06 '20 at 15:57

3 Answers

53

List your keys.


```
$ gpg --list-keys
...
-------------------------------
pub   rsa2048 2019-09-07 [SC] [expires: 2020-11-15]
      AF4RGH94ADC84
uid           [ultimate] Jill Doe (CX) <[email protected]>
sub   rsa2048 2019-09-07 [E] [expired: 2019-09-09]

pub   rsa2048 2019-12-13 [SC] [expires: 2020-11-15]
      7DAA371777412
uid           [ultimate] Jill Doe <[email protected]>
-------------------------------
...
```

We want to edit key AF4RGH94ADC84. The subkey is the second one in the list that is named ssb.


```
$ gpg --edit-key AF4RGH94ADC84

gpg> list

sec  rsa2048/AF4RGH94ADC84
     created: 2019-09-07  expires: 2020-11-15  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/56ABDJFDKFN
     created: 2019-09-07  expired: 2019-09-09  usage: E
[ultimate] (1). Jill Doe (CX) <[email protected]>
```

So we want to edit the first subkey (ssb):

```
ssb  rsa2048/56ABDJFDKFN
     created: 2019-09-07  expired: 2019-09-09  usage: E
[ultimate] (1). Jill Doe (CX) <[email protected]>
```

When you select key (1), you should see the * next to it such as ssb*. Then you can set the expiration and then save.

```
gpg> key 1

sec  rsa2048/AF4RGH94ADC84
     created: 2019-09-07  expires: 2020-11-15  usage: SC
     trust: ultimate      validity: ultimate
ssb*  rsa2048/56ABDJFDKFN
     created: 2019-09-07  expired: 2019-09-09  usage: E
[ultimate] (1). Jill Doe (CX) <[email protected]>

gpg> expire
...

Changing expiration time for a subkey.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years

Key is valid for? (0) 2y
Key expires at Wed 9 Sep 16:20:33 2021 GMT
Is this correct? (y/N) y

sec  rsa2048/AF4RGH94ADC84
     created: 2019-09-07  expires: 2020-11-15  usage: SC
     trust: ultimate      validity: ultimate
ssb*  rsa2048/56ABDJFDKFN
     created: 2019-09-07  expires: 2021-09-09  usage: E
[ultimate] (1). Jill Doe (CX) <[email protected]>
...

gpg> save
```

Don't forget to save the changes before quitting!

cgl
  • 3
    Thanks for the detailed instruction, it saved my day. Not sure why `gpg` is designed in such a confusing fashion which forces you to look for the answer everywhere. – Jianwu Chen Jul 29 '21 at 08:48
  • 1
    The most confusing part (that brings me back to this answer once a year) is that you have to use `expire` to renew a key. – Yan Foto May 10 '22 at 16:12
1

There is (a newer?) option in gpg (2.2.41) where you can extend all your subkeys at once with only the command:
```
gpg --quick-set-expire <1> <2> <3>
```

meaning:

<1> fingerprint of your key (from gpg --list-secret-keys)
<2> how long you would like to extend the expiration period
<3> optionally, the subkey fingerprints to extend ('*' to extend all non-expired subkeys)

e.g.:
```
gpg --quick-set-expire 7BCDED693SECRETKEY1552ACB71237 7w '*'
```

Stephen Kitt
MacMartin
  • Usage is wrong: `usage: gpg [options] --quick-set-expire FINGERPRINT EXPIRE [SUBKEY-FPRS]` – arved Apr 28 '23 at 10:56
  • yes thanks, I will correct that – MacMartin Apr 28 '23 at 11:13
  • `*` works only for not yet expired sub-keys. – Rudolf Adamkovic May 04 '23 at 13:01
  • And where am I supposed to retrieve SUBKEY-FPRS? I've tried the subkeys keygrips, and they are rejected; there's also a 'fpr' command to show the fingerprint of a key, but that only shows the fingerprint of the main key. – user30747 Jul 26 '23 at 18:26
  • @user30747: in the edit-key dialog `fpr *` includes subkeys, but I'm not sure about expired and don't currently have one to test. At commandline (where you would do `--quick-set-expire`) `gpg -K --with-subkey-fingerprint [--list-options=show-unusable-subkeys]` – dave_thompson_085 Aug 12 '23 at 01:36
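Added example (not part of the answers or comments above, and not GnuPG's own code): since `'*'` skips subkeys that have already expired, this sketch pulls the fingerprints of expired or soon-to-expire subkeys out of a `--with-colons` listing so they can be passed explicitly as SUBKEY-FPRS. The helper names, the 30-day window and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Colon-listing fields (GnuPG doc/DETAILS): 1 = record type, 2 = validity
# ("e" = expired), 7 = expiry in epoch seconds, 12 = capabilities. The "fpr"
# record that follows a key line holds that key's fingerprint in field 10.

# expiring_subkeys NOW_EPOCH WINDOW_DAYS   (hypothetical helper name)
# Reads a colon listing on stdin; prints "FINGERPRINT CAPS STATUS" for each
# subkey that is expired or expires within WINDOW_DAYS.
expiring_subkeys() {
    awk -F: -v now="$1" -v days="$2" '
        $1 == "pub" || $1 == "sec" { want = 0; next }   # skip the primary key
        $1 == "sub" || $1 == "ssb" {
            want = 0; caps = $12
            if ($2 == "e" || ($7 != "" && $7 + 0 <= now + 0)) {
                want = 1; status = "expired"
            } else if ($7 != "" && $7 - now <= days * 86400) {
                want = 1; status = "expiring"
            }
            next
        }
        $1 == "fpr" && want { print $10, caps, status; want = 0 }
    '
}

# Constructed sample listing (fake key IDs and fingerprints, not real keys).
sample_listing() {
    cat <<'EOF'
sec:u:2048:1:00000000000000E1:1567814400:1605398400::u:::scESC:
fpr:::::::::00000000000000000000000000000000000000E1:
uid:u::::1567814400::::Jill Doe (constructed) <jill@example.invalid>:
ssb:e:2048:1:00000000000000E2:1567814400:1567987200:::::e:
fpr:::::::::00000000000000000000000000000000000000E2:
ssb:u:2048:1:00000000000000E3:1567814400:1600000000:::::s:
fpr:::::::::00000000000000000000000000000000000000E3:
ssb:u:2048:1:00000000000000E4:1567814400:1700000000:::::a:
fpr:::::::::00000000000000000000000000000000000000E4:
ssb:u:2048:1:00000000000000E5:1567814400::::::e:
fpr:::::::::00000000000000000000000000000000000000E5:
EOF
}

# Fixed "now" (2020-09-01 UTC) so the sample result is reproducible.
sample_listing | expiring_subkeys 1599000000 30

# Against a real keyring (listing flags taken from the comment above):
#   gpg -K --with-colons --with-subkey-fingerprint \
#       --list-options=show-unusable-subkeys | expiring_subkeys "$(date +%s)" 30
```

The first column of each printed line is what goes in the SUBKEY-FPRS position of `gpg --quick-set-expire FINGERPRINT EXPIRE [SUBKEY-FPRS]`.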
-2

I solved this by installing and using openPGP. Click on the "expire" button; it won't accept "never expires", but you can set a date in the future.

Jeff Schaller