gpg expiration TIME?

I have a licence that I’m signing with:

gpg --default-sig-expire "2024-02-14" --sign licence

This results in:

$ gpg --verify licence.gpg
gpg: Signature made Tue 13 Feb 2024 08:18:39 AM CET
gpg:                using RSA key 1234567890ABCDEF1234567890ABCDEF
gpg:                issuer "stew@unix.stackexchange.com"
gpg: Good signature from "Stewart <stew@unix.stackexchange.com>" [ultimate]
gpg: Signature expires Wed 14 Feb 2024 12:00:00 PM CET

The 12:00:00 PM CET is my problem. I’m usually going for lunch at that time. I’d rather not get phone calls about systems going offline while I’m at lunch. Is it possible to specify the time? I’d rather it expired at 13:00:00 PM CET.


--ask-sig-expire only prompts you for the number of days/weeks/years:

$ gpg --ask-sig-expire --sign licence
Please specify how long the signature should be valid.
         0 = signature does not expire
      <n>  = signature expires in n days
      <n>w = signature expires in n weeks
      <n>m = signature expires in n months
      <n>y = signature expires in n years
Signature is valid for? (0) 

ISO 8601 doesn’t seem supported:

$ gpg --default-sig-expire "2024-02-14T13:00:00+02:00" --sign licence
gpg: '2024-02-14T13:00:00+02:00' is not a valid signature expiration

The man systemd.time specification doesn’t seem supported:

$ gpg --default-sig-expire "2024-02-14 13:00:00" --sign licence
gpg: '2024-02-14 13:00:00' is not a valid signature expiration

The man page also doesn’t suggest that a time is possible:

--default-sig-expire
       The default expiration time to use for signature expiration. Valid values 
       are "0" for no expiration, a number followed by the letter d (for days), 
       w (for weeks), m (for months), or  y (for years) (for example "2m" for two 
       months, or "5y" for five years), or an absolute date in the form 
       YYYY-MM-DD. Defaults to "0".

The only solution I’ve found is to change my system’s time zone to the next timezone west of me, then sign, then set my system’s time zone back to my original time.

$ sudo mv /etc/localtime{,.backup} 
$ sudo ln -s /usr/share/zoneinfo/Europe/London /etc/localtime
$ gpg --default-sig-expire "2024-02-14" --sign licence
$ sudo mv /etc/localtime{.backup,}
$ gpg --verify licence.gpg
gpg: Signature made Tue 13 Feb 2024 08:18:39 AM CET
gpg:                using RSA key 1234567890ABCDEF1234567890ABCDEF
gpg:                issuer "stew@unix.stackexchange.com"
gpg: Good signature from "Stewart <stew@unix.stackexchange.com>" [ultimate]
gpg: Signature expires Wed 14 Feb 2024 01:00:05 PM CET
Asked By: Stewart

||

The only format accepted by --default-sig-expire with a time specification is YYYYMMddTHHmmss[Z]:

gpg --default-sig-expire 20240214T130000 --sign license

Any timezone specifier is ignored, and daylight savings time is ignored too; so currently in Europe this produces an expiration time one hour later than the time specified. Processing time also affects the ultimate signature expiry; for example, if gpg prompts for anything (e.g. to confirm overwriting an existing signed file), the incurred delay pushes the expiration back.

To check this, look for the --default-sig-expire definition, then determine that the option’s value is parsed using parse_expire_string, which knows about a number of formats. The only one of those which accepts an absolute timestamp including hours, minutes, and seconds, is isotime2epoch (and its 64-bit time_t variant), with a comment specifying

The only supported format is "yyyymmddThhmmss[Z]" delimited by white space, nul, a colon or a comma.

Answered By: Stephen Kitt
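
An added example (not part of either post, and not GnuPG's own code): a Python helper that turns a desired expiry written with an explicit UTC offset into the compact form named in the answer, and shows what a verifier at a given offset would then see. It assumes the compact value is read as UTC, which is what the one-hour shift described in the answer implies; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Format named in the answer: yyyymmddThhmmss with an optional trailing Z.
ISOTIME = re.compile(r"^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z?$")


def to_gpg_expire(wanted: str) -> str:
    """Convert ISO 8601 with an explicit offset into yyyymmddThhmmss (UTC)."""
    dt = datetime.fromisoformat(wanted)
    if dt.tzinfo is None:
        # Without an offset the result would depend on the signing machine.
        raise ValueError("give an explicit UTC offset, e.g. +01:00")
    return dt.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%S")


def isotime_to_epoch(value: str) -> int:
    """Read a compact timestamp as UTC (assumption taken from the answer)."""
    m = ISOTIME.match(value)
    if not m:
        raise ValueError(f"{value!r} is not yyyymmddThhmmss[Z]")
    y, mo, d, h, mi, s = map(int, m.groups())
    # datetime() itself rejects impossible dates such as 20240230.
    return int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp())


def shown_expiry(value: str, offset_hours: int) -> str:
    """Wall-clock expiry seen by a verifier at a fixed UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    local = datetime.fromtimestamp(isotime_to_epoch(value), tz)
    return local.strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    # Constructed input: the asker's goal, 13:00 CET (UTC+1) on 2024-02-14.
    arg = to_gpg_expire("2024-02-14T13:00:00+01:00")
    print(f'gpg --default-sig-expire {arg} --sign licence')
    print("verifier at UTC+1 sees:", shown_expiry(arg, 1))
    # Passing the local time unchanged lands an hour late, as the answer notes.
    print("unconverted value gives:", shown_expiry("20240214T130000", 1))
```

The delay between option parsing and signing that the answer mentions is not modelled here, so the expiry gpg reports can be a few seconds later than the value computed.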