Bug 358392

Summary: Key could not be certified. Certificate expired, but NOT!
Product: [Applications] kleopatra Reporter: rigel3925-w8v2
Component: generalAssignee: Andre Heinecke <aheinecke>
Status: RESOLVED FIXED    
Severity: normal CC: franzschrober, KDE, kdepim-bugs, mattm3a, mutz
Priority: NOR    
Version: 2.2.0   
Target Milestone: ---   
Platform: Microsoft Windows   
OS: Microsoft Windows   
Latest Commit: Version Fixed In:

Description rigel3925-w8v2 2016-01-22 21:42:43 UTC
The date is between the dates in the columns labeled "Valid From" and "Valid Until"; however, trying to certify the Facebook certificate  generates an error window that says, "The certificate could not be certified. Error: Certificate expired."





Reproducible: Always

Steps to Reproduce:
1. Put PGP public key in Facebook About/Contact section, and receive encrypted confirmation email via Thunderbird.
2. Import Facebook public key from keyserver while reading email in Thunderbird
3. In Kleopatra confirm the imported key fingerprint from the one published at:
https://www.facebook.com/notes/protect-the-graph/securing-email-communications-from-facebook/1611941762379302?__mref=message_bubble
Comment 1 rigel3925-w8v2 2016-01-22 22:02:13 UTC
I have previously relocated my directory "Documents and Settings/<user>" from a solid state drive partition mounted as C: to a normal hard drive partition on another drive letter.
The subdirectory "/Application Data/gnupg" was created there.
Comment 2 rigel3925-w8v2 2016-01-22 22:26:41 UTC
Additionally, I had deleted the gnupg directory containing keyring data and imported my certificate from a backup copy.
Comment 3 Andre Heinecke 2016-02-19 18:01:56 UTC
The error indicates that the Certificate you want to use is expired and not that the certificate you are trying to sign is expired. So check that your own certificate that you want to use to certifiy facebooks certificate is not expired.

Kleopatra should not offer to use an expired certificate for certification. I've just checked that it does and this leads to exactly your error (the error comes from gnupg so nothing we can do about that).
I'll fix that you can't select expired or revoked certificates for certification anymore.
Comment 4 Andre Heinecke 2016-02-19 18:02:06 UTC
Git commit 3059055775c4921db3d56de9f6b0a12579a15f3b by Andre Heinecke.
Committed on 19/02/2016 at 17:59.
Pushed by aheinecke into branch 'master'.

Do not show unusable certificates for certify

Trying to certify a UID with a revoked or expired certificate
fails in GnuPG. So Kleopatra should not even offer that.

M  +8    -6    kleopatra/commands/certifycertificatecommand.cpp

http://commits.kde.org/kdepim/3059055775c4921db3d56de9f6b0a12579a15f3b
Comment 5 rigel3925-w8v2 2016-02-21 04:26:57 UTC
The certificate that I created for myself to start using Facebook's email encryption says that it is valid "from 2016-01-22 12:55 until forever" in the "Overview" tab of the "Certificate Details" window accessible by right clicking the certificate in the "All Certificates" list.  The only other certificate in the list is the Facebook one that is valid until 2018-05-17. I only started using Kleopatra and Enigmail 1.8.2 out of curiosity about the encrypted communications features that Facebook has rolled out.
Comment 6 rigel3925-w8v2 2016-02-21 04:44:00 UTC
I have successfully received several encrypted birthday notification emails from Facebook.
Comment 7 rigel3925-w8v2 2016-02-21 06:09:45 UTC
You're sure there are no incorrect parameters passed to the gpg subsystem? 

I'm done with this too, because I don't know anything about the interface between gpg and kleopatra.
Comment 8 Andre Heinecke 2016-02-22 09:11:37 UTC
I've tested here that with an unexpired certificate it worked fine. But trying to sign another certificate with an expired certificate caused the error you've mentioned.

I've now downloaded facebooks certificate and tried to sign that and could reproduce the problem you've described. Kleopatra tells me certificate expired although my own certificate is not expired.

So -> Reopened :-)
Comment 9 Andre Heinecke 2016-02-22 09:13:44 UTC
The problem is likely that while the primary key is not expired it contains an expired subkey and Kleopatra does not handle this correctly.
Comment 10 rigel3925-w8v2 2016-03-05 07:05:44 UTC
There seems to be a subkey in the key I created for myself; however, the "good through date" is the same as the main key. They are both good forever with no expiration date. 

I couldn't decide when to expire my key so I selected forever. Is that something not usually done? Well, that's what I did it.
Comment 11 Andre Heinecke 2016-04-08 16:59:12 UTC
*** Bug 325760 has been marked as a duplicate of this bug. ***
Comment 12 Andre Heinecke 2016-04-08 17:21:03 UTC
*** Bug 206686 has been marked as a duplicate of this bug. ***
Comment 13 rigel3925-w8v2 2016-04-09 05:43:06 UTC
Since my last comment I have stopped using Windows XP (32 bit) due to Google Chrome announcing an end of support date. I installed Windows 7 64-bit on a fresh partition along with Thunderbird, Enigmail and Kleopatra. I've redirected my documents directories to another drive partition, but I have left "documents and settings" alone since it's protected and I haven't blindly followed anyone's hacks yet.

I still get the same error when trying to certify Facebook's public certificate which is the only other certificate besides my own I have stored so far:

The certificate could
not be certified.
Error: Certificate
expired

My certificate is valid forever, and Facebook's is valid until 2018-05-17; two more years from now.
    .    .    .
I now see under "Technical Details" that Facebook's certificate has a part that will expire on 2016-06-12, two months from now, and a part that expired 2015-11-14, before I started trying to certify the certificate. 

Facebook has two fingerprints published--one for the main key and one for an "operational subkey". Instead having only one personal certification for the entirety of Facebook's certificate, it appears that each component part of the certificate should be independently certified with the different published fingerprints. The code in Kleopatra needs to be expanded in this way.

Is encrypted email starting to take off and become ubiquitous now?
Comment 14 Andre Heinecke 2016-04-29 14:50:49 UTC
I've analyzed this a bit more. Kleopatra is not to blame here I think. As soon as it asks GnuPG "Hey I wish to modify this certificate" GnuPG sends an error "Certificate Expired". I can reproduce it on the command line with GnuPG directly if I call it in a similar way as it is called by Kleopatra.

I've reported this upstream, maybe kleopatra should ignore that error but I find it strange.
https://bugs.gnupg.org/gnupg/issue2339
Comment 15 Andre Heinecke 2016-06-27 13:20:06 UTC
Git commit 1bc61d71db86c28c4306aed129f133a2c3cce6e9 by Andre Heinecke.
Committed on 27/06/2016 at 13:07.
Pushed by aheinecke into branch 'master'.

Do not treat KEYEXPIRED as error

GnuPG doc/DETAILS already mentions that this status code
is of limited usefulness as it is emited as soon as one
subkey is expired. So this can't be used as an error indication.

Backport of GpgME Commit: 82d484c8

Merge: None. This needs rev. 3872dcaa to actually make the commands
work.

M  +0    -2    src/editinteractor.cpp

http://commits.kde.org/gpgmepp/1bc61d71db86c28c4306aed129f133a2c3cce6e9
Comment 16 Andre Heinecke 2016-06-27 13:22:26 UTC
This will be fixed in Gpg4win-3.0.0 / The next beta we will release there. (Probably sometime in the next two weeks)

Betas are announced on gpg4win-devel mailing list and can be found under
https://wiki.gnupg.org/Gpg4win/Testversions

Thanks for your help reporting this.
Comment 17 KDE 2017-02-01 11:11:26 UTC
I'm still getting this behaviour in Kubuntu 16.04.