The date is between the dates in the columns labeled "Valid From" and "Valid Until"; however, trying to certify the Facebook certificate generates an error window that says, "The certificate could not be certified. Error: Certificate expired."
Steps to Reproduce:
1. Put PGP public key in Facebook About/Contact section, and receive encrypted confirmation email via Thunderbird.
2. Import Facebook public key from keyserver while reading email in Thunderbird
3. In Kleopatra confirm the imported key fingerprint from the one published at:
I have previously relocated my directory "Documents and Settings/<user>" from a solid state drive partition mounted as C: to a normal hard drive partition on another drive letter.
The subdirectory "/Application Data/gnupg" was created there.
Additionally, I had deleted the gnupg directory containing keyring data and imported my certificate from a backup copy.
The error indicates that the Certificate you want to use is expired and not that the certificate you are trying to sign is expired. So check that your own certificate that you want to use to certifiy facebooks certificate is not expired.
Kleopatra should not offer to use an expired certificate for certification. I've just checked that it does and this leads to exactly your error (the error comes from gnupg so nothing we can do about that).
I'll fix that you can't select expired or revoked certificates for certification anymore.
Git commit 3059055775c4921db3d56de9f6b0a12579a15f3b by Andre Heinecke.
Committed on 19/02/2016 at 17:59.
Pushed by aheinecke into branch 'master'.
Do not show unusable certificates for certify
Trying to certify a UID with a revoked or expired certificate
fails in GnuPG. So Kleopatra should not even offer that.
M +8 -6 kleopatra/commands/certifycertificatecommand.cpp
The certificate that I created for myself to start using Facebook's email encryption says that it is valid "from 2016-01-22 12:55 until forever" in the "Overview" tab of the "Certificate Details" window accessible by right clicking the certificate in the "All Certificates" list. The only other certificate in the list is the Facebook one that is valid until 2018-05-17. I only started using Kleopatra and Enigmail 1.8.2 out of curiosity about the encrypted communications features that Facebook has rolled out.
I have successfully received several encrypted birthday notification emails from Facebook.
You're sure there are no incorrect parameters passed to the gpg subsystem?
I'm done with this too, because I don't know anything about the interface between gpg and kleopatra.
I've tested here that with an unexpired certificate it worked fine. But trying to sign another certificate with an expired certificate caused the error you've mentioned.
I've now downloaded facebooks certificate and tried to sign that and could reproduce the problem you've described. Kleopatra tells me certificate expired although my own certificate is not expired.
So -> Reopened :-)
The problem is likely that while the primary key is not expired it contains an expired subkey and Kleopatra does not handle this correctly.
There seems to be a subkey in the key I created for myself; however, the "good through date" is the same as the main key. They are both good forever with no expiration date.
I couldn't decide when to expire my key so I selected forever. Is that something not usually done? Well, that's what I did it.
*** Bug 325760 has been marked as a duplicate of this bug. ***
*** Bug 206686 has been marked as a duplicate of this bug. ***
Since my last comment I have stopped using Windows XP (32 bit) due to Google Chrome announcing an end of support date. I installed Windows 7 64-bit on a fresh partition along with Thunderbird, Enigmail and Kleopatra. I've redirected my documents directories to another drive partition, but I have left "documents and settings" alone since it's protected and I haven't blindly followed anyone's hacks yet.
I still get the same error when trying to certify Facebook's public certificate which is the only other certificate besides my own I have stored so far:
The certificate could
not be certified.
My certificate is valid forever, and Facebook's is valid until 2018-05-17; two more years from now.
. . .
I now see under "Technical Details" that Facebook's certificate has a part that will expire on 2016-06-12, two months from now, and a part that expired 2015-11-14, before I started trying to certify the certificate.
Facebook has two fingerprints published--one for the main key and one for an "operational subkey". Instead having only one personal certification for the entirety of Facebook's certificate, it appears that each component part of the certificate should be independently certified with the different published fingerprints. The code in Kleopatra needs to be expanded in this way.
Is encrypted email starting to take off and become ubiquitous now?
I've analyzed this a bit more. Kleopatra is not to blame here I think. As soon as it asks GnuPG "Hey I wish to modify this certificate" GnuPG sends an error "Certificate Expired". I can reproduce it on the command line with GnuPG directly if I call it in a similar way as it is called by Kleopatra.
I've reported this upstream, maybe kleopatra should ignore that error but I find it strange.
Git commit 1bc61d71db86c28c4306aed129f133a2c3cce6e9 by Andre Heinecke.
Committed on 27/06/2016 at 13:07.
Pushed by aheinecke into branch 'master'.
Do not treat KEYEXPIRED as error
GnuPG doc/DETAILS already mentions that this status code
is of limited usefulness as it is emited as soon as one
subkey is expired. So this can't be used as an error indication.
Backport of GpgME Commit: 82d484c8
Merge: None. This needs rev. 3872dcaa to actually make the commands
M +0 -2 src/editinteractor.cpp
This will be fixed in Gpg4win-3.0.0 / The next beta we will release there. (Probably sometime in the next two weeks)
Betas are announced on gpg4win-devel mailing list and can be found under
Thanks for your help reporting this.
I'm still getting this behaviour in Kubuntu 16.04.