Hi,
I had my GPG key expire recently and after updating the expiry date I can no longer read my secring.gpg. Here's a test app I wrote
Which explodes like this:
$ go run secring.go
panic: openpgp: invalid data: user ID self-signature invalid: openpgp: invalid signature: hash tag doesn't match
goroutine 1 [running]:
main.main()
/Users/james/Development/Projects/goplay/secring.go:25 +0x237
goroutine 17 [syscall, locked to thread]:
runtime.goexit()
/usr/local/Cellar/go/1.4.2/libexec/src/runtime/asm_amd64.s:2232 +0x1
exit status 2
Exit 1
I can still use the cmdline gpg tools (encrypting and decrypting), so I'm thinking this is either something non-standard that GPG is using or a bug in the library?
I traced it back to here, but I don't know enough about OpenPGP.
A key's expiration time is associated with the key's self-signature. The expiration time is updated by deleting the old self-signature and adding a new self-signature. Since correspondents will not have deleted the old self-signature, they will see an additional self-signature on the key when they update their copy of your key. The latest self-signature takes precedence, however, so all correspondents will unambiguously know the expiration times of your keys.
Any ideas?
Thanks
James