Could not verify server key - expired subkey

Checklist
[x] I have read intro post
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
[x] I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to trouble shoot the problem
[x] I describe the steps on how to reproduce the issue

Hello,
My issue is almost the same as this one, "Could not verify server key - did the key expire?", but only the subkey is expired:

/var/www/passbolt/config/gpg/serverkey.asc:
pub rsa2048 2016-05-18 [SC]
123456789012345ASDASDADF35354665776
uid foobar foobar@example.com
sub rsa2048 2016-05-18 [E] [expired: 2020-05-17]

My question is whether it's necessary for all users to perform the recovery procedure after removing the expiration from the subkey, or if it can be done silently?

Hi @molik,

You can first remove the expiration on the subkey on the server. The users will be able to log in using the quick access but not the mail screen.

We have rolled out a new version of the extension (2.12.3) which will not block the login when the key is expired on the client side but not the server side, and allows updating the server key without asking the clients to do a full recovery. Unfortunately the extension is still pending Google review on the Chrome Webstore. They seem to have issues with staffing to validate extensions since the crisis began…

P.S. This is what the screen should look like for your users when you update the key:

Screenshot 2020-05-18 at 12.26.12

Thank you for the quick answer. If I understand correctly, the Firefox extension should already be capable of this since it's version 2.12.3?

Yes, the new version is available for Firefox users. In order for the change to be triggered you must modify the expiry date in the server keyring and also place the new non-expired key on file (in config/gpg), e.g. replace the original public key that is advertised by the server.
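
A check for the step described in the last reply, as an added example that is not part of the original thread: it reads a GnuPG colon listing and reports every primary key or subkey that is expired, so the key file in config/gpg can be verified before and after the expiry is changed. The function name, the sample listing and its key IDs are constructed for illustration, and GnuPG 2.x colon output (expiry as epoch seconds in field 7) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): find expired keys/subkeys in a
# GnuPG colon listing. Real use, with the path quoted in the first post:
#   gpg --show-keys --with-colons /var/www/passbolt/config/gpg/serverkey.asc | expired_keys

# expired_keys [NOW_EPOCH]   (hypothetical helper name)
# Reads --with-colons records on stdin and prints "TYPE KEYID CAPS EXPIRES"
# for each expired pub/sub record. Returns 1 if any was found, else 0.
expired_keys() {
    now=${1:-$(date +%s)}
    awk -F: -v now="$now" '
        $1 == "pub" || $1 == "sub" {
            # field 2  = validity ("e" means expired)
            # field 5  = key ID
            # field 7  = expiry in epoch seconds, empty when the key never expires
            # field 12 = capabilities (s=sign, c=certify, e=encrypt)
            # The date is compared as well, in case the validity flag is not set.
            if ($2 == "e" || ($7 != "" && $7 + 0 <= now + 0)) {
                print $1, $5, $12, $7
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample shaped like the key in the post: a primary [SC] key with
# no expiry and an [E] subkey that expired on 2020-05-17. Key IDs are placeholders.
SAMPLE='pub:-:2048:1:AAAAAAAAAAAAAAAA:1463529600:::-:::scSC:
sub:e:2048:1:BBBBBBBBBBBBBBBB:1463529600:1589673600:::::e:'

# Demo with "now" fixed to 2020-05-18 so the result is reproducible.
printf '%s\n' "$SAMPLE" | expired_keys 1589760000 \
    || echo "expired key material found in listing"
```

Run it against the exported public key after changing the expiry: an empty result with exit status 0 means the file no longer advertises an expired subkey.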
