Automatic Check of Expiration Date of GPG keys

Automatic Check of Certification Expiration Date

After Heartbleed I wrote a small python script to have an automatic check of certification expiration date. The script is hosted on Github.

GPG Keys

Next to SSL certificates there are also GPG keys that can (but do not have to) have an expiration date. If you manage a lot of (personal or shared) keys it can become difficult to keep track of expired or soon to be expired keys.

Check Expiration Date of GPG keys

So I wrote a similar python script to alert you on expired GPG keys.
The script is also hosted on Github. You can download the raw version at

Initially I thought of writing a script that looked up the expiration date of the keys on a keyserver. This didn’t work. A helpful message on the mailing list explained why :

GPG’s keyserver code is capable of displaying expiration date, if the keyserver provides it. Not all do.

Also note that (as also stated in the mailing list reply), you should not blindly trust the information received from the keyservers.

How does it work?

The script uses python-gnupg, which is nothing more than a python wrapper around GnuPG. In fact if you add verbose=True to the init of the GPG object you get the verbose output that is passed to the GPG binary via the python package.

gpg = gnupg.GPG(gnupghome=gpg_location, verbose=True)

It also needs access to the GPG keyring (that is defined in gpg_location). In order to not overwrite any of the keys you use during your daily work I suggest that you create a separate user (for example gpgtest). Additionally you can also use that user to launch the script via cron (see below).

Inline configuration

The script has a number of inline configuration options.

  • keys_to_check = “cedg.checks” : this is the most important one, it is a text file with the keyids you’d like to check
  • alert_days = 5 : how many days to take into account before alerting
  • mail_rcpt = “<>“ : the recipient of the mail alert
  • mail_from = “<>“ : the sender of the mail alert
  • mail_server = “” : the mail server to use
  • key_server = “” : the keyserver to download the GPG keys from
  • gpg_location = “/home/gpgtest/.gnupg” : the location of the keyring
  • delete_keys = True : delete keys upon startup
  • import_keys = True : import the keys from keyserver
  • simple_output = False : minimal reporting

How do I use it?

First step is to create a user gpgtest and run the script as this user.

Add the keyids you’d like to check to cedg.checks (or the file defined by keys_to_check) and set proper mail recipients, senders and mail server.

There are two ways you can use the script, manually importing the keys and then have them checked or automatically import them from a keyserver. Both have their pros and cons.

Manual checks

If you want to do checks on keys that you manually imported you have to disable deleting keys and doing the import.

delete_keys = False
import_keys = False

The disadvantage is that you have to do key management manually. The advantage is that you can verify them and make sure you are using the proper keys. More trust, less user friendly.

Automatic checks

Alternatively you can always import the key that is available on the keyserver. It is advisable to delete all keys before starting so you always have a fresh set of keys.

delete_keys = True
import_keys = True

The disadvantage is that with this method you trust that the keyserver provided information is correct. The advantage is that you do not have to be concerned about manually importing keys.


Ideally you run this script from cron. For the example below, make sure that the user gpgtest is allowed to run cron jobs (cron.allow)

30 12   * * *   gpgtest    /home/gpgtest/tools/  > /dev/null 2>&1

Example report

This is how an (extended) report looks like

Start with deleting keys
 Delete key ( 4A201BD879E4184E ) [u'US-CERT Security Operations Center <>'] 
 Delete key ( 06AD6EABE96C965B ) [u'US-CERT Information <>'] 
 Delete key ( 7767844F108B7661 ) [u'US-CERT Publications Key <>'] 
 Delete key ( 623F0B8353977C01 ) [u' <>'] 
Key deletion finished

Importing keys
Process key 0x79E4184E :  Imported
Process key 0xE96C965B :  Imported
Process key 0x108B7661 :  Imported
Process key 0x53977C01 :  Imported

Parsing keys
 Key ( 4A201BD879E4184E ) [u'US-CERT Security Operations Center <>'] expires in 147 days (2014-09-30 19:19:34) 
 ** Key ( 06AD6EABE96C965B ) [u'US-CERT Information <>'] has EXPIRED (2013-09-30 21:55:24) **
 ** Key ( 7767844F108B7661 ) [u'US-CERT Publications Key <>'] has EXPIRED (2013-09-30 20:16:51) **
 No expiration date ( 623F0B8353977C01 ) [u' <>'] 

Leave a Reply

Your email address will not be published. Required fields are marked *