Automatic Check of Certification Expiration Date
Next to SSL certificates there are also GPG keys that can (but do not have to) have an expiration date. If you manage a lot of (personal or shared) keys it can become difficult to keep track of expired or soon to be expired keys.
Check Expiration Date of GPG keys
So I wrote a similar python script to alert you on expired GPG keys.
The script is also hosted on Github. You can download the raw version at https://github.com/cudeso/tools/blob/master/cedg.py.
Initially I thought of writing a script that looked up the expiration date of the keys on a keyserver. This didn’t work. A helpful message on the mailing list explained why :
GPG’s keyserver code is capable of displaying expiration date, if the keyserver provides it. Not all do.
Also note that (as also stated in the mailing list reply), you should not blindly trust the information received from the keyservers.
How does it work?
The script uses python-gnupg, which is nothing more than a python wrapper around GnuPG. In fact if you add verbose=True to the init of the GPG object you get the verbose output that is passed to the GPG binary via the python package.
gpg = gnupg.GPG(gnupghome=gpg_location, verbose=True)
It also needs access to the GPG keyring (that is defined in gpg_location). In order to not overwrite any of the keys you use during your daily work I suggest that you create a separate user (for example gpgtest). Additionally you can also use that user to launch the script via cron (see below).
The script has a number of inline configuration options.
- keys_to_check = “cedg.checks” : this is the most important one, it is a text file with the keyids you’d like to check
- alert_days = 5 : how many days to take into account before alerting
- mail_rcpt = “<>“ : the recipient of the mail alert
- mail_from = “<>“ : the sender of the mail alert
- mail_server = “127.0.0.1” : the mail server to use
- key_server = “keyserver.ubuntu.com” : the keyserver to download the GPG keys from
- gpg_location = “/home/gpgtest/.gnupg” : the location of the keyring
- delete_keys = True : delete keys upon startup
- import_keys = True : import the keys from keyserver
- simple_output = False : minimal reporting
How do I use it?
First step is to create a user gpgtest and run the script as this user.
Add the keyids you’d like to check to cedg.checks (or the file defined by keys_to_check) and set proper mail recipients, senders and mail server.
There are two ways you can use the script, manually importing the keys and then have them checked or automatically import them from a keyserver. Both have their pros and cons.
If you want to do checks on keys that you manually imported you have to disable deleting keys and doing the import.
delete_keys = False import_keys = False
The disadvantage is that you have to do key management manually. The advantage is that you can verify them and make sure you are using the proper keys. More trust, less user friendly.
Alternatively you can always import the key that is available on the keyserver. It is advisable to delete all keys before starting so you always have a fresh set of keys.
delete_keys = True import_keys = True
The disadvantage is that with this method you trust that the keyserver provided information is correct. The advantage is that you do not have to be concerned about manually importing keys.
Ideally you run this script from cron. For the example below, make sure that the user gpgtest is allowed to run cron jobs (cron.allow)
30 12 * * * gpgtest /home/gpgtest/tools/cedg.py > /dev/null 2>&1
This is how an (extended) report looks like
Start with deleting keys Delete key ( 4A201BD879E4184E ) [u'US-CERT Security Operations Center <email@example.com>'] Delete key ( 06AD6EABE96C965B ) [u'US-CERT Information <firstname.lastname@example.org>'] Delete key ( 7767844F108B7661 ) [u'US-CERT Publications Key <email@example.com>'] Delete key ( 623F0B8353977C01 ) [u'CERT.be <firstname.lastname@example.org>'] Key deletion finished Importing keys Process key 0x79E4184E : Imported Process key 0xE96C965B : Imported Process key 0x108B7661 : Imported Process key 0x53977C01 : Imported Parsing keys Key ( 4A201BD879E4184E ) [u'US-CERT Security Operations Center <email@example.com>'] expires in 147 days (2014-09-30 19:19:34) ** Key ( 06AD6EABE96C965B ) [u'US-CERT Information <firstname.lastname@example.org>'] has EXPIRED (2013-09-30 21:55:24) ** ** Key ( 7767844F108B7661 ) [u'US-CERT Publications Key <email@example.com>'] has EXPIRED (2013-09-30 20:16:51) ** No expiration date ( 623F0B8353977C01 ) [u'CERT.be <firstname.lastname@example.org>']