Monitoring Expiry of GPG Keys

I’ve been using a small script to monitor when my PGP master and subkeys expire for a while now. You just supply it with an email address which can be used to locate the private key in your GnuPG keyring, and the number of days before expiry you want to start being alerted. It prints out nothing unless your key is within that expiry period range. You may find it useful:

#!/usr/bin/env perl
use strict;
use warnings;
use POSIX qw( mktime );

my $today = mktime(0,0,12,(localtime())[3..5]);

my @email   = grep( !/^\d+$/, @ARGV );
my( $days ) = grep( /^\d+$/,  @ARGV );

my %done = ();
foreach my $email (@email) {
  foreach my $line (split(/\r?\n/,`gpg --list-sigs $email 2>/dev/null`)) {
    next unless $line =~ /^([sp]ub) .+ \S+\/(\S+) \S+ \[expire[ds]: (\d+)-(\d+)-(\d+)\]$/;
    my( $type, $id, $expires ) = ( $1, $2, mktime(0,0,12,$5,$4-1,$3-1900) );

    next if exists $done{$id};
    $done{$id}=1;

    my $remaining = int(($expires - $today)/86400);
    if (!defined $days || $remaining <= $days) {
      print "PGP ${type}key $id expires in $remaining days ($email)\n";
    }
  }
}

My cron job runs daily and warns me when I’m within a week of expiry:

5 5 * * *   check_gpg_expiry.pl 7 mike.cardwell@example.com

Print Share Comment Cite Upload Translate

APA

() » Monitoring Expiry of GPG Keys. Retrieved from https://www.truth.cx/2017/07/28/monitoring-expiry-of-gpg-keys/.

MLA

" » Monitoring Expiry of GPG Keys." - , https://www.truth.cx/2017/07/28/monitoring-expiry-of-gpg-keys/

HARVARD

» Monitoring Expiry of GPG Keys., viewed ,

VANCOUVER

- » Monitoring Expiry of GPG Keys. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2017/07/28/monitoring-expiry-of-gpg-keys/

CHICAGO

" » Monitoring Expiry of GPG Keys." - Accessed . https://www.truth.cx/2017/07/28/monitoring-expiry-of-gpg-keys/

IEEE

" » Monitoring Expiry of GPG Keys." [Online]. Available: https://www.truth.cx/2017/07/28/monitoring-expiry-of-gpg-keys/. [Accessed: ]

Select a language: Afrikaans Albanian Arabic Armenian Basque Bengali Bulgarian Catalan Cambodian Chinese (Mandarin) Croatian Czech Danish Dutch English Estonian Fiji Finnish French Georgian German Greek Gujarati Hebrew Hindi Hungarian Icelandic Indonesian Irish Italian Japanese Javanese Korean Latin Latvian Lithuanian Macedonian Malay Malayalam Maltese Maori Marathi Mongolian Nepali Norwegian Persian Polish Portuguese Punjabi Quechua Romanian Russian Samoan Serbian Slovak Slovenian Spanish Swahili Swedish Tamil Tatar Telugu Thai Tibetan Tonga Turkish Ukrainian Urdu Uzbek Vietnamese Welsh Xhosa <p><span contenteditable="true">I’ve been using a small script to monitor when my PGP master and subkeys expire for a while now. You just supply it with an email address which can be used to locate the private key in your <a href="https://gnupg.org/">GnuPG</a> keyring, and the number of days before expiry you want to start being alerted. It prints out nothing unless your key is within that expiry period range. You may find it useful:</span></p> <pre><code class="lang-perl"><span class="hljs-comment">#!/usr/bin/env perl</span> <span class="hljs-keyword">use</span> strict; <span class="hljs-keyword">use</span> warnings; <span class="hljs-keyword">use</span> POSIX <span class="hljs-string">qw( mktime )</span>; <span class="hljs-keyword">my</span> $today = mktime(<span class="hljs-number">0</span>,<span class="hljs-number">0</span>,<span class="hljs-number">12</span>,(<span class="hljs-keyword">localtime</span>())[<span class="hljs-number">3</span>..<span class="hljs-number">5</span>]); <span class="hljs-keyword">my</span> @email = <span class="hljs-keyword">grep</span>( !<span class="hljs-regexp">/^\d+$/</span>, @ARGV ); <span class="hljs-keyword">my</span>( $days ) = <span class="hljs-keyword">grep</span>( <span class="hljs-regexp">/^\d+$/</span>, @ARGV ); <span class="hljs-keyword">my</span> %done = (); <span class="hljs-keyword">foreach</span> <span class="hljs-keyword">my</span> $email (@email) { <span class="hljs-keyword">foreach</span> <span class="hljs-keyword">my</span> $line (<span class="hljs-keyword">split</span>(<span class="hljs-regexp">/\r?\n/</span>,<span class="hljs-string">`gpg --list-sigs $email 2>/dev/null`</span>)) { <span class="hljs-keyword">next</span> <span class="hljs-keyword">unless</span> $line =~ <span class="hljs-regexp">/^([sp]ub) .+ \S+\/(\S+) \S+ \[expire[ds]: (\d+)-(\d+)-(\d+)\]$/</span>; <span class="hljs-keyword">my</span>( $type, $id, $expires ) = ( $1, $2, mktime(<span class="hljs-number">0</span>,<span class="hljs-number">0</span>,<span class="hljs-number">12</span>,$5,$4-<span class="hljs-number">1</span>,$3-<span class="hljs-number">1900</span>) ); <span class="hljs-keyword">next</span> <span class="hljs-keyword">if</span> <span class="hljs-keyword">exists</span> $done{$id}; $done{$id}=<span class="hljs-number">1</span>; <span class="hljs-keyword">my</span> $remaining = <span class="hljs-keyword">int</span>(($expires - $today)/<span class="hljs-number">86400</span>); <span class="hljs-keyword">if</span> (!<span class="hljs-keyword">defined</span> $days || $remaining <= $days) { <span class="hljs-keyword">print</span> <span class="hljs-string">"PGP <span class="hljs-subst">${type}</span>key $id expires in $remaining days ($email)\n"</span>; } } } </code></pre> <p>My cron job runs daily and warns me when I’m within a week of expiry:</p> <pre><code class="lang-cron"><span class="hljs-symbol">5 </span><span class="hljs-number">5</span> * * * check_gpg_expiry.pl <span class="hljs-number">7</span> mike.cardwell@example.<span class="hljs-keyword">com</span> </code></pre> <p><a href="https://www.grepular.com/redir?key=amazon_pgp_and_gpg" title="PGP & GPG: Email for the Practical Paranoid"><img src="https://www.grepular.com/images/amazon/pgp_and_gpg.jpg" alt=""></a></p> First name:

Last name: