How to force gpg2 to use an expired key?

$ gpg -ear XXXXXXX
gpg: XXXXXXXX: skipped: unusable public key

$ gpg --debug-ignore-expiration -ear XXXXXXXX
gpg: Invalid option "--debug-ignore-expiration"

How to encrypt? There are no updates for the key available from keyservers. Messages should be seen if the user still has that expired key, or not seen at all.

Is there some --just-do-that-I-want option that will allow me to do this without changing the source code of GPG?


Solution 1:

As @rob suggested in comments, libfaketime handles this well:

$ gpg  -v -v -v --batch --trust-model always -ear D5B9D38C <<< "qweqe"
gpg: using character set 'utf-8'
gpg: Note: signature key 077EA269D5B9D38C expired Sun 09 Nov 2014 12:57:25 PM +03
gpg: D5B9D38C: skipped: Unusable public key
gpg: [stdin]: encryption failed: Unusable public key

$ faketime  '2012-12-24 08:15:42'  gpg  -v -v -v --batch --trust-model always -ear D5B9D38C <<< "qweqe"
gpg: using character set 'utf-8'
gpg: using subkey 85231B396B9569ED instead of primary key 077EA269D5B9D38C
gpg: No trust check due to '--trust-model always' option
gpg: reading from '[stdin]'
gpg: writing to stdout
gpg: RSA/AES256 encrypted for: "..."
-----BEGIN PGP MESSAGE-----
...

Old answer:

  1. Start UML (user mode linux)
  2. Set date inside UML to acceptable range.
  3. Encrypt message in UML

Solution 2:

Use the --faked-system-time option:

gpg2 --faked-system-time 20100101T000000 -e -r keyid

I would prefer an option that would force encryption to an expired key while also recording the correct time (especially when signing).
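
Added example, not part of the answers on this page: a shell function that reads `gpg --with-colons --list-keys` output and picks a `--faked-system-time` value one second before the encryption key's expiry, refusing when an unexpired encryption key exists. The function names and the sample listing are constructed for illustration, and timestamps in the listing are assumed to be epoch seconds.

```shell
#!/bin/sh
# Added example: pick a --faked-system-time value from a gpg colon listing.
# Fields read: 1=record type, 2=validity, 5=key ID, 6=created, 7=expires,
# 12=capabilities. Assumption: times are epoch seconds (gpg2 default output).

# Constructed sample listing; key IDs, dates and user ID are made up.
sample_listing() {
cat <<'EOF'
pub:e:2048:1:1111111111111111:1352455045:1415527045::-:::sc::::::23::0:
uid:e::::1352455045::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:e:2048:1:2222222222222222:1352455045:1415527045:::::e::::::23:
EOF
}

# faked_time_for NOW  (colon listing on stdin)
# Prints "<keyid> <epoch>": the encryption-capable key that expired most
# recently and a time one second before its expiry.
# Exit 1: an unexpired encryption key exists, so no faked clock is needed.
# Exit 2: no expired encryption-capable key was found.
faked_time_for() {
    awk -F: -v now="$1" '
        # Lowercase "e" in field 12 = this key itself can encrypt.
        # Skip revoked (r) and disabled (d) keys.
        ($1 == "pub" || $1 == "sub") && $12 ~ /e/ && $2 != "r" && $2 != "d" {
            if ($7 == "" || $7 + 0 > now + 0) { usable = 1 }
            else if ($7 + 0 > best) { best = $7 + 0; id = $5; created = $6 + 0 }
        }
        END {
            if (usable) exit 1
            if (!best || best - 1 <= created) exit 2
            printf "%s %d\n", id, best - 1
        }'
}

# Demo on the constructed listing, with "now" fixed at 1700000000.
sample_listing | faked_time_for 1700000000

# Against a real keyring (not run here; $recipient is a placeholder):
#   t=$(gpg --with-colons --list-keys "$recipient" \
#         | faked_time_for "$(date +%s)") &&
#   gpg --faked-system-time "${t#* }" --trust-model always -ear "$recipient"
```

Everything gpg writes under the faked clock, including signature creation times, carries the faked time, which is the drawback noted in the answer above.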

Solution 3:

Reset hardware and system clock:

sudo hwclock --set --date "12/31/2017 23:59:59" && \
sudo hwclock --hctosys && \
gpg --sign-with "$keyid" --clearsign --armor < "$file"

Afterwards (I hope you have NTP enabled) fix your hardware clock with:

sudo hwclock --systohc