
From GnuPG's man page:

[...] the default key is the first key found in the secret keyring.

Are expired keys eligible default keys? Or should I manually set the default key in gpg.conf?

I'm asking this because I've read somewhere the expiration date in OpenPGP is more of a notification mechanism and can be changed even after a key has expired.

Jens Erat
Antoine

1 Answer

I'm asking this because I've read somewhere the expiration date in OpenPGP is more of a notification mechanism and can be changed even after a key has expired.

OpenPGP's expiry date is generally fine, but it is not a security feature (considering the primary key). I discussed the expiry date in depth in Does OpenPGP key expiration add to security?.

Are expired keys eligible default keys?

This can easily be tested by generating two keys, the first expiring the next day, the other without an expiry date. faketime allows you to travel into the future without fiddling with your system time.

$ gpg -K
sec   1024R/644AC000 2016-07-09 [expires: 2016-07-10]
uid                  Foo Bar <foo@example.org>

sec   1024R/0457686A 2016-07-09
uid                  Batz Quix <batz@example.net>

Using the default key for signing, immediately after key creation:

$ echo foo | gpg --sign

You need a passphrase to unlock the secret key for
user: "Foo Bar <foo@example.org>"
1024-bit RSA key, ID 644AC000, created 2016-07-09

Now let's travel in time and see what happens the day after tomorrow:

$ echo foo | faketime '2 days' gpg --sign

You need a passphrase to unlock the secret key for
user: "Batz Quix <batz@example.net>"
1024-bit RSA key, ID 0457686A, created 2016-07-09

Or should I manually set the default key in gpg.conf?

Just to be sure, I'd do so anyway: barely any effort, and better have GnuPG fail with an error message than doing "weird stuff" just because the system time was wrong or something like this. And as you're at it, use the full fingerprint -- especially short key IDs (as listed in the example output above) are insecure.

Jens Erat
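The selection rule the answer demonstrates with faketime (the first secret key that has not expired is used as default), rerun offline on machine-readable listing output, as an added example that is not part of the answer above. It assumes `gpg -K --with-colons` output; the listing embedded here is constructed sample data, and the fingerprints are placeholders that merely end in the short key IDs from the answer.

```shell
#!/bin/sh
# Constructed sample of `gpg -K --with-colons` output for the two keys in the
# answer. Field 2 is validity (r = revoked), field 7 the expiration time as
# seconds since the epoch (empty = never). 1468022400 is 2016-07-09 00:00 UTC,
# 1468108800 is 2016-07-10 00:00 UTC. The fpr record carries the fingerprint.
SAMPLE_LISTING='sec:u:1024:1:89ABCDEF644AC000:1468022400:1468108800::u:::scESC:::+:::23::0:
fpr:::::::::00000000000000000000000089ABCDEF644AC000:
uid:u::::1468022400::0000000000000000000000000000000000000000::Foo Bar <foo@example.org>::::::::::0:
sec:u:1024:1:89ABCDEF0457686A:1468022400::::::scESC:::+:::23::0:
fpr:::::::::00000000000000000000000089ABCDEF0457686A:
uid:u::::1468022400::0000000000000000000000000000000000000000::Batz Quix <batz@example.net>::::::::::0:'

# default_key_at NOW  (listing on stdin)
# Mimics the behaviour shown in the answer: walk the secret keys in keyring
# order, skip any that are revoked or whose expiration lies at or before NOW,
# and print the first remaining key as a "default-key <full fingerprint>" line
# ready for gpg.conf. Exit status 1 means every secret key is unusable, which
# is exactly the situation where an explicit default-key turns silent
# fallback into a clear error.
default_key_at() {
    awk -F: -v now="$1" '
        $1 == "sec" { want = ($2 != "r" && ($7 == "" || $7 + 0 > now + 0)) }
        $1 == "fpr" && want { print "default-key " $10; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Right after creation (one hour in): the first key, as in the answer.
printf '%s\n' "$SAMPLE_LISTING" | default_key_at 1468026000
# Two days later, like `faketime '2 days'`: the expired key is skipped.
printf '%s\n' "$SAMPLE_LISTING" | default_key_at 1468195200
```

Feed real data with `gpg -K --with-colons | default_key_at "$(date +%s)"`; if it prints the key you expect, paste that line into gpg.conf so the choice no longer depends on the clock.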