How to Fix an Expired GPG Key

DodaTech Updated 2026-06-24 3 min read

This tutorial shows how to fix an expired GPG key by extending its expiry date, distributing the updated public key, and preventing the problem from recurring.

The Problem

Your GPG key has expired and you cannot sign commits, decrypt files, or verify signatures. The error message says "gpg: key ABC12345: secret key without public key" or "gpg: WARNING: key ABC12345 has expired". An expired key does not break existing encrypted data but prevents new operations.

Quick Fix

Step 1: Check Key Expiry

gpg --list-keys --keyid-format=long
# pub   rsa4096/ABC12345 2022-06-24 [expired: 2025-06-24]
# uid         [ expired] Your Name <you@example.com>

Step 2: Edit the Key to Extend Expiry

WRONG — generating a new key (loses existing signatures and trust):

gpg --full-generate-key
# (creates a new key, but all existing encrypted files need re-encryption)

RIGHT — extend the existing key:

gpg --edit-key ABC12345

At the gpg> prompt:

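# With no subkey selected, expire changes the primary key.
# To extend a subkey instead, select it first (for example: key 1).
gpg> expire
# gpg asks: Key is valid for? (0)
# Enter 1y for one year from now, or 0 for no expiry
1y
# Key expires at Thu Jun 24 12:00:00 2027 UTC
# Is this correct? (y/N) y
gpg> save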

Step 3: Verify the Updated Expiry

gpg --list-keys --keyid-format=long you@example.com
# pub   rsa4096/ABC12345 2022-06-24 [expires: 2027-06-24]
# uid         [  ultimate ] Your Name <you@example.com>

Step 4: Export and Upload the Updated Key

gpg --armor --export ABC12345 > updated-public-key.asc
gpg --keyserver keyserver.ubuntu.com --send-keys ABC12345
# gpg: sending key ABC12345 to hkp://keyserver.ubuntu.com

Step 5: Import on Other Machines

gpg --import updated-public-key.asc
# gpg: key ABC12345: "Your Name <you@example.com>" not changed
# gpg: Total number processed: 1

If the key is still shown as expired, the local copy has old expiry data. Refresh from the keyserver:

gpg --refresh-keys
# gpg: refreshing 1 keys from hkp://keyserver.ubuntu.com
# gpg: key ABC12345: "Your Name <you@example.com>" not changed

DodaTech's Key Manager integrates with GPG to monitor key expiry and automate renewal workflows across your team.

Prevention

  • Set keys to expire within 1-2 years, not "never."
  • Create a calendar reminder 30 days before expiry.
  • Maintain a revocation certificate for emergency key replacement.
  • Upload updated keys immediately after extending expiry.
  • Store the expiry extension command in your runbook.
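
The 30-day reminder above can be backed by a scheduled check. The script below is an added example, not part of the original tutorial: it parses the machine-readable listing from gpg --list-keys --with-colons and reports keys that are expired or expire within a warning window. The function names, key IDs and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report keys that are expired or close to expiry.
# Input on stdin: output of `gpg --list-keys --with-colons`.
# Colon format (GnuPG doc/DETAILS): field 1 = record type, field 2 = validity
# ("e" = expired), field 5 = key ID, field 7 = expiry in epoch seconds
# (empty when the key never expires).

# expiring_keys NOW_EPOCH WARN_DAYS   (hypothetical helper name)
expiring_keys() {
    awk -F: -v now="$1" -v days="$2" '
        $1 == "pub" || $1 == "sub" {
            if ($7 == "") next                      # no expiry set
            left = int(($7 - now) / 86400)          # whole days remaining
            if ($2 == "e" || $7 <= now)
                printf "%s %s EXPIRED\n", $1, $5
            else if (left <= days)
                printf "%s %s expires-in-%dd\n", $1, $5, left
        }'
}

# Constructed sample listing (key IDs and dates are made up):
#   1111... expired 2025-06-24, 2222... expires 2027-06-24,
#   3333... subkey with a distant expiry, 4444... no expiry.
sample_listing() {
    cat <<'EOF'
pub:e:4096:1:1111111111111111:1656028800:1750723200::u:::sc:
uid:e::::1656028800::::Your Name <you@example.com>:
pub:u:4096:1:2222222222222222:1656028800:1813795200::u:::scESC:
sub:u:4096:1:3333333333333333:1656028800:1847491200:::::e:
pub:u:255:22:4444444444444444:1656028800:::u:::scESC:
EOF
}

# Demo on the sample. In real use, from cron or CI:
#   gpg --list-keys --with-colons | expiring_keys "$(date +%s)" 30
sample_listing | expiring_keys "$(date +%s)" 30
```

Any output line is a key that needs the Step 2 extension; an empty result means nothing expires within the window.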

FAQ

Can I use an expired key to decrypt old files?

Yes, encrypted data is not affected by key expiry. The expiry only prevents new signing and encryption operations. You can always decrypt files that were encrypted before the key expired. Extending the expiry restores full functionality.

What happens to Git commits signed with an expired key?

Commits remain valid and show as "Good signature" with a warning about the expired key. Git does not retroactively invalidate signatures. To avoid warnings, extend the key expiry before it expires.

How do I extend expiry without the private key?

You cannot. Extending key expiry requires the private key passphrase. If the private key is lost, generate a new key pair and have others sign your new key to rebuild trust.
