GnuPG is a powerful cryptographic tool that enjoys widespread support by F/LOSS mail user agents. However, due to a lack of conventional public key management it is plagued by key-related issues. One such issue is the expiry of GnuPG keys, which often goes unnoticed by affected messaging partners until such time when it actually disturbs messaging between them.
The way user agents handle key expiry situations can roughly be described as follows:
(i) If the GnuPG key of a sender of a message is expired, user agents can not regard it as valid, and the attempt to sign the message using the sender’s key will fail. Once the GnuPG key of a user has expired the user will realize this situation without an external alerting mechanism only when trying to sign a message.
(ii) If the GnuPG key of an intended recipient of a message is expired, user agents can not regard it as valid; the attempt to encrypt a message using an expired key of a recipient will fail. Also, the sending of an encrypted message to multiple recipients, where a subset of the recipients feature expired public keys, can be blocked. Other users will realize this situation once they try to send an encrypted message to the user in question.
In the proposed setup specific GnuPG keys (specified using a list of key IDs) stored in ~/.gnupg are scanned periodically. The scan is repeated daily, at 11 A.M. local time (which can be changed to whatever systemd timers support). The tolerated remaining validity will be set to „more than 30 days“ (this, too, can easily be set to a different value).