[Pkg-gnupg-maint] Bug#433091: Clone+Reassign to gpgv of #433091 apt-get: ignores expiry of archive keys

Goswin von Brederlow goswin-v-b at web.de
Thu Sep 4 16:47:10 UTC 2008


Hi,

I just cloned and reassigned your bug about apt-get ignoring expired
keys. apt-get forks gpgv to do the actual verification and that gives
no indication of any expiry. So apt-get has no chance to detect and
warn about such an event.

mrvn at book:% sudo gpgv --keyring etc/apt/trusted.gpg var/lib/apt/lists/localhost_debian_dists_sid_Release.gpg var/lib/apt/lists/localhost_debian_dists_sid_Release
gpgv: Signature made Tue Sep  2 18:08:46 2008 CEST using RSA key ID F583D700
gpgv: Good signature from "Tester (test key) <test at noreply.org>"


mrvn at book:/% sudo gpg --keyring etc/apt/trusted.gpg --verify var/lib/apt/lists/localhost_debian_dists_sid_Release.gpg var/lib/apt/lists/localhost_debian_dists_sid_Release
gpg: WARNING: unsafe ownership on configuration file `/home/mrvn/.gnupg/gpg.conf'
gpg: Signature made Tue Sep  2 18:08:46 2008 CEST using RSA key ID F583D700
gpg: Good signature from "Tester (test key) <test at noreply.org>"
gpg: Note: This key has expired!
Primary key fingerprint: 317C B6A2 20E3 D9DF BE98  0264 1E34 EFC0 F583 D700
mrvn at book:/% echo $?
0

Note that gpg does not fail the signature just because it has expired,
even if the signature is made after the expiry date of the key. The
signature was made when the key was still valid so it gets accepted.


MfG
        Goswin
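
Added example, not part of the original mail and not apt or GnuPG code: one way for a caller to avoid relying on the exit code or the human-readable text is to parse the machine-readable lines from --status-fd and accept only a plain GOODSIG. It assumes the verifier emits EXPKEYSIG for an expired key, which the mail does not establish for the gpgv version tested; the function name and sample lines are constructed.

```shell
#!/bin/sh
# Added example. Reads GnuPG status lines (gpg/gpgv --status-fd) on stdin,
# prints a verdict, and returns 0 only for a good signature whose key is
# neither expired nor revoked. Human-readable "gpgv: ..." lines are ignored.
sig_verdict() {
    good=0 expkey=0 expsig=0 revkey=0 bad=0
    while read -r prefix keyword _rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            GOODSIG)                 good=1 ;;
            EXPKEYSIG)               expkey=1 ;;  # good signature, expired key
            EXPSIG)                  expsig=1 ;;  # good signature, signature expired
            REVKEYSIG)               revkey=1 ;;  # good signature, revoked key
            BADSIG|ERRSIG|NO_PUBKEY) bad=1 ;;
        esac
    done
    if   [ "$bad" -eq 1 ];    then echo bad;          return 2
    elif [ "$revkey" -eq 1 ]; then echo key-revoked;  return 1
    elif [ "$expkey" -eq 1 ]; then echo key-expired;  return 1
    elif [ "$expsig" -eq 1 ]; then echo sig-expired;  return 1
    elif [ "$good" -eq 1 ];   then echo good;         return 0
    else                           echo no-signature; return 2
    fi
}

# Constructed sample input (long key ID taken from the fingerprint in the mail).
SAMPLE_EXPIRED='gpgv: Good signature from "Tester (test key) <test at noreply.org>"
[GNUPG:] EXPKEYSIG 1E34EFC0F583D700 Tester (test key) <test at noreply.org>'
SAMPLE_GOOD='[GNUPG:] GOODSIG 1E34EFC0F583D700 Tester (test key) <test at noreply.org>'

# Real use (KEYRING, SIG and FILE are placeholders):
#   gpgv --status-fd 1 --keyring KEYRING SIG FILE 2>/dev/null | sig_verdict
```
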
