[Pkg-gnupg-maint] Bug#497825: Clone+Reassign to gpgv of #433091 apt-get: ignores expiry of archive keys

Peter Palfrader weasel at debian.org
Mon Apr 6 00:26:35 UTC 2009


Goswin von Brederlow wrote on Thursday, 04 September 2008:

> mrvn at book:% sudo gpgv --keyring etc/apt/trusted.gpg var/lib/apt/lists/localhost_debian_dists_sid_Release.gpg var/lib/apt/lists/localhost_debian_dists_sid_Release
> gpgv: Signature made Tue Sep  2 18:08:46 2008 CEST using RSA key ID F583D700
> gpgv: Good signature from "Tester (test key) <test at noreply.org>"

Stop abusing my domain name.  example.{com,org,net} is what you were
looking for.

> mrvn at book:/% sudo gpg --keyring etc/apt/trusted.gpg --verify var/lib/apt/lists/localhost_debian_dists_sid_Release.gpg var/lib/apt/lists/localhost_debian_dists_sid_Release
> gpg: WARNING: unsafe ownership on configuration file
> `/home/mrvn/.gnupg/gpg.conf'
> gpg: Signature made Tue Sep  2 18:08:46 2008 CEST using RSA key ID F583D700
> gpg: Good signature from "Tester (test key) <test at noreply.org>"
> gpg: Note: This key has expired!
> Primary key fingerprint: 317C B6A2 20E3 D9DF BE98  0264 1E34 EFC0 F583 D700
> mrvn at book:/% echo $?
> 0
> 
> Note that gpg does not fail the signature just because it has expired,
> even if the signature is made after the expiry date of the key. The
> signature was made when the key was still valid so it gets accepted.

I don't think that's correct.

| weasel at intrepid:~/tmp/g$ gpgv --keyring ./pubring.gpg  Release.gpg Release
| gpgv: Signature made Mon Apr  6 01:42:33 2009 CEST using DSA key ID BD2B0EE0
| gpgv: Good signature from "db.debian.org archive key 2008"
| weasel at intrepid:~/tmp/g$ echo $?
| 0

| weasel at intrepid:~/tmp/g$ gpg --status-fd=2 --verify Release.gpg Release
| gpg: WARNING: unsafe permissions on homedir `.'
| gpg: Signature made Mon Apr  6 01:42:33 2009 CEST using DSA key ID BD2B0EE0
| [GNUPG:] KEYEXPIRED 1238972541
| [GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
| [GNUPG:] SIG_ID ku+8oeaPmKjRxDvpydIDp9yPiss 2009-04-05 1238974953
| [GNUPG:] EXPKEYSIG BEA7CF10BD2B0EE0 db.debian.org archive key 2008
| gpg: Good signature from "db.debian.org archive key 2008"
| [GNUPG:] VALIDSIG 41A8A518BF62877513FE798FBEA7CF10BD2B0EE0 2009-04-05 1238974953 0 4 0 17 2 00 41A8A518BF62877513FE798FBEA7CF10BD2B0EE0
| gpg: Note: This key has expired!
| Primary key fingerprint: 41A8 A518 BF62 8775 13FE  798F BEA7 CF10 BD2B 0EE0

No GOODSIG.

So gpgv considers a signature valid that gpg doesn't.  That in itself
should be a grave bug.

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
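The difference Peter points out is visible only in the machine-readable `--status-fd` lines: the expired key still yields `VALIDSIG`, but `EXPKEYSIG` replaces `GOODSIG`. The following is an added example (not code from the thread, apt or GnuPG) showing how a consumer of that output should classify it; the accept/reject keyword sets are an assumed policy, and the sample transcript is constructed from the status lines quoted above.

```python
import re

# Constructed transcript: the [GNUPG:] status lines quoted in the bug report,
# i.e. a good signature made with a key that had already expired.
EXPIRED_KEY_RUN = """\
gpg: Signature made Mon Apr  6 01:42:33 2009 CEST using DSA key ID BD2B0EE0
[GNUPG:] KEYEXPIRED 1238972541
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID ku+8oeaPmKjRxDvpydIDp9yPiss 2009-04-05 1238974953
[GNUPG:] EXPKEYSIG BEA7CF10BD2B0EE0 db.debian.org archive key 2008
gpg: Good signature from "db.debian.org archive key 2008"
[GNUPG:] VALIDSIG 41A8A518BF62877513FE798FBEA7CF10BD2B0EE0 2009-04-05 1238974953 0 4 0 17 2 00 41A8A518BF62877513FE798FBEA7CF10BD2B0EE0
"""

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")
# Assumed policy: any of these means the signature must not be trusted,
# even though gpg still prints "Good signature" for EXPKEYSIG.
REJECT = {"EXPKEYSIG", "EXPSIG", "REVKEYSIG", "BADSIG", "ERRSIG", "NO_PUBKEY"}

def status_lines(transcript):
    """Yield (keyword, arguments) for each [GNUPG:] line, ignoring stderr prose."""
    for line in transcript.splitlines():
        m = STATUS_RE.match(line)
        if m:
            yield m.group(1), m.group(2) or ""

def verdict(transcript):
    """'good' only if GOODSIG and VALIDSIG both appear and nothing in REJECT does.
    Checking VALIDSIG alone would accept the expired-key run above, which is
    effectively the gpgv behaviour the report calls a grave bug."""
    kws = {k for k, _ in status_lines(transcript)}
    if kws & REJECT:
        return "rejected"
    if {"GOODSIG", "VALIDSIG"} <= kws:
        return "good"
    return "none"

def signed_after_key_expiry(transcript):
    """True if the signature timestamp (third VALIDSIG field) is later than the
    KEYEXPIRED expiry timestamp; None when either line is absent."""
    expiry = sig_time = None
    for kw, args in status_lines(transcript):
        if kw == "KEYEXPIRED":
            expiry = int(args.split()[0])
        elif kw == "VALIDSIG":
            sig_time = int(args.split()[2])
    if expiry is None or sig_time is None:
        return None
    return sig_time > expiry
```

For the quoted run, `verdict` returns `rejected` and `signed_after_key_expiry` returns `True`: the signature was made about forty minutes after the key's expiry time, the case Goswin describes.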
