[Pkg-gnupg-maint] Bug#497825: gnupg: ignores expiry of archive keys

Peter Palfrader weasel at debian.org
Thu Jun 17 18:12:52 UTC 2010


reopen 497825
thanks

Daniel Leidert wrote on Thursday, 17 June 2010:

> This report has been missing the requested information for more than a
> year. We are still not able to reproduce a difference in the behavior of
> gpgv and gpg.

| weasel at intrepid:~/tmp$ wget -nv http://snapshot.debian.org/archive/debian-volatile/20090903T013716Z/dists/etch/volatile/Release{.gpg,}
| 2010-06-17 20:09:56 URL:http://snapshot.debian.org/archive/debian-volatile/20090903T013716Z/dists/etch/volatile/Release.gpg [189/189] -> "Release.gpg" [1]
| 2010-06-17 20:09:57 URL:http://snapshot.debian.org/archive/debian-volatile/20090903T013716Z/dists/etch/volatile/Release [40688/40688] -> "Release" [1]
| FINISHED --2010-06-17 20:09:57--
| Downloaded: 2 files, 40K in 0s (76139 GB/s)
| weasel at intrepid:~/tmp$ mkdir gnupghome
| weasel at intrepid:~/tmp$ export GNUPGHOME=gnupghome
| weasel at intrepid:~/tmp$ chmod go-rwx gnupghome
| weasel at intrepid:~/tmp$ gpg
| gpg: keyring `gnupghome/secring.gpg' created
| gpg: keyring `gnupghome/pubring.gpg' created
| gpg: Go ahead and type your message ...
| ^C
| gpg: Interrupt caught ... exiting
| 
| weasel at intrepid:~/tmp$ gpg --keyserver keys.gnupg.net --recv BBE55AB3
| gpg: requesting key BBE55AB3 from hkp server keys.gnupg.net
| gpg: gnupghome/trustdb.gpg: trustdb created
| gpg: key BBE55AB3: public key "Debian-Volatile Archive Automatic Signing Key (4.0/etch)" imported
| gpg: no ultimately trusted keys found
| gpg: Total number processed: 1
| gpg:               imported: 1
| weasel at intrepid:~/tmp$ 
| weasel at intrepid:~/tmp$ gpg --list-key BBE55AB3
| pub   1024D/BBE55AB3 2007-03-31 [expired: 2010-03-30]
| uid                  Debian-Volatile Archive Automatic Signing Key (4.0/etch)
| 
| weasel at intrepid:~/tmp$ cp gnupghome/pubring.gpg gnupghome/trustedkeys.gpg 
| weasel at intrepid:~/tmp$ 
| weasel at intrepid:~/tmp$ 
| weasel at intrepid:~/tmp$ gpg --status-fd 2 --verify Release.gpg Release
| gpg: Signature made Thu Sep  3 03:35:17 2009 CEST using DSA key ID BBE55AB3
| [GNUPG:] KEYEXPIRED 1269969909
| [GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
| [GNUPG:] KEYEXPIRED 1269969909
| [GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
| [GNUPG:] SIG_ID PloukF3ViGb7cZ/IkkSl6SbbY1g 2009-09-03 1251941717
| [GNUPG:] KEYEXPIRED 1269969909
| [GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
| [GNUPG:] EXPKEYSIG EC61E0B0BBE55AB3 Debian-Volatile Archive Automatic Signing Key (4.0/etch)
| gpg: Good signature from "Debian-Volatile Archive Automatic Signing Key (4.0/etch)"
| [GNUPG:] VALIDSIG 6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3 2009-09-03 1251941717 0 3 0 17 2 00 6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3
| gpg: Note: This key has expired!
| Primary key fingerprint: 6039 406A 4EDC E124 CF08  7B0A EC61 E0B0 BBE5 5AB3

no GOODSIG -> signature is not valid.


| weasel at intrepid:~/tmp$ gpgv Release.gpg Release
| gpgv: Signature made Thu Sep  3 03:35:17 2009 CEST using DSA key ID BBE55AB3
| gpgv: Good signature from "Debian-Volatile Archive Automatic Signing Key (4.0/etch)"
| weasel at intrepid:~/tmp$ echo $?
| 0

exit code 0 -> signature is valid.


At the risk of repeating myself, this means that gpg and gpgv disagree on what
is a valid signature.

This is gnupg and gpgv both at version 1.4.10-2~bpo50+1.

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
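
The distinction the message draws between the "Good signature" text (or a zero exit code) and the machine-readable status lines, as an added example that is not part of the original message or of GnuPG. The helper names `parse_status` and `verdict` are hypothetical, the keyword names are those documented in GnuPG's doc/DETAILS, and `GOOD_RUN` is constructed sample input.

```python
# Added example: judge a signature from gpg --status-fd lines, never from the prose output.
PREFIX = "[GNUPG:] "
# Status keywords (GnuPG doc/DETAILS) that report a signature gpg did not accept as good.
REJECT = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")

def parse_status(text):
    """Return [(keyword, [args...])] for each status line; human-readable lines are ignored."""
    records = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                records.append((fields[0], fields[1:]))
    return records

def verdict(text, trusted_fprs):
    """Return (ok, reason): ok only for one GOODSIG plus a VALIDSIG from a trusted key."""
    records = parse_status(text)
    keywords = [k for k, _ in records]
    for bad in REJECT:
        if bad in keywords:          # exact keyword match, so EXPSIG != EXPKEYSIG
            return (False, bad)
    if keywords.count("GOODSIG") != 1:
        return (False, "no single GOODSIG")
    fprs = [args[0] for k, args in records if k == "VALIDSIG" and args]
    if len(fprs) != 1 or fprs[0] not in trusted_fprs:
        return (False, "untrusted key")
    return (True, "GOODSIG")

FPR = "6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3"  # fingerprint shown in the session above

# Lines copied from the gpg --verify run in the message above (repeated lines dropped).
EXPIRED_RUN = """\
gpg: Signature made Thu Sep  3 03:35:17 2009 CEST using DSA key ID BBE55AB3
[GNUPG:] KEYEXPIRED 1269969909
[GNUPG:] SIG_ID PloukF3ViGb7cZ/IkkSl6SbbY1g 2009-09-03 1251941717
[GNUPG:] EXPKEYSIG EC61E0B0BBE55AB3 Debian-Volatile Archive Automatic Signing Key (4.0/etch)
gpg: Good signature from "Debian-Volatile Archive Automatic Signing Key (4.0/etch)"
[GNUPG:] VALIDSIG 6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3 2009-09-03 1251941717 0 3 0 17 2 00 6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3
gpg: Note: This key has expired!
"""

# Constructed (not from the page): the same run as it would look with an unexpired key.
GOOD_RUN = EXPIRED_RUN.replace("EXPKEYSIG", "GOODSIG").replace(
    "[GNUPG:] KEYEXPIRED 1269969909\n", "")

if __name__ == "__main__":
    print(verdict(EXPIRED_RUN, {FPR}))
    print(verdict(GOOD_RUN, {FPR}))
```

Both sample runs contain the line `Good signature from ...`, so a caller that matches on that text, or only on the exit code, cannot tell them apart.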




