Re: Expired GPG keys of older release
- Date: Wed, 20 Jun 2018 10:37:19 -0700
- From: Don Armstrong <don@xxxxxxxxxx>
- Subject: Re: Expired GPG keys of older release
On Tue, 19 Jun 2018, Adam Cecile wrote:
> On 06/19/2018 10:48 PM, Don Armstrong wrote:
> > On Tue, 19 Jun 2018, Adam Cecile wrote:
> > > That's a pity, don't you think so ? I think Debian should renew the
> > > archive key, so we can still verify packages signatures.
> > You can still verify them. Key expiration doesn't make existing
> > signatures invalid. [Indeed, gpgv doesn't even check for expired keys.]
> With apt ? I had to set allowunauthenticated = 1 in apt.conf, otherwise apt
> wouldn't install anything.
Hrm; it looks like apt has its own internal version of gpgv which
actually tests the time.
In theory, [allow-weak=yes] should work, but I haven't actually tested
Don Armstrong https://www.donarmstrong.com
You are educated when you have the ability to listen to almost
anything without losing your temper or self-confidence.
-- Robert Frost