
Re: Expired GPG keys of older release

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Jun 22, 2018 at 02:39:52PM -0400, James Cloos wrote:
> >>>>> "T" == <tomas@xxxxxxxxxx> writes:
> 
> T> And just extending the keys' validity (as someone proposed in this
> T> thread) seems a bad idea too, since the requirement for secure keys
> T> evolves over time, as the NSA^H^H^H bad guys buy more GPUs.
> 
> The problem is that the point of a key's expiration time is that
> signatures newer than that should fail, but all signatures made before
> the expiration should verify.

Makes sense...

> So, if apt's signature verification only looks at the key's expiration
> date and not at the signature's timestamp, that is a bug.

Hm. But a stern warning (along the lines "this signature isn't as secure
as it used to be") seems in order, no?

For the current case, what's needed most is some kind of workaround, since
an old apt can't be fixed retroactively, though.

Cheers
-- tomás
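Added example, not code from the thread, apt or GnuPG: it pulls the creation-time subpacket out of a constructed OpenPGP v4 signature packet body (RFC 4880 section 5.2.3) and applies the rule James states (signature made before key expiry verifies, after it fails), with tomás's warning for expired keys, beside the key-expiry-only check the thread attributes to old apt. All timestamps, the key lifetime and the packet bytes are constructed.

```python
import struct

def parse_v4_signature_subpackets(packet: bytes) -> dict:
    """Return {subpacket_type: body} from the hashed area of a v4 signature packet body."""
    if packet[0] != 4:
        raise ValueError("only v4 signature packets are handled here")
    # bytes 1..3 are signature type, public-key algorithm and hash algorithm
    (hashed_len,) = struct.unpack(">H", packet[4:6])
    area = packet[6:6 + hashed_len]
    subpackets, pos = {}, 0
    while pos < len(area):
        first = area[pos]
        if first < 192:                       # one-octet length
            length, pos = first, pos + 1
        elif first < 255:                     # two-octet length
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:                                 # five-octet length
            (length,), pos = struct.unpack(">I", area[pos + 1:pos + 5]), pos + 5
        body = area[pos:pos + length]
        subpackets[body[0] & 0x7F] = body[1:]  # strip the critical bit from the type octet
        pos += length
    return subpackets

def signature_creation_time(packet: bytes) -> int:
    """Subpacket type 2 holds the signature creation time as a 4-octet UNIX timestamp."""
    (t,) = struct.unpack(">I", parse_v4_signature_subpackets(packet)[2])
    return t

def verdict(sig_created: int, key_created: int, key_expires_after: int, now: int) -> str:
    """Expiry rule from the thread: a signature newer than the key's expiry fails, an older
    one verifies; once the key has expired, the older one is accepted with a warning."""
    if key_expires_after == 0:                # key without expiration
        return "ok"
    key_expiry = key_created + key_expires_after
    if sig_created > key_expiry:
        return "fail"
    return "ok-warn" if now > key_expiry else "ok"

def naive_verdict(key_created: int, key_expires_after: int, now: int) -> str:
    """Behaviour the thread attributes to old apt: only key expiry versus now is checked."""
    if key_expires_after and now > key_created + key_expires_after:
        return "fail"
    return "ok"

# Constructed sample: v4, binary-document signature, RSA, SHA1, one hashed subpacket
# (type 2, created 2017-06-01 00:00 UTC), empty unhashed area, dummy hash prefix.
SIG_CREATED = 1496275200
SAMPLE_SIG = (b"\x04\x00\x01\x02" + b"\x00\x06" + b"\x05\x02" + struct.pack(">I", SIG_CREATED)
              + b"\x00\x00" + b"\xab\xcd")
KEY_CREATED = 1464739200                # 2016-06-01 00:00 UTC, constructed
KEY_EXPIRES_AFTER = 2 * 365 * 86400     # two-year lifetime, constructed (expires 2018-06-01)
NOW = 1529625600                        # 2018-06-22 00:00 UTC, the date of the thread
```

With these values `verdict()` returns "ok-warn" for the sample signature while `naive_verdict()` returns "fail", which is the discrepancy the thread is discussing.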