Re: Expired GPG keys of older release
- Date: Fri, 22 Jun 2018 21:12:51 +0200
- From: <tomas@xxxxxxxxxx>
- Subject: Re: Expired GPG keys of older release
On Fri, Jun 22, 2018 at 02:39:52PM -0400, James Cloos wrote:
> >>>>> "T" == <tomas@xxxxxxxxxx> writes:
> T> And just extending the keys' validity (as someone proposed in this
> T> thread) seems a bad idea too, since the requirement for secure keys
> T> evolves over time, as the NSA^H^H^H bad guys buy more GPUs.
> The problem is that the point of a key's expiration time is that
> signatures newer than that should fail, but all signatures made before
> the expiration should verify.
> So, if apt's signature verification only looks at the key's expiration
> date and not at the signature's timestamp, that is a bug.
Hm. But a stern warning (along the lines "this signature isn't as secure
as it used to be") seems in order, no?
For the current case, what's needed most is some kind of workaround, since
an old apt can't be fixed retroactively, though.
-- tomás
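The check James describes (compare the signature's own timestamp with the key's expiry instead of only asking whether the key is expired today) together with the warning tomás asks for, as an added example that is not part of this thread, of apt, or of GnuPG: a small Python policy layer over gpg's machine-readable `--status-fd` output. The status lines below are constructed, not captured from a real key; the field positions for `KEYEXPIRED` and `VALIDSIG` follow GnuPG's doc/DETAILS as I read it, so treat them as an assumption, and `gpg_status()` is a hypothetical helper that shells out to gpg with flags that do exist (`--batch --status-fd 1 --verify`).

```python
import subprocess
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed fingerprint and timestamps for the sample status lines
# (not a real key; expiry and signature times are made up for the example).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
KEY_EXPIRY = 1527811200   # 2018-06-01 00:00:00 UTC
OLD_SIG_TS = 1483228800   # 2017-01-01 00:00:00 UTC: signed while the key was valid
LATE_SIG_TS = 1530000000  # 2018-06-26 08:40:00 UTC: signed after the key expired


def fake_status(sig_ts: int, key_expiry: int = KEY_EXPIRY) -> List[str]:
    """Constructed gpg --status-fd lines for a signature made by a now-expired key.
    Field layout assumed from GnuPG doc/DETAILS:
      KEYEXPIRED <expire-timestamp>
      VALIDSIG <fpr> <YYYY-MM-DD> <sig-timestamp> <sig-expire> <sig-version>
               <reserved> <pubkey-algo> <hash-algo> <sig-class> <primary-fpr>
    """
    day = time.strftime("%Y-%m-%d", time.gmtime(sig_ts))
    return [
        "[GNUPG:] NEWSIG",
        f"[GNUPG:] KEYEXPIRED {key_expiry}",
        f"[GNUPG:] EXPKEYSIG {FPR[-16:]} Example Archive Key <archive@example.invalid>",
        f"[GNUPG:] VALIDSIG {FPR} {day} {sig_ts} 0 4 0 1 10 00 {FPR}",
    ]


def gpg_status(sig_path: str, data_path: str) -> List[str]:
    """Hypothetical helper: run gpg on a detached signature and return its status lines."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout.splitlines()


@dataclass
class Verdict:
    status: str              # valid | valid-key-expired | signed-after-expiry | bad | unverified
    sig_ts: Optional[int]
    key_expiry: Optional[int]
    message: str


def judge(status_lines: List[str], now: Optional[int] = None) -> Verdict:
    """Policy from the thread: a signature made before the key's expiry verifies
    (with a stern warning if the key has since expired); a signature made after
    the expiry fails; BADSIG always fails. The clock is injectable for testing."""
    now = int(time.time()) if now is None else now
    bad = good = False
    sig_ts = key_expiry = None
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        tag, *args = line[len("[GNUPG:] "):].split()
        if tag == "BADSIG":
            bad = True
        elif tag in ("GOODSIG", "EXPKEYSIG"):
            good = True
        elif tag == "VALIDSIG" and len(args) >= 3:
            sig_ts = int(args[2])            # signature creation time, seconds since epoch
        elif tag == "KEYEXPIRED" and args:
            key_expiry = int(args[0])        # key expiration time, seconds since epoch

    if bad:
        return Verdict("bad", sig_ts, key_expiry, "BADSIG: signature does not verify")
    if not good or sig_ts is None:
        return Verdict("unverified", sig_ts, key_expiry, "no GOODSIG/EXPKEYSIG with VALIDSIG")
    if key_expiry is not None and sig_ts > key_expiry:
        return Verdict("signed-after-expiry", sig_ts, key_expiry,
                       f"signature time {sig_ts} is newer than key expiry {key_expiry}")
    if key_expiry is not None and now >= key_expiry:
        days = (now - key_expiry) // 86400
        return Verdict("valid-key-expired", sig_ts, key_expiry,
                       "good signature, but the signing key expired "
                       f"{days} days ago; it is not as strong an assurance as it once was")
    return Verdict("valid", sig_ts, key_expiry, "good signature, key still valid")


if __name__ == "__main__":
    for ts in (OLD_SIG_TS, LATE_SIG_TS):
        v = judge(fake_status(ts), now=1529700000)   # 2018-06-22, the date of this thread
        print(v.status, "-", v.message)
```

To use it against a real archive, replace `fake_status(...)` with `gpg_status("Release.gpg", "Release")`; the only decision the example adds on top of gpg is the comparison of the `VALIDSIG` timestamp with the `KEYEXPIRED` timestamp, which is exactly the distinction the thread is about.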