[Pkg-gnupg-maint] Bug#497825: Bug#497825: Clone+Reassign to gpgv of #433091 apt-get: ignores expiry of archive keys

Thijs Kinkhorst thijs at debian.org
Sat May 23 10:55:41 UTC 2009


Hi Peter,

Sorry for not getting back to this earlier.

On moandei 6 April 2009, Peter Palfrader wrote:
> > mrvn at book:/% sudo gpg --keyring etc/apt/trusted.gpg --verify
> > var/lib/apt/lists/localhost_debian_dists_sid_Release.gpg
> > var/lib/apt/lists/localhost_debian_dists_sid_Release gpg: WARNING: unsafe
> > ownership on configuration file
> > `/home/mrvn/.gnupg/gpg.conf'
> > gpg: Signature made Tue Sep  2 18:08:46 2008 CEST using RSA key ID
> > F583D700
> > gpg: Good signature from "Tester (test key) <test at noreply.org>"
> > gpg: Note: This key has expired!
> > Primary key fingerprint: 317C B6A2 20E3 D9DF BE98  0264 1E34 EFC0 F583
> > D700
> > mrvn at book:/% echo $?
> > 0
> >
> > Note that gpg does not fail the signature just because it has expired,
> > even if the signature is made after the expiry date of the key. The
> > signature was made when the key was still valid so it gets accepted.
>
> I don't think that's correct.
>
> | weasel at intrepid:~/tmp/g$ gpgv --keyring ./pubring.gpg  Release.gpg
> | Release gpgv: Signature made Mon Apr  6 01:42:33 2009 CEST using DSA key
> | ID BD2B0EE0 gpgv: Good signature from "db.debian.org archive key 2008"
> | weasel at intrepid:~/tmp/g$ echo $?
> | 0
> |
> | weasel at intrepid:~/tmp/g$ gpg --status-fd=2 --verify Release.gpg Release
> | gpg: WARNING: unsafe permissions on homedir `.'
> | gpg: Signature made Mon Apr  6 01:42:33 2009 CEST using DSA key ID
> | BD2B0EE0
> | [GNUPG:] KEYEXPIRED 1238972541
> | [GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
> | [GNUPG:] SIG_ID ku+8oeaPmKjRxDvpydIDp9yPiss 2009-04-05 1238974953
> | [GNUPG:] EXPKEYSIG BEA7CF10BD2B0EE0 db.debian.org archive key 2008
> | gpg: Good signature from "db.debian.org archive key 2008"
> | [GNUPG:] VALIDSIG 41A8A518BF62877513FE798FBEA7CF10BD2B0EE0 2009-04-05
> | 1238974953 0 4 0 17 2 00 41A8A518BF62877513FE798FBEA7CF10BD2B0EE0
> | gpg: Note: This key has expired!
> | Primary key fingerprint: 41A8 A518 BF62 8775 13FE  798F BEA7 CF10 BD2B
> | 0EE0
>
> No GOODSIG.
>
> So gpgv considers a signature valid that gpg doesn't.  That in itself
> should be a grave bug.

Perhaps I misunderstood your mail, but in my experiment both gpgv and gpg 
return the same result. The difference from your example above is that I 
used --status-fd=2 for gpgv too, because that makes the output of both 
comparable.

thijs at escher:~/pgptest$ LANG=C gpgv --status-fd=2 --keyring ~/.gnupg/pubring.gpg WWCW_Spookslot_hoofdshow_huidig.mp3.asc WWCW_Spookslot_hoofdshow_huidig.mp3
gpgv: Signature made Mon Sep  1 12:06:50 2008 CEST using DSA key ID 87971F20
[GNUPG:] KEYEXPIRED 1220868029
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] KEYEXPIRED 1220868029
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID VpH33if9gHtp0otZjARb9/EZpfk 2008-09-01 1220263610
[GNUPG:] KEYEXPIRED 1220868029
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] EXPKEYSIG CF2B18B987971F20 Test Key (Do Not Use) <test at example.com>
gpgv: Good signature from "Test Key (Do Not Use) <test at example.com>"
[GNUPG:] VALIDSIG 74B4CC126021C2935D595999CF2B18B987971F20 2008-09-01 1220263610 0 4 0 17 2 00 74B4CC126021C2935D595999CF2B18B987971F20

thijs at escher:~/pgptest$ LANG=C gpg --status-fd=2 --verify WWCW_Spookslot_hoofdshow_huidig.mp3.asc WWCW_Spookslot_hoofdshow_huidig.mp3
gpg: Signature made Mon Sep  1 12:06:50 2008 CEST using DSA key ID 87971F20
[GNUPG:] KEYEXPIRED 1220868029
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] KEYEXPIRED 1220868029
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID VpH33if9gHtp0otZjARb9/EZpfk 2008-09-01 1220263610
[GNUPG:] KEYEXPIRED 1220868029
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] EXPKEYSIG CF2B18B987971F20 Test Key (Do Not Use) <test at example.com>
gpg: Good signature from "Test Key (Do Not Use) <test at example.com>"
[GNUPG:] VALIDSIG 74B4CC126021C2935D595999CF2B18B987971F20 2008-09-01 1220263610 0 4 0 17 2 00 74B4CC126021C2935D595999CF2B18B987971F20
gpg: Note: This key has expired!
Primary key fingerprint: 74B4 CC12 6021 C293 5D59  5999 CF2B 18B9 8797 1F20

Neither of them outputs a GOODSIG, so I'm inclined to think that this is the 
expected behaviour: neither considers the signature ok. If you disagree, 
can you clarify what it is that gpgv should change?


thanks,
Thijs
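The transcripts in this thread show the property a caller of gpg or gpgv has to deal with: a signature made by an expired key prints "Good signature", exits 0, and emits EXPKEYSIG plus KEYEXPIRED instead of GOODSIG on the status fd. The following is an added example, not code from this email, from apt or from GnuPG, of how a consumer such as an archive-file verifier should decide acceptance: by parsing the `[GNUPG:]` status lines and requiring GOODSIG and VALIDSIG with no vetoing keyword, rather than trusting the exit code. The rejected sample is the gpgv status output quoted above (mail-client wrapping undone); the accepted sample is constructed from it by substituting GOODSIG for the expiry lines. The status keywords used are those documented in GnuPG's doc/DETAILS; the `trusted` allowlist parameter is an assumption of this example.

```python
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# Matches one machine-readable status line; human-readable "gpg:" /
# "gpgv:" lines deliberately do not match and are ignored.
STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")

# Status keywords (GnuPG doc/DETAILS) that must veto acceptance even when
# the exit status is 0 and "Good signature" was printed.
REJECT = {
    "BADSIG", "ERRSIG", "NO_PUBKEY", "NODATA",
    "KEYEXPIRED", "EXPKEYSIG", "EXPSIG", "REVKEYSIG", "KEYREVOKED",
}


class Verdict(NamedTuple):
    accepted: bool
    reason: str
    fingerprint: Optional[str]


def parse_status(text: str) -> List[Tuple[str, str]]:
    """Split verifier output into (keyword, arguments) pairs."""
    events = []
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2) or ""))
    return events


def judge(status_text: str, exit_code: int = 0,
          trusted: Optional[Set[str]] = None) -> Verdict:
    """Accept only if the exit status is 0, no vetoing keyword appears,
    both GOODSIG and VALIDSIG are present, and (when an allowlist is
    given) the VALIDSIG fingerprint is in `trusted`."""
    if exit_code != 0:
        return Verdict(False, "verifier exit status %d" % exit_code, None)
    events = parse_status(status_text)
    vetoes = sorted({k for k, _ in events if k in REJECT})
    if vetoes:
        return Verdict(False, "rejected: " + ", ".join(vetoes), None)
    goodsig = [a for k, a in events if k == "GOODSIG"]
    validsig = [a for k, a in events if k == "VALIDSIG"]
    if not goodsig or not validsig:
        return Verdict(False, "no GOODSIG/VALIDSIG pair", None)
    # First VALIDSIG argument is the full fingerprint of the signing key.
    fpr = validsig[0].split()[0].upper()
    if trusted is not None and fpr not in {t.upper() for t in trusted}:
        return Verdict(False, "signing key %s not in trusted set" % fpr, fpr)
    return Verdict(True, "GOODSIG " + goodsig[0], fpr)


# Sample 1: the gpgv --status-fd=2 output quoted in the email above
# (expired key; exit status was 0).
EXPIRED_KEY_STATUS = """\
gpgv: Signature made Mon Sep  1 12:06:50 2008 CEST using DSA key ID 87971F20
[GNUPG:] KEYEXPIRED 1220868029
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID VpH33if9gHtp0otZjARb9/EZpfk 2008-09-01 1220263610
[GNUPG:] EXPKEYSIG CF2B18B987971F20 Test Key (Do Not Use) <test at example.com>
gpgv: Good signature from "Test Key (Do Not Use) <test at example.com>"
[GNUPG:] VALIDSIG 74B4CC126021C2935D595999CF2B18B987971F20 2008-09-01 1220263610 0 4 0 17 2 00 74B4CC126021C2935D595999CF2B18B987971F20
"""

# Sample 2: constructed for this example; what the same verification
# would emit if the key had not expired (GOODSIG instead of EXPKEYSIG).
GOOD_STATUS = """\
gpgv: Signature made Mon Sep  1 12:06:50 2008 CEST using DSA key ID 87971F20
[GNUPG:] SIG_ID VpH33if9gHtp0otZjARb9/EZpfk 2008-09-01 1220263610
[GNUPG:] GOODSIG CF2B18B987971F20 Test Key (Do Not Use) <test at example.com>
gpgv: Good signature from "Test Key (Do Not Use) <test at example.com>"
[GNUPG:] VALIDSIG 74B4CC126021C2935D595999CF2B18B987971F20 2008-09-01 1220263610 0 4 0 17 2 00 74B4CC126021C2935D595999CF2B18B987971F20
"""

ARCHIVE_KEYS = {"74B4CC126021C2935D595999CF2B18B987971F20"}

if __name__ == "__main__":
    print("expired key :", judge(EXPIRED_KEY_STATUS, trusted=ARCHIVE_KEYS))
    print("valid key   :", judge(GOOD_STATUS, trusted=ARCHIVE_KEYS))
```

Run with a real verifier by piping `gpgv --status-fd 1 ...` output into `judge()` together with the process exit code. The vetoing set is checked before GOODSIG so that a transcript containing both a veto keyword and a GOODSIG (as can happen with multiple signatures) is still rejected.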