Anthony Towns wrote:
> Not directly afaik. If you say "Archive Signing Key (Date <= 2006-05-01)"
> apt could parse that from gpgv's output and perform the check itself, or add
> a "The key used to sign these packages expired on 2006-05-01; if you obtained
> this media after that date, you may have a problem. Continue (y/n): " warning.
>
> I'm not sure off-hand what gpgv outputs in the case of an expired key; it might
> be feasible to do the above already.

root@dragon:/var/lib/apt/lists>date
Fri Feb 10 02:55:26 EST 2006

It does show as expired in the key list:

pub   1024D/4F368D5D 2005-01-31 [expired: 2006-01-31]
uid                  Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>

And of course the first line is parsable if we needed to.

root@dragon:/var/lib/apt/lists>gpgv --keyring /etc/apt/trusted.gpg ftp.debian.org_debian_dists_unstable_Release.gpg ftp.debian.org_debian_dists_unstable_Release
gpgv: Signature made Mon Jan 9 16:06:49 2006 EST using DSA key ID 4F368D5D
gpgv: Good signature from "Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>"
gpgv: Signature made Mon Jan 9 16:06:49 2006 EST using DSA key ID 2D230C5F
gpgv: Good signature from "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>"

Nonzero exit; odd, it doesn't seem to notice that the key is expired at all.
But apt won't use gpgv like that, I suppose, but instead like this:

root@dragon:/var/lib/apt/lists>gpgv --status-fd 1 --keyring /etc/apt/trusted.gpg ftp.debian.org_debian_dists_unstable_Release.gpg ftp.debian.org_debian_dists_unstable_Release 2>/dev/null
[GNUPG:] KEYEXPIRED 1138684904
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID ZKhvtcKyBPTP/uIh7HV7YuPjbTQ 2006-01-09 1136840809
[GNUPG:] EXPKEYSIG F1D53D8C4F368D5D Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>
[GNUPG:] VALIDSIG 4C7A8E5E9454FE3FAE1E78ADF1D53D8C4F368D5D 2006-01-09 1136840809 0 3 0 17 2 00 4C7A8E5E9454FE3FAE1E78ADF1D53D8C4F368D5D
[GNUPG:] SIG_ID xXpzy5nnFmZ2vx2kRLfQ31tjC6Q 2006-01-09 1136840809
[GNUPG:] GOODSIG 010908312D230C5F Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>
[GNUPG:] VALIDSIG 084750FC01A6D388A643D869010908312D230C5F 2006-01-09 1136840809 0 3 0 17 2 00 084750FC01A6D388A643D869010908312D230C5F

d-i net-retriever and debootstrap will currently accept the 2005 key signature above as good even though it's an EXPKEYSIG, since gpgv still says it's a VALIDSIG. I haven't checked apt.

But that was a Release file signed before the key expired. What happens if it's signed using an expired key? Let's see:

(Note that I created a key, distributed it to root, then moved forward till it expired and tried to sign with it, but gpg wouldn't let me so I edited my personal version of the key to not be expired..)
joey@dragon:~>date
Sat Feb 20 03:06:53 EST 2010
joey@dragon:~>gpg -u "test expire key" --sign passwd

You need a passphrase to unlock the secret key for
user: "test expire key"
1024-bit DSA key, ID 53FE1BE8, created 2006-02-20

root@dragon:/home/joey>gpg --list-keys 53FE1BE8
pub   1024D/53FE1BE8 2006-02-20 [expired: 2007-02-20]
uid                  test expire key

root@dragon:/home/joey>gpgv --status-fd 1 --keyring /root/.gnupg/pubring.gpg passwd.gpg
gpgv: Signature made Sat Feb 20 03:02:46 2010 EST using DSA key ID 53FE1BE8
[GNUPG:] KEYEXPIRED 1171959238
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID 6FJsP/WgGaXPws8dsBchG+nohOw 2010-02-20 1266652966
[GNUPG:] EXPKEYSIG 81DD5AF853FE1BE8 test expire key
gpgv: Good signature from "test expire key"
[GNUPG:] VALIDSIG 9F2124E6216B3E74302F173C81DD5AF853FE1BE8 2010-02-20 1266652966 0 3 0 17 2 00 9F2124E6216B3E74302F173C81DD5AF853FE1BE8

Huh, exactly the same.

If my experiments are right, then we can just:

1. Make apt accept EXPKEYSIG VALIDSIG as indicating a valid signature, if it doesn't already.
2. Sign and rotate archive signing keys as we do now.
3. Create a dedicated key for the stable release and sign the stable release with it. This key can be set to expire too, though it could have very different management procedures than the normal signing keys, so expiry might not be an issue.
4. If we need to update the stable release past the key expiry, locally de-expire it and sign the release with it; apt will accept the result.

-- 
see shy jo
Attachment:
signature.asc
Description: Digital signature