Re: Questioning debian/upstream/signing-key.asc

To: debian-devel@lists.debian.org
Subject: Re: Questioning debian/upstream/signing-key.asc
From: Ansgar <ansgar@43-1.org>
Date: Fri, 26 Mar 2021 17:31:16 +0100
Message-id: <[🔎] 498a8e4699f7cab925bcf1f8f552f605dcb68185.camel@43-1.org>
In-reply-to: <[🔎] 871rc1lx14.fsf@hope.eyrie.org>
References: <[🔎] 1616749579@msgid.manchmal.in-ulm.de> <[🔎] 871rc1lx14.fsf@hope.eyrie.org>

On Fri, 2021-03-26 at 09:06 -0700, Russ Allbery wrote:
> I'm not all that familiar with the intended semantics of OpenPGP key
> expirations, but intuitively I think a signature made before the
> expiration should be considered valid, even if the key has now
> expired and thus shouldn't be used to make new signatures.

How would you know that the signature was made before the key expired?

Other systems (e.g. signed executables on Windows) have a trusted third
party sign the timestamp for that, but OpenPGP doesn't do so.

Ansgar

Reply to:

Follow-Ups:
- Re: Questioning debian/upstream/signing-key.asc
  - From: Russ Allbery <rra@debian.org>

References:
- Questioning debian/upstream/signing-key.asc
  - From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
- Re: Questioning debian/upstream/signing-key.asc
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: I'm orphan my packages and leave the project as maintainer
Next by Date: Re: Questioning debian/upstream/signing-key.asc
Previous by thread: Re: Questioning debian/upstream/signing-key.asc
Next by thread: Re: Questioning debian/upstream/signing-key.asc
Index(es):
- Date
- Thread