Re: Questioning debian/upstream/signing-key.asc
On Fri, 2021-03-26 at 09:06 -0700, Russ Allbery wrote:
> I'm not all that familiar with the intended semantics of OpenPGP key
> expirations, but intuitively I think a signature made before the
> expiration should be considered valid, even if the key has now
> expired and thus shouldn't be used to make new signatures.
How would you know that the signature was made before the key expired?
Other systems (e.g. signed executables on Windows) have a trusted third
party sign the timestamp for that, but OpenPGP doesn't do so.
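
The point in the reply above, as an added example that is not part of the original message: the only time a verifier can read from an OpenPGP signature is the creation-time subpacket (type 2), a field the signer fills in. The function names, the `attested` parameter (a hypothetical, independently trusted upper bound on when the signature existed) and the sample bytes are assumptions made for illustration.

```python
import struct

SIG_CREATION_TIME = 2  # signature subpacket type, RFC 4880 section 5.2.3.4

def claimed_creation_time(sig_body):
    """Return the signer-asserted creation time from a v4 signature packet body."""
    if len(sig_body) < 6 or sig_body[0] != 4:
        raise ValueError("not a version 4 signature packet body")
    (hashed_len,) = struct.unpack(">H", sig_body[4:6])
    area = sig_body[6:6 + hashed_len]
    if len(area) != hashed_len:
        raise ValueError("truncated hashed subpacket area")
    i = 0
    try:
        while i < len(area):
            first = area[i]
            if first < 192:        # one-octet subpacket length
                length, i = first, i + 1
            elif first < 255:      # two-octet subpacket length
                length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
            else:                  # five-octet subpacket length
                length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
            sub = area[i:i + length]  # type octet followed by data
            if length == 0 or len(sub) != length:
                raise ValueError("malformed subpacket")
            if sub[0] & 0x7F == SIG_CREATION_TIME and length == 5:
                return struct.unpack(">I", sub[1:5])[0]
            i += length
    except (IndexError, struct.error):
        raise ValueError("truncated subpacket") from None
    raise ValueError("no signature creation time subpacket")

def assess(claimed, key_expiry, now, attested=None):
    """Classify a signature that already verified cryptographically (Unix times)."""
    if now < key_expiry:
        return "key-not-expired"
    if attested is not None and attested < key_expiry:
        return "predates-expiry-attested"       # backed by evidence outside the signature
    if claimed < key_expiry:
        return "predates-expiry-unverifiable"   # rests only on the signer's own field
    return "made-after-expiry"

def sample_sig_body(ts):
    """Constructed sample: v4 header and one creation-time subpacket, no real MPIs."""
    hashed = bytes([5, SIG_CREATION_TIME]) + struct.pack(">I", ts)
    return bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(hashed)) + hashed + b"\x00" * 4
```
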