Re: Questioning debian/upstream/signing-key.asc
Ansgar <email@example.com> writes:
> On Fri, 2021-03-26 at 09:06 -0700, Russ Allbery wrote:
>> I'm not all that familiar with the intended semantics of OpenPGP key
>> expirations, but intuitively I think a signature made before the
>> expiration should be considered valid, even if the key has now expired
>> and thus shouldn't be used to make new signatures.
> How would you know that the signature was made before the key expired?
> Other systems (e.g. signed executables on Windows) have a trusted third
> party sign the timestamp for that, but OpenPGP doesn't do so.
That's a great question. I didn't think about that.
We do have a trusted timestamp for the point at which the upstream tarball
and signature were uploaded to the Debian archive, though, so if the key
had not yet expired at that point, I think we can infer it wasn't expired
when the signature was made.
Russ Allbery (firstname.lastname@example.org) <https://www.eyrie.org/~eagle/>
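An added example, not part of the message above or of any Debian tooling, illustrating the check Russ describes: read the Signature Creation Time out of the hashed subpacket area of an OpenPGP v4 signature packet (RFC 4880, sections 5.2.3.1 and 5.2.3.4), then decide whether the key can be considered unexpired at signing time. The signature's own timestamp is chosen by the signer, so it only rules things out; the archive upload time is the trusted upper bound. The key creation time and Key Expiration Time value are assumed to have been taken from the key's self-signature and are passed in as plain integers; `build_signature_packet` produces constructed test data with a dummy MPI, not a cryptographically valid signature.

```python
"""Infer whether an OpenPGP signature predates its key's expiry (added example).

Packet layout follows RFC 4880 (old-format header, v4 signature). Only the
hashed subpacket area is covered by the signature, so the creation time is
read from there, never from the unhashed area.
"""
import struct

SIG_CREATION_TIME = 2   # RFC 4880 5.2.3.4, 4-octet time since the Unix epoch


def _subpacket_len(data, i):
    """Decode an RFC 4880 5.2.3.1 subpacket length; return (length, next_index)."""
    first = data[i]
    if first < 192:
        return first, i + 1
    if first < 255:
        return ((first - 192) << 8) + data[i + 1] + 192, i + 2
    return struct.unpack(">I", data[i + 1:i + 5])[0], i + 5


def _encode_subpacket_len(n):
    """Inverse of _subpacket_len, used only to construct test packets."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def parse_hashed_subpackets(packet):
    """Return {subpacket_type: payload} for the hashed area of a v4 signature."""
    tag = packet[0]
    if not tag & 0x80 or tag & 0x40:
        raise ValueError("expected an old-format packet header")
    if (tag >> 2) & 0x0F != 2:
        raise ValueError("not a signature packet (tag 2)")
    ltype = tag & 0x03                      # old-format length type
    if ltype == 0:
        body = packet[2:2 + packet[1]]
    elif ltype == 1:
        body = packet[3:3 + struct.unpack(">H", packet[1:3])[0]]
    elif ltype == 2:
        body = packet[5:5 + struct.unpack(">I", packet[1:5])[0]]
    else:
        raise ValueError("indeterminate-length packets not supported")
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    # body: version, sig type, pubkey alg, hash alg, 2-octet hashed length, ...
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    out, i = {}, 0
    while i < len(hashed):
        length, i = _subpacket_len(hashed, i)
        out[hashed[i] & 0x7F] = hashed[i + 1:i + length]   # high bit = critical
        i += length
    return out


def signature_creation_time(packet):
    sub = parse_hashed_subpackets(packet)
    if SIG_CREATION_TIME not in sub:
        raise ValueError("v4 signature lacks a creation time subpacket")
    return struct.unpack(">I", sub[SIG_CREATION_TIME])[0]


def judge_signature(sig_packet, key_created, key_expiry_seconds, archive_upload_time):
    """Classify a signature against key lifetime and the trusted archive timestamp.

    key_expiry_seconds: Key Expiration Time from the key's self-signature
    (seconds after key creation), or None for a key that never expires.
    archive_upload_time: trusted time the tarball+signature entered the archive.
    """
    sig_created = signature_creation_time(sig_packet)
    if sig_created < key_created:
        return "claimed-before-key-existed"        # signer's own claim is absurd
    if sig_created > archive_upload_time:
        return "claimed-after-upload"              # cannot have been signed after upload
    if key_expiry_seconds is None:
        return "key-never-expires"
    expires_at = key_created + key_expiry_seconds
    if sig_created >= expires_at:
        return "claimed-after-expiry"              # even the signer says it was late
    if archive_upload_time < expires_at:
        return "valid-by-archive-time"             # trusted upper bound is pre-expiry
    return "undeterminable"                        # key already expired at upload


def build_signature_packet(created):
    """Constructed v4 signature packet (binary doc, RSA, SHA-256) with a dummy MPI.

    Test data only: the MPI is meaningless, so this never verifies cryptographically.
    """
    hashed = _encode_subpacket_len(5) + bytes([SIG_CREATION_TIME]) + struct.pack(">I", created)
    body = bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", 0)              # empty unhashed area
    body += b"\xab\xcd"                       # left 16 bits of the hash
    body += struct.pack(">H", 8) + b"\x80"    # 8-bit MPI, value 0x80
    return bytes([0x80 | (2 << 2) | 1]) + struct.pack(">H", len(body)) + body


if __name__ == "__main__":
    key_created, one_year = 1577836800, 365 * 86400          # 2020-01-01, expires 2021-01-01
    sig = build_signature_packet(1590969600)                  # claims 2020-06-01
    print(judge_signature(sig, key_created, one_year, 1593561600))   # uploaded 2020-07-01
    print(judge_signature(sig, key_created, one_year, 1614556800))   # uploaded 2021-03-01
```

The interesting branch is the last one: once the archive timestamp is past the key's expiry, the signature's own creation time proves nothing, because a signer holding the expired key can backdate it freely; a separate trusted timestamp (which OpenPGP does not provide) would be needed.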