[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Questioning debian/upstream/signing-key.asc



* Russ Allbery <rra@debian.org> [2021-03-26 13:01]:
If this were the case, it would be fine to re-sign *.dsc files, but there
has been quite a lot of opposition to that in the past.  The upstream
signing key is at least as useful as the signature on the *.dsc file, for
exactly the same reasons.
I do not understand this, but I am probably too new with Debian. Can you
point me to a discussion about this?

Key expiration, at least in my understanding, says that signatures made by
that key are valid up until the point that the key has expired, but not
after that point.  It cannot protect against key compromise prior to the
expiration date.  That's what a revocation is for.
You're right, I did conflate those two concepts too much. Let me try and
rephrase. What I meant to convey was: there is no way to know when a
signature was created except trusting what the signature itself says,
because anyone who has control over the key can forge any date. That's
fine, because in this context, the actual date of the signature doesn't
really matter: the signature is meant to prevent an attacker from
tampering with the source code, not to prove when exactly the release
happened.

Thus, there is no reason to stop trusting the signature after the
key has expired, unless you assume that someone could have replaced the
original source and forged a backdated signature, i.e. the key was
compromised.

I am making more sense now?

- Timo

Attachment: signature.asc
Description: PGP signature


Reply to: