Axel Beckert wrote...
> That might be something for lintian-brush once a lintian check is
> there. Cc'ing Jelmer, the author of lintian-brush.
What's the status of that story? I hacked a few lines together that work at
least for the case where I encountered the problem. But it's fairly
fragile since parsing textual output is bad. It was way better to
*omit* --list-packets in the gpg invocation since then the output is by
definition machine-readable (and there is an "Expired!" alert on stderr
for free). Also upstream warns the output of --list-packets "may change
with new releases."
Christoph
--- /usr/share/lintian/checks/debian/upstream/signing-key.pm
+++ /usr/share/lintian/checks/debian/upstream/signing-key.pm
@@ -122,15 +122,20 @@
# look for third-party signatures
my @thirdparty;
+ my $expired;
for my $packet (@packets) {
my $header = $packet->[0];
+ my $body = $packet->[1];
if ($header =~ qr/^:signature packet: algo \d+, keyid (\S*)$/){
my $signatory = $1;
push(@thirdparty, $signatory)
unless $signatory eq $keyid;
}
+ if ($body =~ qr/ expires 0/) {
+ $expired = 1;
+ }
}
# signatures by parties other than self
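Review bot: the new `$body =~ qr/ expires 0/` test runs against every packet rather than only key packets, and the pattern has no right-hand anchor, so any body text containing ` expires 0` followed by further characters also sets `$expired`. Restrict the match to the packet headers it is meant for, anchor the value (for example with `\b`), and add a comment stating what gpg prints for an expired key, since the literal `expires 0` is not self-explanatory. If a packet can arrive without a body, `$packet->[1]` should be checked with `defined` before matching.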
@@ -141,6 +146,9 @@
$key_name,
"has $extrasignatures extra signature(s) for keyid $keyid")
if $extrasignatures;
+ $self->hint('public-upstream-key-expired',
+ $key_name,'has expired keys')
+ if $expired;
}
}
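Review bot: the added hint text `has expired keys` cannot say which key expired because `$expired` is only a flag, unlike the neighbouring hint that names `$keyid`. Collect the affected key ids in the loop and include them in the hint; a space after the comma in `$key_name,'has expired keys'` would also match the surrounding style.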
Tag: public-upstream-key-expired
Severity: info
Check: debian/upstream/signing-key
See-Also: uscan(1)
Explanation: The source package contains a public upstream signing key
 that contains at least one key that has expired.
 .
 Please obtain the correct key from upstream.
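Added example, not part of the original message or of lintian: one way to detect expired keys from gpg's colon-delimited listing instead of the `--list-packets` text the message calls fragile. It assumes the listing comes from an invocation such as `gpg --show-keys --with-colons` (field 2 validity, field 5 key id, field 7 expiry in epoch seconds); the function name `expired_keys` and the sample records are constructed.

```perl
use strict;
use warnings;

# Returns [record type, key id, expiry] for each expired primary key (pub)
# or subkey (sub) in gpg colon-format output. $now is epoch seconds.
sub expired_keys {
    my ($listing, $now) = @_;
    my @expired;
    for my $line (split /\n/, $listing) {
        my @f = split /:/, $line, -1;    # -1 keeps trailing empty fields
        next unless @f >= 7 && $f[0] =~ /^(?:pub|sub)$/;
        my ($type, $validity, $keyid, $expires) = @f[0, 1, 4, 6];
        # Field 7 is empty for keys without an expiry date.
        my $past = $expires =~ /^\d+$/ && $expires < $now;
        push @expired, [$type, $keyid, $expires]
          if $validity eq 'e' || $past;
    }
    return @expired;
}

# Constructed sample listing (not real keys): one expired primary key with
# an expired subkey, and one key that never expires.
my $sample = <<'EOT';
pub:e:4096:1:AAAAAAAAAAAAAAAA:1400000000:1500000000::-:::sc::::::23::0:
uid:e::::1400000000::0000000000000000000000000000000000000000::Example Upstream <upstream@example.org>::::::::::0:
sub:e:4096:1:BBBBBBBBBBBBBBBB:1400000000:1500000000:::::e::::::23:
pub:-:255:22:CCCCCCCCCCCCCCCC:1600000000:::-:::scESC:::::ed25519:::0:
EOT

# Fixed "now" so the result is reproducible; a real check would use time().
for my $key (expired_keys($sample, 1700000000)) {
    printf "%s %s expired at %s\n", @$key;
}
```

Because each record carries its own key id, a hint built this way can name the expired key rather than only report that one exists.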