Re: Expired GPG keys of older release

[Adam Cecile <adam.cecile@hitec.lu>]

Oh nice, i'll check tomorrow or on Friday, thanks for this suggestion. Could help a lot with third parties repo using weak timestamp also.

On June 20, 2018 7:37:19 PM GMT+02:00, Don Armstrong <don@debian.org> wrote:

On Tue, 19 Jun 2018, Adam Cecile wrote:
 On 06/19/2018 10:48 PM, Don Armstrong wrote:
 On Tue, 19 Jun 2018, Adam Cecile wrote:
 That's a pity, don't you think so ? I think Debian should renew the
 archive key, so we can still verify packages signatures.
 You can still verify them. Key expiration doesn't make existing
 signatures invalid. [Indeed, gpgv doesn't even check for expired keys.]
 
 With apt ? I had to set allowunauthenticated = 1 in apt.conf, otherwise apt
 wouldn't install anything.

Hrm; it looks like apt has its own internal version of gpgv which
actually tests the time.

In theory, [allow-weak=yes] should work, but I haven't actually tested
this.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.