Re: Check your signing key expiration dates!

Nate Bargmann [2019-07-07T12:03:35-05] wrote:

> Within the past day I have received two mails via the debian-announce
> list (I recently subscribed), and have seen some on this list where I
> am seeing the output from gpgme in neomutt that the signing key
> expired some time ago. Not expired within the past days but months or
> almost a couple of years ago. As I have my signing key set not to
> expire, I'm not sure if gnupg is issuing a warning about an expired
> key to those senders.

You need to update your copy of the keys. Those developers have very
likely updated the expiration day and moved it again to some point in
the future. Debian developers' keys can be updated with the WKD protocol
using their debian.org email address:

    gpg --auto-key-locate clear,nodefault,wkd --locate-key dev@debian.org

It's a good idea to have an expiration date in PGP keys. If the owner loses
his key (or the owner dies!) and can't revoke the key or can't send the
revocation certificate everywhere then at least the expiry date takes
care of invalidating the key.

The expiration date is also a hint for other people that they may need to
update the key.

///  OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
//  https://keys.openpgp.org/search?q=tlikonen@iki.fi
/  https://keybase.io/tlikonen  https://github.com/tlikonen
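
An added example, not part of the original message: a shell sketch that finds expired primary keys in a local keyring listing and prints, for each, the WKD lookup command quoted in the reply above. It assumes GnuPG 2.x colon-format output with expiration times in epoch seconds; the function names, the sample listing, its fingerprints and addresses are all constructed for illustration.

```shell
#!/bin/sh
# Added example: report expired primary keys from `gpg --list-keys --with-colons`.
# Colon-format fields used: 1 = record type, 7 = expiration time (epoch seconds,
# empty = no expiry), 10 = fingerprint on "fpr" records, user ID on "uid" records.

# expired_keys NOW: read a listing on stdin, print "FINGERPRINT EMAIL" per expired key.
expired_keys() {
    awk -F: -v now="$1" '
        function emit() {
            if (fpr != "" && expiry != "" && expiry + 0 < now + 0)
                print fpr, (mail != "" ? mail : "-")
            fpr = ""; expiry = ""; mail = ""
        }
        $1 == "pub" { emit(); expiry = $7; want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" { if (want) fpr = $10; want = 0; next }
        # User IDs are free text chosen by the key owner: accept only a
        # conservative address charset before it ends up in a command line.
        $1 == "uid" && mail == "" && match($10, /<[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+>/) {
            mail = substr($10, RSTART + 1, RLENGTH - 2)
        }
        END { emit() }
    '
}

# refresh_commands NOW: print (not run) the WKD lookup for each expired key.
refresh_commands() {
    expired_keys "$1" | while read -r _fpr mail; do
        if [ "$mail" != "-" ]; then
            printf 'gpg --auto-key-locate clear,nodefault,wkd --locate-key %s\n' "$mail"
        fi
    done
}

# Constructed sample listing: one expired key, one without expiry, one still valid.
sample_listing() {
    cat <<'EOF'
pub:e:4096:1:AAAAAAAAAAAAAAAA:1400000000:1500000000::-:::sc::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:e::::1400000000::HASH::Alice Example <alice@example.org>::::::::::0:
sub:e:4096:1:BBBBBBBBBBBBBBBB:1400000000:1500000000:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000002:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1400000000:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000003:
uid:-::::1400000000::HASH::Bob Example <bob@example.org>::::::::::0:
pub:f:4096:1:DDDDDDDDDDDDDDDD:1400000000:1900000000::-:::sc::::::23::0:
fpr:::::::::0000000000000000000000000000000000000004:
uid:f::::1400000000::HASH::Carol Example <carol@example.org>::::::::::0:
EOF
}

sample_listing | refresh_commands 1562500000   # "now" fixed to July 2019 for the sample
```

Against a real keyring, the input would be `gpg --list-keys --with-colons` and the argument `"$(date +%s)"`.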


