Bug#433091: ignores expiry of archive keys
On Mon, Apr 06, 2009 at 02:12:26AM +0200, Peter Palfrader wrote:
> On Tue, 05 Aug 2008, Thijs Kinkhorst wrote:
>
> > On Tuesday 5 August 2008 20:24, martin f krafft wrote:
> > > Sure, we wouldn't want to endanger our release schedule for feature
> > > enhancements or Debian's reputation. ;|
> >
> > Or put differently, I'd rather spend our time on things that more
> > significantly improve the security of a Debian system, and to be frank I
> > think it's quite speculative that there's actual reputation risk here.
>
> So why the fuck do we ship apt keys with expiration dates anyway, if apt
> happily ignores them?
>
> When I create a key and add that to apt's trusted-keys with an
> expiration date of foo I fully expect it to not be trusted afterwards.
>
> But heck, I can even create new signatures made after the expiration
> date and apt will happily accept any and all Release files signed by
> that expired key.
>
> I was shocked when I realized this today, after reading this bug
> report I'm dumbfounded that you even consider this acceptable!
Sorry for this. I'm looking through the code now and it seems like
this is caused by a misinterpretation of the gpg documentation for the
GOODSIG vs VALIDSIG status messages (and is in the code since day 1 of
apt-secure :(
I'm working on a patch now and would appreciate help with the
testing/verification once it's ready.
Thanks,
Michael
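
Added example (not part of the original message, and not apt's code or the eventual patch): a verifier that reads gpg/gpgv `--status-fd` lines and shows why VALIDSIG alone cannot stand in for GOODSIG when a key has expired. It relies on GnuPG's documented behaviour that VALIDSIG is emitted alongside GOODSIG, EXPKEYSIG, EXPSIG and REVKEYSIG alike; the function names, the acceptance policy and the sample status lines are assumptions constructed for illustration.

```python
# Added example, not apt's code. Keywords are GnuPG --status-fd status names.
PREFIX = "[GNUPG:] "
WORTHLESS = {"EXPKEYSIG", "EXPSIG", "REVKEYSIG"}  # verifies, but key/sig expired or revoked
BAD = {"BADSIG", "ERRSIG"}                        # failed, or could not be checked

def classify(status_output):
    """Sort signer key IDs from status lines into good / worthless / bad."""
    result = {"good": [], "worthless": [], "bad": []}
    for line in status_output.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split()
        if len(fields) < 2:
            continue
        keyword, keyid = fields[0], fields[1]
        if keyword == "GOODSIG":
            result["good"].append(keyid)
        elif keyword in WORTHLESS:
            result["worthless"].append((keyword, keyid))
        elif keyword in BAD:
            result["bad"].append((keyword, keyid))
        # VALIDSIG is skipped on purpose: it accompanies GOODSIG *and* the
        # EXPKEYSIG/EXPSIG/REVKEYSIG cases, so it says nothing about key state.
    return result

def trusted(status_output):
    """Assumed policy: at least one GOODSIG signer and no bad signature."""
    r = classify(status_output)
    return bool(r["good"]) and not r["bad"]

def naive_trusted(status_output):
    """The misreading: treat any VALIDSIG line as 'signed by a trusted key'."""
    return any(ln.startswith(PREFIX + "VALIDSIG ") for ln in status_output.splitlines())

# Constructed sample output (placeholder key IDs and fingerprints).
FPR_A, FPR_B = "A" * 40, "B" * 40
EXPIRED_KEY = (
    f"[GNUPG:] EXPKEYSIG {FPR_A[-16:]} Example Archive Key <archive@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR_A} 2009-04-05 1238889600 0 4 0 1 2 00 {FPR_A}\n"
)
CURRENT_KEY = (
    f"[GNUPG:] GOODSIG {FPR_B[-16:]} Example Archive Key <archive@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR_B} 2009-04-05 1238889600 0 4 0 1 2 00 {FPR_B}\n"
)

if __name__ == "__main__":
    for name, out in (("expired key", EXPIRED_KEY), ("current key", CURRENT_KEY)):
        print(name, "naive:", naive_trusted(out), "strict:", trusted(out))
```

A regression test for a verifier of this kind should include a Release file signed by an expired key and assert that it is rejected.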