On Fri, Oct 11, 2013 at 7:02 AM, Björn Persson <bjorn@xxxxxxxxxxxxxxxxxxxx> wrote:
> Konstantin Ryabitsev wrote:
>>gpg --verify (and gpgv) will return 0 even if the key is revoked or
>>expired, so you can't really rely on exit code alone. The following is
>>the right approach:
>>
>>gpgv --homedir /tmp --keyring %{SOURCE2} --status-fd=1 %{SOURCE1} %{SOURCE0} | grep -q '^\[GNUPG:\] GOODSIG'
>
> Will that check start to fail when the key expires? Do we want packages
> to start failing to build just because a certain date has passed?
>
> Or does the check fail only if the key had already expired when the
> signature was made?

Looks like gpg verify doesn't take that into consideration. E.g., here's a
signature check for a tarball signed a year ago with a key that expired 6
months later:

# gpgv --homedir=/tmp --keyring=/var/lib/kup/pgp/mcgrof.gpg --status-fd=1 /pub/pub/linux/kernel/projects/backports/2012/12/19/compat-drivers-2012-12-19-u.tar.sign compat-drivers-2012-12-19-u.tar
gpgv: Signature made Thu 20 Dec 2012 04:11:59 AM UTC using RSA key ID 0A286BA2
[GNUPG:] KEYEXPIRED 1375474838
[GNUPG:] SIGEXPIRED
[GNUPG:] KEYEXPIRED 1375474838
[GNUPG:] SIGEXPIRED
[GNUPG:] SIG_ID CnG8MpelL0KA+rXPtnnpr8hYBKQ 2012-12-20 1355976719
[GNUPG:] KEYEXPIRED 1375474838
[GNUPG:] SIGEXPIRED
[GNUPG:] EXPKEYSIG 05C1321D0A286BA2 Luis R. Rodriguez <mcgrof@xxxxxxxxxxxxxxxx>
gpgv: Good signature from "Luis R. Rodriguez <mcgrof@xxxxxxxxxxxxxxxx>"
gpgv:                 aka "Luis R. Rodriguez <mcgrof@xxxxxxxxx>"
gpgv:                 aka "Luis R. Rodriguez <mcgrof@xxxxxxxxxxxxx>"
gpgv:                 aka "Luis R. Rodriguez <mcgrof@xxxxxxxxxxxxxxxx>"
gpgv:                 aka "Luis R. Rodriguez <mcgrof@xxxxxxxxxxxxxxxxxx>"
gpgv:                 aka "[invalid image]"
[GNUPG:] VALIDSIG 11D2BF2E7B1F71AE7C3ED8D605C1321D0A286BA2 2012-12-20 1355976719 0 4 0 1 2 00 11D2BF2E7B1F71AE7C3ED8D605C1321D0A286BA2

Gpg doesn't mark it with "GOODSIG", even though the KEYEXPIRED timestamp
(Aug 2013) is much larger than the one in SIG_ID (Dec 2012) -- meaning that
at the time of signing the key was valid.

So, yes, if gpg verify is used to check signatures, a package will start
failing once the key used to sign the package is expired. Which is not
necessarily a bad thing -- an FTBFS bug would be a perfectly fine way of
notifying someone that they need to review the pubkey used to verify their
packages. (This, of course, can be worked around by checking for KEYEXPIRED
and then doing some basic math, but of course, that would dramatically
complicate the handy one-liner.)

Regards,
--
Konstantin Ryabitsev
LinuxFoundation.org
Montréal, Québec

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
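The "checking for KEYEXPIRED and then doing some basic math" workaround Konstantin mentions, written out as an added example; this is not code from the thread, from kup, or from any Fedora packaging guideline, and the function and variable names are my own. The function reads the machine-readable lines that gpgv emits on --status-fd and accepts GOODSIG outright, accepts EXPKEYSIG only when the signature creation timestamp carried in VALIDSIG is earlier than the key expiry timestamp carried in KEYEXPIRED, and rejects BADSIG, ERRSIG, NO_PUBKEY and REVKEYSIG regardless. The first sample is the status output from the gpgv run above (user ID trimmed); the other samples are constructed to exercise the remaining branches.

```shell
#!/bin/sh
# Added example (not from the thread): classify gpgv --status-fd output.
# Exit status 0 means "accept the signature", 1 means "reject".
# Typical use in a spec file, replacing the grep one-liner:
#   gpgv --homedir /tmp --keyring %{SOURCE2} --status-fd=1 %{SOURCE1} %{SOURCE0} | verdict_from_status
verdict_from_status() {
    awk '
        $1 != "[GNUPG:]" { next }                # skip the human-readable "gpgv:" lines
        $2 == "GOODSIG"    { good = 1 }          # key valid at verification time
        $2 == "EXPKEYSIG"  { expkey = 1 }        # good signature, but key has since expired
        $2 == "KEYEXPIRED" { keyexp = $3 + 0 }   # key expiry, seconds since the epoch
        $2 == "VALIDSIG"   { sigts = $5 + 0 }    # signature creation, seconds since the epoch
                                                 # (fields: fpr, date, timestamp, ...)
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" || $2 == "REVKEYSIG" { bad = 1 }
        END {
            if (bad) exit 1
            if (good) exit 0
            # the "basic math": accept an expired key only if it was still
            # valid at the moment the signature claims to have been made
            if (expkey && sigts > 0 && keyexp > 0 && sigts < keyexp) exit 0
            exit 1
        }
    '
}

# Sample 1: the status lines from the gpgv run in the thread above
# (key expired 2013-08-02 UTC, signature made 2012-12-20 UTC) -> accept.
STATUS_SIGNED_BEFORE_EXPIRY='[GNUPG:] KEYEXPIRED 1375474838
[GNUPG:] SIGEXPIRED
[GNUPG:] SIG_ID CnG8MpelL0KA+rXPtnnpr8hYBKQ 2012-12-20 1355976719
[GNUPG:] EXPKEYSIG 05C1321D0A286BA2 Luis R. Rodriguez
[GNUPG:] VALIDSIG 11D2BF2E7B1F71AE7C3ED8D605C1321D0A286BA2 2012-12-20 1355976719 0 4 0 1 2 00 11D2BF2E7B1F71AE7C3ED8D605C1321D0A286BA2'

# Sample 2 (constructed): same signature, but the key expiry predates it -> reject.
STATUS_SIGNED_AFTER_EXPIRY='[GNUPG:] KEYEXPIRED 1350000000
[GNUPG:] SIGEXPIRED
[GNUPG:] EXPKEYSIG 05C1321D0A286BA2 Luis R. Rodriguez
[GNUPG:] VALIDSIG 11D2BF2E7B1F71AE7C3ED8D605C1321D0A286BA2 2012-12-20 1355976719 0 4 0 1 2 00 11D2BF2E7B1F71AE7C3ED8D605C1321D0A286BA2'

# Sample 3 (constructed): unexpired key, the case the original grep handles -> accept.
STATUS_GOODSIG='gpgv: Good signature from "Example Signer"
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2013-10-11 1381478400 0 4 0 1 2 00 0000000000000000000000000123456789ABCDEF'

# Sample 4 (constructed): tampered file -> reject.
STATUS_BADSIG='[GNUPG:] BADSIG 0123456789ABCDEF Example Signer'

# Print a verdict for one sample; $1 is a label, stdin is the status output.
report() {
    if verdict_from_status; then echo "$1: accept"; else echo "$1: reject"; fi
}

printf '%s\n' "$STATUS_SIGNED_BEFORE_EXPIRY" | report "signed before key expiry"
printf '%s\n' "$STATUS_SIGNED_AFTER_EXPIRY"  | report "signed after key expiry"
printf '%s\n' "$STATUS_GOODSIG"              | report "current key"
printf '%s\n' "$STATUS_BADSIG"               | report "bad signature"
```

Two caveats a packager should keep in mind before adopting this in place of the FTBFS-as-notification approach. The creation timestamp in VALIDSIG is asserted by the signer, so a signature made with a compromised key after its expiry can be backdated to pass the comparison; the check only proves consistency between two values the key holder controls, not that the key was uncompromised when it signed. And the function still rejects REVKEYSIG outright, which is the right default: a revocation, unlike an expiry, is a statement that the key should not be trusted.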