Re: GPG verification in SPECs

On Fri, Oct 11, 2013 at 7:02 AM, Björn Persson
<bjorn@xxxxxxxxxxxxxxxxxxxx> wrote:
> Konstantin Ryabitsev wrote:
>>gpg --verify (and gpgv) will return 0 even if the key is revoked or
>>expired, so you can't really rely on exit code alone. The following is
>>the right approach:
>>
>>gpgv --homedir /tmp --keyring %{SOURCE2} --status-fd=1 %{SOURCE1}
>>%{SOURCE0} | grep -q '^\[GNUPG:\] GOODSIG'
>
> Will that check start to fail when the key expires? Do we want packages
> to start failing to build just because a certain date has passed?
>
> Or does the check fail only if the key had already expired when the
> signature was made?

Looks like gpg verify doesn't take that into consideration. E.g.,
here's a signature check for a tarball signed a year ago with a key
that expired 6 months later:

# gpgv --homedir=/tmp --keyring=/var/lib/kup/pgp/mcgrof.gpg --status-fd=1 /pub/pub/linux/kernel/projects/backports/2012/12/19/compat-drivers-2012-12-19-u.tar.sign compat-drivers-2012-12-19-u.tar
gpgv: Signature made Thu 20 Dec 2012 04:11:59 AM UTC using RSA key ID 0A286BA2
[GNUPG:] KEYEXPIRED 1375474838
[GNUPG:] SIGEXPIRED
[GNUPG:] KEYEXPIRED 1375474838
[GNUPG:] SIGEXPIRED
[GNUPG:] SIG_ID CnG8MpelL0KA+rXPtnnpr8hYBKQ 2012-12-20 1355976719
[GNUPG:] KEYEXPIRED 1375474838
[GNUPG:] SIGEXPIRED
[GNUPG:] EXPKEYSIG 05C1321D0A286BA2 Luis R. Rodriguez <mcgrof@xxxxxxxxxxxxxxxx>
gpgv: Good signature from "Luis R. Rodriguez <mcgrof@xxxxxxxxxxxxxxxx>"
gpgv:                 aka "Luis R. Rodriguez <mcgrof@xxxxxxxxx>"
gpgv:                 aka "Luis R. Rodriguez <mcgrof@xxxxxxxxxxxxx>"
gpgv:                 aka "Luis R. Rodriguez <mcgrof@xxxxxxxxxxxxxxxx>"
gpgv:                 aka "Luis R. Rodriguez <mcgrof@xxxxxxxxxxxxxxxxxx>"
gpgv:                 aka "[invalid image]"
[GNUPG:] VALIDSIG 11D2BF2E7B1F71AE7C3ED8D605C1321D0A286BA2 2012-12-20 1355976719 0 4 0 1 2 00 11D2BF2E7B1F71AE7C3ED8D605C1321D0A286BA2

Gpg doesn't mark it with "GOODSIG", even though the KEYEXPIRED timestamp
(Aug 2013) is much larger than the one in SIG_ID (Dec 2012) --
meaning that at the time of signing the key was valid. So, yes, if gpg
verify is used to check signatures, a package will start failing once
the key used to sign the package is expired. Which is not necessarily
a bad thing -- an FTBFS bug would be a perfectly fine way of notifying
someone that they need to review the pubkey used to verify their
packages.

(This, of course, can be worked around by checking for KEYEXPIRED and
then doing some basic math, but of course, that would dramatically
complicate the handy one-liner.)

Regards,
-- 
Konstantin Ryabitsev
LinuxFoundation.org
Montréal, Québec
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
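The "basic math" workaround mentioned in the reply, as an added example that is not part of the thread or of any Fedora spec: a small awk filter over the gpgv --status-fd lines that passes a GOODSIG, or an EXPKEYSIG whose VALIDSIG timestamp predates the KEYEXPIRED timestamp, and fails everything else. The sample status lines are constructed (placeholder key id and fingerprint); it assumes a POSIX sh and awk, and a single signature on the file.

```shell
# Constructed gpgv --status-fd output modelled on the listing above: the
# signature was made at 1355976719 (Dec 2012) and the key expired at
# 1375474838 (Aug 2013), so the key was still valid when it signed.
SAMPLE_GOOD_AT_SIGNING='[GNUPG:] KEYEXPIRED 1375474838
[GNUPG:] SIGEXPIRED
[GNUPG:] SIG_ID AAAAAAAAAAAAAAAAAAAAAAAAAAA 2012-12-20 1355976719
[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2012-12-20 1355976719 0 4 0 1 2 00 0000000000000000000000000000000000000000'

# Same signature, but with a key that had already expired a month earlier.
SAMPLE_EXPIRED_AT_SIGNING='[GNUPG:] KEYEXPIRED 1354000000
[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2012-12-20 1355976719 0 4 0 1 2 00 0000000000000000000000000000000000000000'

# check_status reads status lines on stdin. It exits 0 only for GOODSIG,
# or for EXPKEYSIG where the VALIDSIG signature timestamp (field 5) is
# earlier than the KEYEXPIRED timestamp. BADSIG, ERRSIG, REVKEYSIG or a
# missing VALIDSIG always fail, so a revoked key is never accepted.
check_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"    { good = 1 }
        $2 == "EXPKEYSIG"  { expkey = 1 }
        $2 == "KEYEXPIRED" { key_expired_at = $3 + 0 }
        $2 == "VALIDSIG"   { sig_made_at = $5 + 0 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END {
            if (bad || sig_made_at == 0) exit 1
            if (good) exit 0
            if (expkey && key_expired_at > 0 && sig_made_at < key_expired_at) exit 0
            exit 1
        }'
}

# verify_source has the shape of the one-liner from the thread, with the
# grep replaced by check_status. Arguments: keyring, detached signature, file.
verify_source() {
    gpgv --homedir /tmp --keyring "$1" --status-fd=1 "$2" "$3" | check_status
}
```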