https://bugzilla.redhat.com/show_bug.cgi?id=1834731

--- Comment #127 from Björn Persson <bjorn@xxxxxxxxxxxxxxxxxxxx> ---

(In reply to Simone Caronni from comment #120)
> (In reply to Björn Persson from comment #117)
> > bitcoin-gpg.sh will include a revoked or expired key if it signs a release.
> > Such keys must be weeded out.
>
> They can be removed only by running it at a specific time. Might be that
> keys are valid today and not valid in a few days. So up to the packager to
> execute when at least bumping release.

Either you misunderstood me, or I'm misunderstanding you.

The signature verification in the spec does not check whether keys have expired. That is as it should be, because we don't want expiring keys to act as time bombs and cause rebuilds to fail some time after a package has been released.

The signature verification in the spec also does not check whether keys have been revoked. If it did, it would help the packager catch mistakes, but that's all it would do. The only way that a revocation certificate could get into the package would be if the packager would add it while updating the package.

Since the spec doesn't check, it's the packager's responsibility to remove expired and revoked keys. Obviously this will only happen when the packager updates the package. It would be helpful if bitcoin-gpg.sh would help with this. Currently it does not, so each key must be checked manually using gpg2 --list-keys.

The current version of bitcoin-gpg.sh uses gpgv2 to check whether each key signed the current release. It does not check whether the keys are expired or revoked. Not unless the gpgv2 manpage lies when it says:

| gpgv assumes that all keys in the keyring are trustworthy. That does also
| mean that it does not check for expired or revoked keys.

Thus, if one of the keys that signed the release has expired or been revoked, bitcoin-gpg.sh will still add that key to the package, so the packager must discover and remove it manually.
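The manual check described above can be scripted. The following is an added example, not code from bitcoin-gpg.sh or the Fedora spec: it reads the machine-readable output of gpg2 --with-colons --list-keys and flags the expired or revoked keys that gpgv silently accepts. The keyring path and the sample key records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of bitcoin-gpg.sh): flag expired or revoked keys in
# `gpg2 --with-colons --list-keys` output, the check gpgv itself does not do.
# Reads colon records on stdin, prints "expired <fpr>" or "revoked <fpr>" per
# bad key and returns 1 if any was found. In a "pub" record field 2 is the
# validity ('e' expired, 'r' revoked); the "fpr" record that follows carries
# the full fingerprint in field 10.
flag_bad_keys() {
    awk -F: '
        $1 == "pub" { bad = ""; if ($2 == "e") bad = "expired"; else if ($2 == "r") bad = "revoked" }
        $1 == "sub" { bad = "" }   # do not report subkey fingerprints
        $1 == "fpr" && bad != "" { print bad, $10; found = 1; bad = "" }
        END { if (found) exit 1 }
    '
}

# Constructed sample colon output: one valid key (with a subkey), one expired
# key and one revoked key. Fingerprints and key IDs are made up.
SAMPLE_KEYS='pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
fpr:::::::::AAAA0123456789ABCDEF0123456789ABCDEF0123:
uid:u::::1500000000::0000::Example Maintainer <maintainer@example.invalid>::::::::::0:
sub:u:4096:1:1111111111111111:1500000000::::::e::::::23:
fpr:::::::::DDDD1111111111111111111111111111111111111:
pub:e:4096:1:FEDCBA9876543210:1400000000:1500000000::-:::scESC::::::23::0:
fpr:::::::::BBBBFEDCBA9876543210FEDCBA9876543210FEDC:
uid:e::::1400000000::0000::Expired Key <expired@example.invalid>::::::::::0:
pub:r:4096:1:0011223344556677:1450000000:::-:::scESC::::::23::0:
fpr:::::::::CCCC0011223344556677001122334455667700112:
uid:r::::1450000000::0000::Revoked Key <revoked@example.invalid>::::::::::0:'

# Runs the check on the constructed sample, so the script works without gpg.
check_sample() {
    printf '%s\n' "$SAMPLE_KEYS" | flag_bad_keys
}

# Real use against a keyring a packager is about to ship (path is an example):
#   gpg2 --no-default-keyring --keyring ./keys.gpg --with-colons --list-keys | flag_bad_keys
```

A non-zero exit from flag_bad_keys tells the packager which fingerprints to remove before bumping the release; gpgv would have accepted all of them.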