https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #128 from Simone Caronni <negativo17@xxxxxxxxx> --- (In reply to Björn Persson from comment #127) > The signature verification in the spec also does not check whether keys have > been revoked. If it did, it would help the packager catch mistakes, but > that's all it would do. The only way that a revocation certificate could get > into the package would be if the packager would add it while updating the > package. > > | gpgv assumes that all keys in the keyring are trustworthy. That does also > | mean that it does not check for expired or revoked keys. Isn't this the correct behaviour? Keys might have been revoked and expired and still being left on the key servers. We pick all those up, regardless of their expired/revoked status and use them to validate the signed release. They were valid at the moment of the signature, so we should check them. I could extend the script to print which ones are expired/revoked, but this does not change the fact that I would need to use them to check the signature. > Thus, if one of the keys that signed the release has expired or been > revoked, bitcoin-gpg.sh will still add that key to the package, so the > packager must discover and remove it manually. With a new release (let's say 0.23) everything gets reset and we just check again the entire set of keys used for signing. Expired keys will of course not be in this list, as they will not be use for signing. So there is nothing for the packager to discover. This is what I meant with the packager adapting for the release. Practical example - New release - Lots of keys sign the release - Keys might be revoked and still be on the keyservers - Keys might be expired and still be on the keyservers - Keys might not be on the keyservers (revoked, expired, or simply removed) - New package - All keys are attempted to be downloaded from keyserver - All keys downloaded are used to verify the signature, regardless of their state - List of keys is regenarated, so old keys no longer used (which includes expired and revoked) are removed - No need for the packager to check which ones are expired/removed Why would it be beneficial to know which ones are expired/revoked? I can make the script print it if you prefer, but it would just be a cosmetic thing and not actually used for checking anything. I think this answer your concern. Does it make sense? -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=1834731 _______________________________________________ package-review mailing list -- package-review@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to package-review-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
