Jeff King <peff@xxxxxxxx> writes:

> It looks like your signing key is expired, and tag verification fails:
>
>   $ mkdir /tmp/foo
>   $ export GNUPGHOME=/tmp/foo
>   $ git cat-file blob junio-gpg-pub | gpg --import
>   gpg: WARNING: unsafe permissions on homedir '/tmp/foo'
>   gpg: keybox '/tmp/foo/pubring.kbx' created
>   gpg: key 20D04E5A713660A7: 27 signatures not checked due to missing keys
>   gpg: /tmp/foo/trustdb.gpg: trustdb created
>   gpg: key 20D04E5A713660A7: public key "Junio C Hamano <gitster@xxxxxxxxx>" imported
>   gpg: Total number processed: 1
>   gpg: imported: 1
>   gpg: no ultimately trusted keys found
>
>   $ git tag -v v2.33.0
>   object 225bc32a989d7a22fa6addafd4ce7dcd04675dbf
>   type commit
>   tag v2.33.0
>   tagger Junio C Hamano <gitster@xxxxxxxxx> 1629141357 -0700
>
>   Git 2.33
>   gpg: WARNING: unsafe permissions on homedir '/tmp/foo'
>   gpg: Signature made Mon Aug 16 15:15:57 2021 EDT
>   gpg: using RSA key E1F036B1FEE7221FC778ECEFB0B5E88696AFE6CB
>   gpg: Good signature from "Junio C Hamano <gitster@xxxxxxxxx>" [unknown]
>   gpg: aka "Junio C Hamano <junio@xxxxxxxxx>" [unknown]
>   gpg: aka "Junio C Hamano <jch@xxxxxxxxxx>" [unknown]
>   gpg: Note: This key has expired!
>   Primary key fingerprint: 96E0 7AF2 5771 9559 80DA D100 20D0 4E5A 7136 60A7
>   Subkey fingerprint: E1F0 36B1 FEE7 221F C778 ECEF B0B5 E886 96AF E6CB
>
>   $ echo $?
>   1
>
> Have you extended the expiration on it? I wasn't able to find any
> updates on the keyservers I checked. But regardless, we should probably
> ship an updated one via the tag.

I am reasonably sure that I've done an update with pgp.mit.edu when I
refreshed the expiration last time, but apparently I didn't update
the in-tree copy.

I doubt that it is a good practice to ship the public key used to
sign things in the repository in the repository itself, but if we are
not dropping the tag, I agree I should keep it up to date.

Thanks.