Hi,
I just cloned and reassigned your bug about apt-get ignoring expired
keys. apt-get forks gpgv to do the actual verification and that gives
no indication of any expirey. So apt-get has no chance to detect and
warn about such an event.
[EMAIL PROTECTED]:% sudo gpgv --keyring etc/apt/trusted.gpg
var/lib/apt/lists/localhost_debian_dists_sid_Release.gpg
var/lib/apt/lists/localhost_debian_dists_sid_Release
gpgv: Signature made Tue Sep 2 18:08:46 2008 CEST using RSA key ID
F583D700
gpgv: Good signature from "Tester (test key) <[EMAIL PROTECTED]>"
[EMAIL PROTECTED]:/% sudo gpg --keyring etc/apt/trusted.gpg --verify
var/lib/apt/lists/localhost_debian_dists_sid_Release.gpg
var/lib/apt/lists/localhost_debian_dists_sid_Release
gpg: WARNING: unsafe ownership on configuration file
`/home/mrvn/.gnupg/gpg.conf'
gpg: Signature made Tue Sep 2 18:08:46 2008 CEST using RSA key ID
F583D700
gpg: Good signature from "Tester (test key) <[EMAIL PROTECTED]>"
gpg: Note: This key has expired!
Primary key fingerprint: 317C B6A2 20E3 D9DF BE98 0264 1E34 EFC0 F583
D700
[EMAIL PROTECTED]:/% echo $?
0
Note that gpg does not fail the signature just because it has expired,
even if the signature is made after the expirey date of the key. The
signature was made when the key was still valid s it gets accepted.
MfG
Goswin
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
