Hi Peter,

Sorry for not getting back to this earlier.

On Monday 6 April 2009, Peter Palfrader wrote:
> > m...@book:/% sudo gpg --keyring etc/apt/trusted.gpg --verify var/lib/apt/lists/localhost_debian_dists_sid_Release.gpg var/lib/apt/lists/localhost_debian_dists_sid_Release
> > gpg: WARNING: unsafe ownership on configuration file `/home/mrvn/.gnupg/gpg.conf'
> > gpg: Signature made Tue Sep 2 18:08:46 2008 CEST using RSA key ID F583D700
> > gpg: Good signature from "Tester (test key) <[email protected]>"
> > gpg: Note: This key has expired!
> > Primary key fingerprint: 317C B6A2 20E3 D9DF BE98 0264 1E34 EFC0 F583 D700
> > m...@book:/% echo $?
> > 0
> >
> > Note that gpg does not fail the signature just because it has expired,
> > even if the signature is made after the expiry date of the key. The
> > signature was made when the key was still valid so it gets accepted.
>
> I don't think that's correct.
>
> | wea...@intrepid:~/tmp/g$ gpgv --keyring ./pubring.gpg Release.gpg Release
> | gpgv: Signature made Mon Apr 6 01:42:33 2009 CEST using DSA key ID BD2B0EE0
> | gpgv: Good signature from "db.debian.org archive key 2008"
> | wea...@intrepid:~/tmp/g$ echo $?
> | 0
> |
> | wea...@intrepid:~/tmp/g$ gpg --status-fd=2 --verify Release.gpg Release
> | gpg: WARNING: unsafe permissions on homedir `.'
> | gpg: Signature made Mon Apr 6 01:42:33 2009 CEST using DSA key ID BD2B0EE0
> | [GNUPG:] KEYEXPIRED 1238972541
> | [GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
> | [GNUPG:] SIG_ID ku+8oeaPmKjRxDvpydIDp9yPiss 2009-04-05 1238974953
> | [GNUPG:] EXPKEYSIG BEA7CF10BD2B0EE0 db.debian.org archive key 2008
> | gpg: Good signature from "db.debian.org archive key 2008"
> | [GNUPG:] VALIDSIG 41A8A518BF62877513FE798FBEA7CF10BD2B0EE0 2009-04-05 1238974953 0 4 0 17 2 00 41A8A518BF62877513FE798FBEA7CF10BD2B0EE0
> | gpg: Note: This key has expired!
> | Primary key fingerprint: 41A8 A518 BF62 8775 13FE 798F BEA7 CF10 BD2B 0EE0
>
> No GOODSIG.
>
> So gpgv considers a signature valid that gpg doesn't. That in itself
> should be a grave bug.

Perhaps I misunderstood your mail, but in my experiment both gpgv and gpg
return the same result. The difference with your example above is that I
used --status-fd=2 for gpgv too, because that makes the output of both
comparable.

th...@escher:~/pgptest$ LANG=C gpgv --status-fd=2 --keyring ~/.gnupg/pubring.gpg WWCW_Spookslot_hoofdshow_huidig.mp3.asc WWCW_Spookslot_hoofdshow_huidig.mp3
gpgv: Signature made Mon Sep 1 12:06:50 2008 CEST using DSA key ID 87971F20
[GNUPG:] KEYEXPIRED 1220868029
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] KEYEXPIRED 1220868029
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID VpH33if9gHtp0otZjARb9/EZpfk 2008-09-01 1220263610
[GNUPG:] KEYEXPIRED 1220868029
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] EXPKEYSIG CF2B18B987971F20 Test Key (Do Not Use) <[email protected]>
gpgv: Good signature from "Test Key (Do Not Use) <[email protected]>"
[GNUPG:] VALIDSIG 74B4CC126021C2935D595999CF2B18B987971F20 2008-09-01 1220263610 0 4 0 17 2 00 74B4CC126021C2935D595999CF2B18B987971F20

th...@escher:~/pgptest$ LANG=C gpg --status-fd=2 --verify WWCW_Spookslot_hoofdshow_huidig.mp3.asc WWCW_Spookslot_hoofdshow_huidig.mp3
gpg: Signature made Mon Sep 1 12:06:50 2008 CEST using DSA key ID 87971F20
[GNUPG:] KEYEXPIRED 1220868029
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] KEYEXPIRED 1220868029
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID VpH33if9gHtp0otZjARb9/EZpfk 2008-09-01 1220263610
[GNUPG:] KEYEXPIRED 1220868029
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] EXPKEYSIG CF2B18B987971F20 Test Key (Do Not Use) <[email protected]>
gpg: Good signature from "Test Key (Do Not Use) <[email protected]>"
[GNUPG:] VALIDSIG 74B4CC126021C2935D595999CF2B18B987971F20 2008-09-01 1220263610 0 4 0 17 2 00 74B4CC126021C2935D595999CF2B18B987971F20
gpg: Note: This key has expired!
Primary key fingerprint: 74B4 CC12 6021 C293 5D59 5999 CF2B 18B9 8797 1F20

They both do not output a GOODSIG, so I'm inclined to think that this is the
expected behaviour: both do not think the signature is ok. If you disagree,
can you clarify what it is that gpgv should change?

thanks,
Thijs
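The exchange above turns on reading the machine-readable status lines rather than the exit code or the human-readable "Good signature" text: in both runs the process exits 0 and prints "Good signature", yet the status fd carries EXPKEYSIG and KEYEXPIRED instead of GOODSIG, and VALIDSIG is emitted either way. The following parser is an added example written for this page, not code from the bug report, from GnuPG or from apt. It reads `[GNUPG:] KEYWORD ...` lines from a captured status stream, accepts only GOODSIG, and reports why anything else was rejected. The EXPIRED_KEY_STATUS sample is the status output quoted in the message above; GOOD_KEY_STATUS is a constructed block with placeholder key id and fingerprint, included only to show the accepting path. The keyword set is the standard one from GnuPG's doc/DETAILS; the Verdict type, the function names and the sample values are assumptions of this example.

```python
"""Classify a GnuPG --status-fd stream: only GOODSIG counts as acceptable.

Added example, not code from the bug report, GnuPG or apt. The sample
EXPIRED_KEY_STATUS is the status output quoted in the thread; GOOD_KEY_STATUS
is constructed with placeholder identifiers.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Status lines look like "[GNUPG:] KEYWORD arg1 arg2 ..."; anything else on
# the same fd (e.g. "gpg: Good signature from ...") is human-readable noise.
STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")

# Keywords that announce the verification result for one signature.
# GOODSIG is the only one meaning "valid signature, key currently usable";
# EXPKEYSIG/REVKEYSIG/EXPSIG are cryptographically valid but not acceptable,
# BADSIG/ERRSIG are not valid at all.
RESULT_KEYWORDS = {"GOODSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG", "BADSIG", "ERRSIG"}


@dataclass
class Verdict:
    accepted: bool
    reason: str
    keyid: Optional[str] = None
    fingerprint: Optional[str] = None
    key_expired_at: Optional[int] = None  # Unix time from KEYEXPIRED, if any
    warnings: List[str] = field(default_factory=list)


def parse_status(text: str) -> Verdict:
    """Return a Verdict for the status-fd output of one verification run."""
    result_kw = keyid = fpr = None
    expired_at = None
    warnings: List[str] = []
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue  # ignore non-status lines
        kw, args = m.group(1), (m.group(2) or "")
        fields = args.split()
        if kw in RESULT_KEYWORDS:
            if result_kw is None:  # one signature -> first result keyword wins
                result_kw = kw
                keyid = fields[0] if fields else None
        elif kw == "VALIDSIG" and fields:
            # VALIDSIG is emitted for expired keys too, so it must never be
            # the deciding signal on its own; we only record the fingerprint.
            fpr = fields[0]
        elif kw == "KEYEXPIRED" and fields:
            expired_at = int(fields[0])
        elif kw == "SIGEXPIRED":
            warnings.append("SIGEXPIRED is deprecated; rely on KEYEXPIRED")
    if result_kw is None:
        return Verdict(False, "no signature result reported", keyid, fpr, expired_at, warnings)
    if result_kw == "GOODSIG":
        return Verdict(True, "GOODSIG", keyid, fpr, expired_at, warnings)
    return Verdict(False, f"{result_kw}: signature not accepted", keyid, fpr, expired_at, warnings)


# Status output quoted in the message above (expired test key).
EXPIRED_KEY_STATUS = """\
gpgv: Signature made Mon Sep 1 12:06:50 2008 CEST using DSA key ID 87971F20
[GNUPG:] KEYEXPIRED 1220868029
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID VpH33if9gHtp0otZjARb9/EZpfk 2008-09-01 1220263610
[GNUPG:] EXPKEYSIG CF2B18B987971F20 Test Key (Do Not Use)
gpgv: Good signature from "Test Key (Do Not Use)"
[GNUPG:] VALIDSIG 74B4CC126021C2935D595999CF2B18B987971F20 2008-09-01 1220263610 0 4 0 17 2 00 74B4CC126021C2935D595999CF2B18B987971F20
"""

# Constructed block for a key that is still valid (placeholder id/fingerprint).
GOOD_KEY_STATUS = """\
[GNUPG:] SIG_ID PLACEHOLDERSIGIDxxxxxxxxxxx 2009-04-06 1239000000
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2009-04-06 1239000000 0 4 0 17 2 00 00112233445566778899AABBCCDDEEFF01234567
"""

if __name__ == "__main__":
    for name, sample in (("expired key", EXPIRED_KEY_STATUS), ("valid key", GOOD_KEY_STATUS)):
        v = parse_status(sample)
        print(f"{name}: accepted={v.accepted} reason={v.reason} keyid={v.keyid} expired_at={v.key_expired_at}")
```

Run on the thread's own status lines this rejects the signature with "EXPKEYSIG: signature not accepted" and records the expiry time 1220868029, while the constructed GOODSIG block is accepted; a caller that only checked the exit status or grepped for "Good signature" would have treated both the same.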