Follow-up Comment #2, task #15140 (project administration):

The report was "wget-1.20.1.tar.gz signed with expired key" and had the following message:

I was rather surprised to see that the key used to sign a release on December 26 expired on July 12. Is it legit?

    $ curl https://ftp.gnu.org/gnu/gnu-keyring.gpg | gpg --import
    ...
    $ gpg --verify wget-1.20.1.tar.gz.sig
    gpg: WARNING: using insecure memory!
    gpg: please see http://www.gnupg.org/faq.html for more information
    gpg: Signature made December 26, 2018 at 08:12:51 PM UTC using RSA key ID A2670428
    gpg: Good signature from "Tim Rühsen <[email protected]>"
    gpg: Note: This key has expired!
    Primary key fingerprint: 1CB2 7DBC 9861 4B2D 5841 646D 0830 2DB6 A267 0428
    $ gpg --list-key A2670428
    gpg: WARNING: using insecure memory!
    gpg: please see http://www.gnupg.org/faq.html for more information
    pub 4096R/A2670428 2014-06-26 [expired: 2018-06-12]
    uid Tim Rühsen <[email protected]>

So my key wasn't expired since 2016 but since 2018-06-12.

A possible quick solution would be to have a crontab daily/weekly checking for soon-to-expire keys and to inform those people via an automated email (including steps on how to update expiration date and how to upload to key servers and how to update to Savannah).

Then a second crontab could check all GPG keys on a public key server. And download those keys whose expiration date has been changed (e.g. it could be that someone changed the expiration date from 'never' to a concrete future date).

_______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/task/?15140>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
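
The first cron check proposed in the comment above could look like the following sketch. It is an added example, not part of the original message or of Savannah's code. It reads GnuPG's colon-format key listing and reports primary keys that have expired or will expire within a given window. The function names, the 30-day default and the sample listing (key IDs, dates, addresses) are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not Savannah's code): find expired / soon-to-expire keys.
# Real input would come from something like:
#   gpg --no-default-keyring --keyring ./gnu-keyring.gpg \
#       --with-colons --fixed-list-mode --list-keys | expiring_keys
# (--fixed-list-mode makes GnuPG 1.x print dates as epoch seconds too).

# expiring_keys [NOW_EPOCH] [WINDOW_DAYS]  -- colon listing on stdin.
# Prints: KEYID STATUS EXPIRY_EPOCH FIRST_UID
expiring_keys() {
    now=${1:-$(date +%s)}
    days=${2:-30}
    awk -F: -v now="$now" -v days="$days" '
        $1 == "pub" {
            pending = ""
            # Field 7 is the expiry date; empty means "never expires".
            # Skip anything that is not plain epoch seconds.
            if ($7 !~ /^[0-9]+$/) next
            if ($7 > now + days * 86400) next        # outside the window
            pending = $5 " " ($7 <= now ? "expired" : "expiring") " " $7
            next
        }
        # Field 10 of the first uid record carries name and mail address,
        # which is what a notification job would need.
        $1 == "uid" && pending != "" {
            print pending " " $10
            pending = ""
        }
    '
}

# Constructed sample listing: one expired key, one expiring soon,
# one without expiry date, one expiring far in the future.
sample_listing() {
    cat <<'EOF'
pub:e:4096:1:AAAAAAAAAAAAAAA1:1403740800:1528761600::-:::sc:
uid:e::::1403740800::0000::Constructed Expired <expired@example.org>:
pub:-:4096:1:BBBBBBBBBBBBBBB2:1500000000:1547078400::-:::scESC:
uid:-::::1500000000::0000::Constructed Soon <soon@example.org>:
pub:-:4096:1:CCCCCCCCCCCCCCC3:1500000000:::-:::scESC:
uid:-::::1500000000::0000::Constructed Never <never@example.org>:
pub:-:4096:1:DDDDDDDDDDDDDDD4:1500000000:1700000000::-:::scESC:
uid:-::::1500000000::0000::Constructed Later <later@example.org>:
EOF
}

# Demo with a fixed, constructed "now" (2018-12-26 00:00 UTC).
sample_listing | expiring_keys 1545782400 30
```

Keys with no expiry date are skipped here; catching a change from 'never' to a concrete date is the job of the second, keyserver-refresh check the comment describes.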
