Mailing List Archive

On Sat, Feb 03, 2024 at 11:35:20PM +0900, witchy via Gnupg-users wrote:
[...]
> I noticed that the npth signature data has expired.

Why is anyone signing software with expiring keys anyway? I have
ranted against the practice of PGP key expiry in general[1] but this
seems particularly harmful. GnuPG contributes to this problem by
generating expiring keys by default.

[1] https://articles.59.ca/doku.php?id=pgpfan:expire

Bruce

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

On 2024-02-03 17:31, Bruce Walzer wrote:
> On Sat, Feb 03, 2024 at 11:35:20PM +0900, witchy via Gnupg-users wrote:
> [...]
>> I noticed that the npth signature data has expired.
> Why is anyone signing software with expiring keys anyway? I have
> ranted against the practice of PGP key expiry in general[1] but this
> seems particularly harmful. GnuPG contributes to this problem by
> generating expiring keys by default.
>
> [1] https://articles.59.ca/doku.php?id=pgpfan:expire
>
>
Some software signing systems handle this by adding a trusted timestamp
signature telling signature checkers to check validity "as of" the
certified timestamp. This is particularly common for X.509 signature
systems where the certificates themselves expire every few years .
There is an RFC for how to do it and I have figured out how it is actually
done for proprietary Microsoft formats (its only a few deviations from
the RFCs implemented by gpgsm).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Hi Witchy,

Am Samstag 03 Februar 2024 15:35:20 schrieb witchy via Gnupg-users:
> I am trying to install npth which is needed to build gpg.
> I noticed that the npth signature data has expired.

that is okay, if you downloaded stuff from
https://www.gnupg.org/download/index.html
nPth 1.6 2018-07-16 293k download download

LANG=C gpg --verify npth-1.6.tar.bz2.sig
gpg: assuming signed data in 'npth-1.6.tar.bz2'
gpg: Signature made Mon Jul 16 09:37:23 2018 CEST
gpg: using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [expired]
gpg: Note: This key has expired!

That messsage shows that the signature is fine at the time it was made
in principle.

You can additionally check the pubkey:
LANG=C gpg -kv "D8692123C4065DEA5E0F3AB5249B39D24F25E3B6"
gpg: Note: signature key 249B39D24F25E3B6 expired Fri Dec 31 12:00:07 2021 CET
pub rsa2048/249B39D24F25E3B6 2011-01-12 [SC] [expired: 2021-12-31]
D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
uid [ expired] Werner Koch (dist sig)
sub rsa2048/F58A5868AC87C71A 2011-01-12 [A] [expired: 2019-12-31]

That should be good enough.

> Is it possible to have it signed again?

At least if a new release is done, that release would be freshly signed.
So far I haven't seen renewed signatures from GnuPG devs, which makes it
unlikely they sign the nPth release from 2018 again.

Regards,
Bernhard

--
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter

On Tue, 6 Feb 2024 17:51, Bernhard Reiter said:

> So far I haven't seen renewed signatures from GnuPG devs, which makes it
> unlikely they sign the nPth release from 2018 again.

Right, we will soon do a new release with some fixes for AIX and to
modernize tyhe build system.

In theory we could re-sign old stuff but for most packages the latest
releases are fresh enough.


Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein