From: Junio C Hamano <gitster@pobox.com>
To: Jeff King <peff@peff.net>
Cc: git@vger.kernel.org
Subject: Re: expired key in junio-gpg-pub
Date: Tue, 07 Sep 2021 12:49:00 -0700 [thread overview]
Message-ID: <xmqqbl54b1zn.fsf@gitster.g> (raw)
In-Reply-To: <YTerpXCxYx+f+8ws@coredump.intra.peff.net> (Jeff King's message of "Tue, 7 Sep 2021 14:12:53 -0400")
Jeff King <peff@peff.net> writes:
> It looks like your signing key is expired, and tag verification fails:
>
> $ mkdir /tmp/foo
> $ export GNUPGHOME=/tmp/foo
> $ git cat-file blob junio-gpg-pub | gpg --import
> gpg: WARNING: unsafe permissions on homedir '/tmp/foo'
> gpg: keybox '/tmp/foo/pubring.kbx' created
> gpg: key 20D04E5A713660A7: 27 signatures not checked due to missing keys
> gpg: /tmp/foo/trustdb.gpg: trustdb created
> gpg: key 20D04E5A713660A7: public key "Junio C Hamano <gitster@pobox.com>" imported
> gpg: Total number processed: 1
> gpg: imported: 1
> gpg: no ultimately trusted keys found
>
> $ git tag -v v2.33.0
> object 225bc32a989d7a22fa6addafd4ce7dcd04675dbf
> type commit
> tag v2.33.0
> tagger Junio C Hamano <gitster@pobox.com> 1629141357 -0700
>
> Git 2.33
> gpg: WARNING: unsafe permissions on homedir '/tmp/foo'
> gpg: Signature made Mon Aug 16 15:15:57 2021 EDT
> gpg: using RSA key E1F036B1FEE7221FC778ECEFB0B5E88696AFE6CB
> gpg: Good signature from "Junio C Hamano <gitster@pobox.com>" [unknown]
> gpg: aka "Junio C Hamano <junio@pobox.com>" [unknown]
> gpg: aka "Junio C Hamano <jch@google.com>" [unknown]
> gpg: Note: This key has expired!
> Primary key fingerprint: 96E0 7AF2 5771 9559 80DA D100 20D0 4E5A 7136 60A7
> Subkey fingerprint: E1F0 36B1 FEE7 221F C778 ECEF B0B5 E886 96AF E6CB
>
> $ echo $?
> 1
>
> Have you extended the expiration on it? I wasn't able to find any
> updates on the keyservers I checked. But regardless, we should probably
> ship an updated one via the tag.
I am reasonably sure that I've done update with pgp.mit.edu when I
refreshed the expiration last time, but apparently I didn't update
the in-tree copy. I doubt that it is a good practice to ship the
public key used to sign things in the repository in the repository
itself, but if are not dropping the tag, I agree I should keep it up
to date.
Thanks.
next prev parent reply other threads:[~2021-09-07 19:49 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-07 18:12 expired key in junio-gpg-pub Jeff King
2021-09-07 18:20 ` Konstantin Ryabitsev
2021-09-07 19:22 ` Jeff King
2021-09-07 19:44 ` Ævar Arnfjörð Bjarmason
2021-09-07 19:49 ` Junio C Hamano [this message]
2021-09-07 20:30 ` Jeff King
2021-09-07 20:41 ` Konstantin Ryabitsev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqbl54b1zn.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.