Re: [PATCH v1] gpg-interface: Signatures by expired keys are fine

["Neal H. Walfield" <neal@walfield.org>]

Hi,

I think this change is an improvement over the status quo.  In my
opinion, a signature should be accepted if it was made when the
certificate sas not expired.  If the signature was made after the
certificate expired it should be rejected.  That is:

  t_s1: signature 1
  t_e: certificate expires
  t_s2: signature 2

  where: t_s1 < t_e < t_s2

signature 1 should be accepted as t_s1 < t_e.

signature 2 should be rejected as t_s2 > t_e.

As GnuPG's interface does not provide enough information to make this
distinction, this change is better.

:) Neal

On Wed, 04 Feb 2026 16:23:06 +0100,
Uwe Kleine-König wrote:
> 
> If a signature is done with a valid key and that key later expires, the
> signature should still be considered good.
> 
> GnuPG exmits in this case something like:
> 
> 	[GNUPG:] NEWSIG
> 	gpg: Signature made Wed 26 Nov 2014 05:56:50 AM CET
> 	gpg:                using RSA key FE3958F9067BC667
> 	[GNUPG:] KEYEXPIRED 1478449622
> 	[GNUPG:] KEY_CONSIDERED D783920D6D4F0C06AA4C25F3FE3958F9067BC667 0
> 	[GNUPG:] KEYEXPIRED 1478449622
> 	[GNUPG:] SIG_ID 8tAN3Fx6XB2NAoH5U8neoguQ9MI 2014-11-26 1416977810
> 	[GNUPG:] EXPKEYSIG FE3958F9067BC667 Jason Cooper <jason@lakedaemon.net>
> 	gpg: Good signature from "Jason Cooper <jason@lakedaemon.net>" [expired]
> 	[GNUPG:] VALIDSIG D783920D6D4F0C06AA4C25F3FE3958F9067BC667 2014-11-26 1416977810 0 4 0 1 2 00 D783920D6D4F0C06AA4C25F3FE3958F9067BC667
> 	gpg: Note: This key has expired!
> 	      D783920D6D4F0C06AA4C25F3FE3958F9067BC667
> 
> (signature and signed data in this example is taken from Linux commit
> 756f80cee766574ae282baa97fdcf9cc). So GnuPG is relaxed and the fact that
> the key is expired is only worth a "Note" which is weaker than e.g.
> 
> 	gpg: WARNING: The key's User ID is not certified with a trusted signature!
> 	gpg:          There is no indication that the signature belongs to the owner.
> 
> which git still considers ok.
> 
> So stop coloring the signature by an expired key red and handle it like
> any other good signature.
> 
> Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
> ---
> Hello,
> 
> the motivation for this patch originates from a mail correspondence with Linus Torvalds,
> see
> https://lore.kernel.org/ksummit/CAHC9VhRwMpSCphW_FsHojX1r12D5MOMUBm6MAzpGYD_FDjEVtA@mail.gmail.com/T/#m6cc3cc4b599658cab6012326993a1261fd641046
> for the details.
> 
> Best regards
> Uwe
> 
>  gpg-interface.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/gpg-interface.c b/gpg-interface.c
> index 47222bf31b6e..6635c6c8e16f 100644
> --- a/gpg-interface.c
> +++ b/gpg-interface.c
> @@ -382,7 +382,7 @@ static int verify_gpg_signed_buffer(struct signature_check *sigc,
>  
>  	delete_tempfile(&temp);
>  
> -	ret |= !strstr(gpg_stdout.buf, "\n[GNUPG:] GOODSIG ");
> +	ret |= !strstr(gpg_stdout.buf, "\n[GNUPG:] GOODSIG ") && !strstr(gpg_stdout.buf, "\n[GNUPG:] EXPKEYSIG ");
>  	sigc->output = strbuf_detach(&gpg_stderr, NULL);
>  	sigc->gpg_status = strbuf_detach(&gpg_stdout, NULL);
>  
> @@ -680,7 +680,7 @@ int check_signature(struct signature_check *sigc,
>  	if (status && !sigc->output)
>  		return !!status;
>  
> -	status |= sigc->result != 'G';
> +	status |= sigc->result != 'G' && sigc->result != 'Y';
>  	status |= sigc->trust_level < configured_min_trust_level;
>  
>  	return !!status;
> 
> base-commit: b2826b52eb7caff9f4ed6e85ec45e338bf02ad09
> -- 
> 2.47.3
> 
>