* [PATCH v1] gpg-interface: Signatures by expired keys are fine @ 2026-02-04 15:23 Uwe Kleine-König 2026-02-04 15:35 ` Neal H. Walfield 2026-02-04 17:26 ` Junio C Hamano 0 siblings, 2 replies; 6+ messages in thread From: Uwe Kleine-König @ 2026-02-04 15:23 UTC (permalink / raw) To: git; +Cc: Linus Torvalds, Neal H. Walfield If a signature is done with a valid key and that key later expires, the signature should still be considered good. GnuPG exmits in this case something like: [GNUPG:] NEWSIG gpg: Signature made Wed 26 Nov 2014 05:56:50 AM CET gpg: using RSA key FE3958F9067BC667 [GNUPG:] KEYEXPIRED 1478449622 [GNUPG:] KEY_CONSIDERED D783920D6D4F0C06AA4C25F3FE3958F9067BC667 0 [GNUPG:] KEYEXPIRED 1478449622 [GNUPG:] SIG_ID 8tAN3Fx6XB2NAoH5U8neoguQ9MI 2014-11-26 1416977810 [GNUPG:] EXPKEYSIG FE3958F9067BC667 Jason Cooper <jason@lakedaemon.net> gpg: Good signature from "Jason Cooper <jason@lakedaemon.net>" [expired] [GNUPG:] VALIDSIG D783920D6D4F0C06AA4C25F3FE3958F9067BC667 2014-11-26 1416977810 0 4 0 1 2 00 D783920D6D4F0C06AA4C25F3FE3958F9067BC667 gpg: Note: This key has expired! D783920D6D4F0C06AA4C25F3FE3958F9067BC667 (signature and signed data in this example is taken from Linux commit 756f80cee766574ae282baa97fdcf9cc). So GnuPG is relaxed and the fact that the key is expired is only worth a "Note" which is weaker than e.g. gpg: WARNING: The key's User ID is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. which git still considers ok. So stop coloring the signature by an expired key red and handle it like any other good signature. Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org> --- Hello, the motivation for this patch originates from a mail correspondence with Linus Torvalds, see https://lore.kernel.org/ksummit/CAHC9VhRwMpSCphW_FsHojX1r12D5MOMUBm6MAzpGYD_FDjEVtA@mail.gmail.com/T/#m6cc3cc4b599658cab6012326993a1261fd641046 for the details. Best regards Uwe gpg-interface.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gpg-interface.c b/gpg-interface.c index 47222bf31b6e..6635c6c8e16f 100644 --- a/gpg-interface.c +++ b/gpg-interface.c @@ -382,7 +382,7 @@ static int verify_gpg_signed_buffer(struct signature_check *sigc, delete_tempfile(&temp); - ret |= !strstr(gpg_stdout.buf, "\n[GNUPG:] GOODSIG "); + ret |= !strstr(gpg_stdout.buf, "\n[GNUPG:] GOODSIG ") && !strstr(gpg_stdout.buf, "\n[GNUPG:] EXPKEYSIG "); sigc->output = strbuf_detach(&gpg_stderr, NULL); sigc->gpg_status = strbuf_detach(&gpg_stdout, NULL); @@ -680,7 +680,7 @@ int check_signature(struct signature_check *sigc, if (status && !sigc->output) return !!status; - status |= sigc->result != 'G'; + status |= sigc->result != 'G' && sigc->result != 'Y'; status |= sigc->trust_level < configured_min_trust_level; return !!status; base-commit: b2826b52eb7caff9f4ed6e85ec45e338bf02ad09 -- 2.47.3 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v1] gpg-interface: Signatures by expired keys are fine 2026-02-04 15:23 [PATCH v1] gpg-interface: Signatures by expired keys are fine Uwe Kleine-König @ 2026-02-04 15:35 ` Neal H. Walfield 2026-02-04 17:26 ` Junio C Hamano 1 sibling, 0 replies; 6+ messages in thread From: Neal H. Walfield @ 2026-02-04 15:35 UTC (permalink / raw) To: Uwe Kleine-König; +Cc: git, Linus Torvalds Hi, I think this change is an improvement over the status quo. In my opinion, a signature should be accepted if it was made when the certificate sas not expired. If the signature was made after the certificate expired it should be rejected. That is: t_s1: signature 1 t_e: certificate expires t_s2: signature 2 where: t_s1 < t_e < t_s2 signature 1 should be accepted as t_s1 < t_e. signature 2 should be rejected as t_s2 > t_e. As GnuPG's interface does not provide enough information to make this distinction, this change is better. :) Neal On Wed, 04 Feb 2026 16:23:06 +0100, Uwe Kleine-König wrote: > > If a signature is done with a valid key and that key later expires, the > signature should still be considered good. > > GnuPG exmits in this case something like: > > [GNUPG:] NEWSIG > gpg: Signature made Wed 26 Nov 2014 05:56:50 AM CET > gpg: using RSA key FE3958F9067BC667 > [GNUPG:] KEYEXPIRED 1478449622 > [GNUPG:] KEY_CONSIDERED D783920D6D4F0C06AA4C25F3FE3958F9067BC667 0 > [GNUPG:] KEYEXPIRED 1478449622 > [GNUPG:] SIG_ID 8tAN3Fx6XB2NAoH5U8neoguQ9MI 2014-11-26 1416977810 > [GNUPG:] EXPKEYSIG FE3958F9067BC667 Jason Cooper <jason@lakedaemon.net> > gpg: Good signature from "Jason Cooper <jason@lakedaemon.net>" [expired] > [GNUPG:] VALIDSIG D783920D6D4F0C06AA4C25F3FE3958F9067BC667 2014-11-26 1416977810 0 4 0 1 2 00 D783920D6D4F0C06AA4C25F3FE3958F9067BC667 > gpg: Note: This key has expired! > D783920D6D4F0C06AA4C25F3FE3958F9067BC667 > > (signature and signed data in this example is taken from Linux commit > 756f80cee766574ae282baa97fdcf9cc). So GnuPG is relaxed and the fact that > the key is expired is only worth a "Note" which is weaker than e.g. > > gpg: WARNING: The key's User ID is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the owner. > > which git still considers ok. > > So stop coloring the signature by an expired key red and handle it like > any other good signature. > > Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org> > --- > Hello, > > the motivation for this patch originates from a mail correspondence with Linus Torvalds, > see > https://lore.kernel.org/ksummit/CAHC9VhRwMpSCphW_FsHojX1r12D5MOMUBm6MAzpGYD_FDjEVtA@mail.gmail.com/T/#m6cc3cc4b599658cab6012326993a1261fd641046 > for the details. > > Best regards > Uwe > > gpg-interface.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/gpg-interface.c b/gpg-interface.c > index 47222bf31b6e..6635c6c8e16f 100644 > --- a/gpg-interface.c > +++ b/gpg-interface.c > @@ -382,7 +382,7 @@ static int verify_gpg_signed_buffer(struct signature_check *sigc, > > delete_tempfile(&temp); > > - ret |= !strstr(gpg_stdout.buf, "\n[GNUPG:] GOODSIG "); > + ret |= !strstr(gpg_stdout.buf, "\n[GNUPG:] GOODSIG ") && !strstr(gpg_stdout.buf, "\n[GNUPG:] EXPKEYSIG "); > sigc->output = strbuf_detach(&gpg_stderr, NULL); > sigc->gpg_status = strbuf_detach(&gpg_stdout, NULL); > > @@ -680,7 +680,7 @@ int check_signature(struct signature_check *sigc, > if (status && !sigc->output) > return !!status; > > - status |= sigc->result != 'G'; > + status |= sigc->result != 'G' && sigc->result != 'Y'; > status |= sigc->trust_level < configured_min_trust_level; > > return !!status; > > base-commit: b2826b52eb7caff9f4ed6e85ec45e338bf02ad09 > -- > 2.47.3 > > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v1] gpg-interface: Signatures by expired keys are fine 2026-02-04 15:23 [PATCH v1] gpg-interface: Signatures by expired keys are fine Uwe Kleine-König 2026-02-04 15:35 ` Neal H. Walfield @ 2026-02-04 17:26 ` Junio C Hamano 2026-02-04 21:18 ` Uwe Kleine-König 1 sibling, 1 reply; 6+ messages in thread From: Junio C Hamano @ 2026-02-04 17:26 UTC (permalink / raw) To: Uwe Kleine-König; +Cc: git, Linus Torvalds, Neal H. Walfield Uwe Kleine-König <ukleinek@kernel.org> writes: > If a signature is done with a valid key and that key later expires, the > signature should still be considered good. > > GnuPG exmits in this case something like: "emits". > diff --git a/gpg-interface.c b/gpg-interface.c > index 47222bf31b6e..6635c6c8e16f 100644 > --- a/gpg-interface.c > +++ b/gpg-interface.c > @@ -382,7 +382,7 @@ static int verify_gpg_signed_buffer(struct signature_check *sigc, > > delete_tempfile(&temp); > > - ret |= !strstr(gpg_stdout.buf, "\n[GNUPG:] GOODSIG "); > + ret |= !strstr(gpg_stdout.buf, "\n[GNUPG:] GOODSIG ") && !strstr(gpg_stdout.buf, "\n[GNUPG:] EXPKEYSIG "); Makes sense; I'll wrap this overlong line while queuing, though. > sigc->output = strbuf_detach(&gpg_stderr, NULL); > sigc->gpg_status = strbuf_detach(&gpg_stdout, NULL); > > @@ -680,7 +680,7 @@ int check_signature(struct signature_check *sigc, > if (status && !sigc->output) > return !!status; > > - status |= sigc->result != 'G'; > + status |= sigc->result != 'G' && sigc->result != 'Y'; > status |= sigc->trust_level < configured_min_trust_level; > > return !!status; > > base-commit: b2826b52eb7caff9f4ed6e85ec45e338bf02ad09 ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v1] gpg-interface: Signatures by expired keys are fine 2026-02-04 17:26 ` Junio C Hamano @ 2026-02-04 21:18 ` Uwe Kleine-König 2026-02-04 21:27 ` Junio C Hamano 0 siblings, 1 reply; 6+ messages in thread From: Uwe Kleine-König @ 2026-02-04 21:18 UTC (permalink / raw) To: Junio C Hamano; +Cc: git, Linus Torvalds, Neal H. Walfield [-- Attachment #1: Type: text/plain, Size: 1006 bytes --] Hello, On Wed, Feb 04, 2026 at 09:26:09AM -0800, Junio C Hamano wrote: > Uwe Kleine-König <ukleinek@kernel.org> writes: > > > If a signature is done with a valid key and that key later expires, the > > signature should still be considered good. > > > > GnuPG exmits in this case something like: > > "emits". > > > diff --git a/gpg-interface.c b/gpg-interface.c > > index 47222bf31b6e..6635c6c8e16f 100644 > > --- a/gpg-interface.c > > +++ b/gpg-interface.c > > @@ -382,7 +382,7 @@ static int verify_gpg_signed_buffer(struct signature_check *sigc, > > > > delete_tempfile(&temp); > > > > - ret |= !strstr(gpg_stdout.buf, "\n[GNUPG:] GOODSIG "); > > + ret |= !strstr(gpg_stdout.buf, "\n[GNUPG:] GOODSIG ") && !strstr(gpg_stdout.buf, "\n[GNUPG:] EXPKEYSIG "); > > Makes sense; I'll wrap this overlong line while queuing, though. Just to be sure: That means I don't resent with the typo fixed and an additional line break and you care to apply this patch? Thanks Uwe [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 488 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v1] gpg-interface: Signatures by expired keys are fine 2026-02-04 21:18 ` Uwe Kleine-König @ 2026-02-04 21:27 ` Junio C Hamano 2026-02-05 9:38 ` Uwe Kleine-König 0 siblings, 1 reply; 6+ messages in thread From: Junio C Hamano @ 2026-02-04 21:27 UTC (permalink / raw) To: Uwe Kleine-König; +Cc: git, Linus Torvalds, Neal H. Walfield Uwe Kleine-König <ukleinek@kernel.org> writes: > Hello, > > On Wed, Feb 04, 2026 at 09:26:09AM -0800, Junio C Hamano wrote: >> Uwe Kleine-König <ukleinek@kernel.org> writes: >> >> > If a signature is done with a valid key and that key later expires, the >> > signature should still be considered good. >> > >> > GnuPG exmits in this case something like: >> >> "emits". >> >> > diff --git a/gpg-interface.c b/gpg-interface.c >> > index 47222bf31b6e..6635c6c8e16f 100644 >> > --- a/gpg-interface.c >> > +++ b/gpg-interface.c >> > @@ -382,7 +382,7 @@ static int verify_gpg_signed_buffer(struct signature_check *sigc, >> > >> > delete_tempfile(&temp); >> > >> > - ret |= !strstr(gpg_stdout.buf, "\n[GNUPG:] GOODSIG "); >> > + ret |= !strstr(gpg_stdout.buf, "\n[GNUPG:] GOODSIG ") && !strstr(gpg_stdout.buf, "\n[GNUPG:] EXPKEYSIG "); >> >> Makes sense; I'll wrap this overlong line while queuing, though. > > Just to be sure: That means I don't resent with the typo fixed and an > additional line break and you care to apply this patch? Unless there are other things you want to update, no need to resend. FYI, here is what I queued. ---- >8 ---- From: Uwe Kleine-König <ukleinek@kernel.org> Date: Wed, 4 Feb 2026 16:23:06 +0100 Subject: [PATCH] gpg-interface: signatures by expired keys are fine If a signature is made with a valid key and that key later expires, the signature should still be considered good. GnuPG emits in this case something like: [GNUPG:] NEWSIG gpg: Signature made Wed 26 Nov 2014 05:56:50 AM CET gpg: using RSA key FE3958F9067BC667 [GNUPG:] KEYEXPIRED 1478449622 [GNUPG:] KEY_CONSIDERED D783920D6D4F0C06AA4C25F3FE3958F9067BC667 0 [GNUPG:] KEYEXPIRED 1478449622 [GNUPG:] SIG_ID 8tAN3Fx6XB2NAoH5U8neoguQ9MI 2014-11-26 1416977810 [GNUPG:] EXPKEYSIG FE3958F9067BC667 Jason Cooper <jason@lakedaemon.net> gpg: Good signature from "Jason Cooper <jason@lakedaemon.net>" [expired] [GNUPG:] VALIDSIG D783920D6D4F0C06AA4C25F3FE3958F9067BC667 2014-11-26 1416977810 0 4 0 1 2 00 D783920D6D4F0C06AA4C25F3FE3958F9067BC667 gpg: Note: This key has expired! D783920D6D4F0C06AA4C25F3FE3958F9067BC667 (signature and signed data in this example is taken from Linux commit 756f80cee766574ae282baa97fdcf9cc). So GnuPG is relaxed and the fact that the key is expired is only worth a "Note" which is weaker than e.g. gpg: WARNING: The key's User ID is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. which git still considers ok. So stop coloring the signature by an expired key red and handle it like any other good signature. Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org> Signed-off-by: Junio C Hamano <gitster@pobox.com> --- gpg-interface.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/gpg-interface.c b/gpg-interface.c index 47222bf31b..5a58f333df 100644 --- a/gpg-interface.c +++ b/gpg-interface.c @@ -382,7 +382,8 @@ static int verify_gpg_signed_buffer(struct signature_check *sigc, delete_tempfile(&temp); - ret |= !strstr(gpg_stdout.buf, "\n[GNUPG:] GOODSIG "); + ret |= !strstr(gpg_stdout.buf, "\n[GNUPG:] GOODSIG ") && + !strstr(gpg_stdout.buf, "\n[GNUPG:] EXPKEYSIG "); sigc->output = strbuf_detach(&gpg_stderr, NULL); sigc->gpg_status = strbuf_detach(&gpg_stdout, NULL); @@ -680,7 +681,7 @@ int check_signature(struct signature_check *sigc, if (status && !sigc->output) return !!status; - status |= sigc->result != 'G'; + status |= sigc->result != 'G' && sigc->result != 'Y'; status |= sigc->trust_level < configured_min_trust_level; return !!status; -- 2.53.0-169-ga09cd4eb64 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v1] gpg-interface: Signatures by expired keys are fine 2026-02-04 21:27 ` Junio C Hamano @ 2026-02-05 9:38 ` Uwe Kleine-König 0 siblings, 0 replies; 6+ messages in thread From: Uwe Kleine-König @ 2026-02-05 9:38 UTC (permalink / raw) To: Junio C Hamano; +Cc: git, Linus Torvalds, Neal H. Walfield [-- Attachment #1: Type: text/plain, Size: 753 bytes --] Hello Junio, On Wed, Feb 04, 2026 at 01:27:06PM -0800, Junio C Hamano wrote: > Uwe Kleine-König <ukleinek@kernel.org> writes: > > On Wed, Feb 04, 2026 at 09:26:09AM -0800, Junio C Hamano wrote: > >> Makes sense; I'll wrap this overlong line while queuing, though. > > > > Just to be sure: That means I don't resent with the typo fixed and an > > additional line break and you care to apply this patch? > > Unless there are other things you want to update, no need to resend. > > FYI, here is what I queued. > > ---- >8 ---- > From: Uwe Kleine-König <ukleinek@kernel.org> > Date: Wed, 4 Feb 2026 16:23:06 +0100 > Subject: [PATCH] gpg-interface: signatures by expired keys are fine > > [...] LGTM, thanks! Best regards Uwe [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 488 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-02-05 9:38 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-02-04 15:23 [PATCH v1] gpg-interface: Signatures by expired keys are fine Uwe Kleine-König 2026-02-04 15:35 ` Neal H. Walfield 2026-02-04 17:26 ` Junio C Hamano 2026-02-04 21:18 ` Uwe Kleine-König 2026-02-04 21:27 ` Junio C Hamano 2026-02-05 9:38 ` Uwe Kleine-König
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox