On 2024-02-03 17:31, Bruce Walzer wrote:
On Sat, Feb 03, 2024 at 11:35:20PM +0900, witchy via Gnupg-users wrote:
[...]
I noticed that the npth signature data has expired.
Why is anyone signing software with expiring keys anyway? I have
ranted against the practice of PGP key expiry in general[1] but this
seems particularly harmful. GnuPG contributes to this problem by
generating expiring keys by default.
[1] https://articles.59.ca/doku.php?id=pgpfan:expire
Some software signing systems handle this by adding a trusted timestamp
signature telling signature checkers to check validity "as of" the
certified timestamp. This is particularly common for X.509 signature
systems where the certificates themselves expire every few years .
There is an RFC for how to do it and I have figured out how it is actually
done for proprietary Microsoft formats (its only a few deviations from
the RFCs implemented by gpgsm).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
