Re: Regarding the expiration of the signed data in npth-1.6.tar.bz2
On Tue, 6 Feb 2024 17:51, Bernhard Reiter said: > So far I haven't seen renewed signatures from GnuPG devs, which makes it > unlikely they sign the nPth release from 2018 again. Right, we will soon do a new release with some fixes for AIX and to modernize tyhe build system. In theory we could re-sign old stuff but for most packages the latest releases are fresh enough. Salam-Shalom, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein openpgp-digital-signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Regarding the expiration of the signed data in npth-1.6.tar.bz2
Hi Witchy, Am Samstag 03 Februar 2024 15:35:20 schrieb witchy via Gnupg-users: > I am trying to install npth which is needed to build gpg. > I noticed that the npth signature data has expired. that is okay, if you downloaded stuff from https://www.gnupg.org/download/index.html nPth1.6 2018-07-16 293kdownloaddownload LANG=C gpg --verify npth-1.6.tar.bz2.sig gpg: assuming signed data in 'npth-1.6.tar.bz2' gpg: Signature made Mon Jul 16 09:37:23 2018 CEST gpg:using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 gpg: Good signature from "Werner Koch (dist sig)" [expired] gpg: Note: This key has expired! That messsage shows that the signature is fine at the time it was made in principle. You can additionally check the pubkey: LANG=C gpg -kv "D8692123C4065DEA5E0F3AB5249B39D24F25E3B6" gpg: Note: signature key 249B39D24F25E3B6 expired Fri Dec 31 12:00:07 2021 CET pub rsa2048/249B39D24F25E3B6 2011-01-12 [SC] [expired: 2021-12-31] D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 uid [ expired] Werner Koch (dist sig) sub rsa2048/F58A5868AC87C71A 2011-01-12 [A] [expired: 2019-12-31] That should be good enough. > Is it possible to have it signed again? At least if a new release is done, that release would be freshly signed. So far I haven't seen renewed signatures from GnuPG devs, which makes it unlikely they sign the nPth release from 2018 again. Regards, Bernhard -- https://intevation.de/~bernhard +49 541 33 508 3-3 Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Regarding the expiration of the signed data in npth-1.6.tar.bz2
On 2024-02-03 17:31, Bruce Walzer wrote: On Sat, Feb 03, 2024 at 11:35:20PM +0900, witchy via Gnupg-users wrote: [...] I noticed that the npth signature data has expired. Why is anyone signing software with expiring keys anyway? I have ranted against the practice of PGP key expiry in general[1] but this seems particularly harmful. GnuPG contributes to this problem by generating expiring keys by default. [1] https://articles.59.ca/doku.php?id=pgpfan:expire Some software signing systems handle this by adding a trusted timestamp signature telling signature checkers to check validity "as of" the certified timestamp. This is particularly common for X.509 signature systems where the certificates themselves expire every few years . There is an RFC for how to do it and I have figured out how it is actually done for proprietary Microsoft formats (its only a few deviations from the RFCs implemented by gpgsm). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Regarding the expiration of the signed data in npth-1.6.tar.bz2
On Sat, Feb 03, 2024 at 11:35:20PM +0900, witchy via Gnupg-users wrote: [...] > I noticed that the npth signature data has expired. Why is anyone signing software with expiring keys anyway? I have ranted against the practice of PGP key expiry in general[1] but this seems particularly harmful. GnuPG contributes to this problem by generating expiring keys by default. [1] https://articles.59.ca/doku.php?id=pgpfan:expire Bruce ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Regarding the expiration of the signed data in npth-1.6.tar.bz2
Hi! I am trying to install npth which is needed to build gpg. I noticed that the npth signature data has expired. Is it possible to have it signed again? Sorry for my poor English, but I would appreciate it if you could check. Thank you in advance for your cooperation. ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
