Ansgar <ans...@43-1.org> writes:

> On Fri, 2021-03-26 at 09:06 -0700, Russ Allbery wrote:
>> I'm not all that familiar with the intended semantics of OpenPGP key
>> expirations, but intuitively I think a signature made before the
>> expiration should be considered valid, even if the key has now expired
>> and thus shouldn't be used to make new signatures.

> How would you know that the signature was made before the key expired?
> Other systems (e.g. signed executables on Windows) have a trusted third
> party sign the timestamp for that, but OpenPGP doesn't do so.

That's a great question.  I didn't think about that.  We do have a
trusted timestamp for the point at which the upstream tarball and
signature were uploaded to the Debian archive, though, so if the key had
not yet expired at that point, I think we can infer it wasn't expired
when the signature was made.

-- 
Russ Allbery (r...@debian.org)             <https://www.eyrie.org/~eagle/>
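The rule the two messages converge on, as an added example that is not part of the thread or of any Debian tooling: the signature creation time inside an OpenPGP signature is chosen by the signer, so it is only a claim, while the archive upload time is trusted. The code below parses the creation-time subpacket out of a minimal v4 signature packet (RFC 4880 tag 2, one-octet lengths only), then accepts the signature only if the trusted upload time falls before the key's expiry. The key expiry and upload time are assumed to be supplied by the caller as datetimes, and the sample packet is constructed by hand with a dummy hash prefix and dummy MPI; it is not a real signature.

```python
"""Accept an OpenPGP signature only when a trusted timestamp (the
archive upload time) proves it was made before the key expired.

Added example, not code from the thread.  The parser handles just what
this example needs: a new-format signature packet, version 4, with
one-octet packet and subpacket lengths.
"""
import struct
from datetime import datetime, timezone

SIG_TAG = 2            # RFC 4880 section 5.2: signature packet
SIG_CREATION_TIME = 2  # RFC 4880 section 5.2.3.4: creation time subpacket


def parse_signature_creation_time(packet: bytes) -> datetime:
    """Return the creation time from the hashed subpacket area of a v4
    signature packet.  Raises ValueError on anything unsupported."""
    if len(packet) < 2 or packet[0] & 0xC0 != 0xC0:
        raise ValueError("expected a new-format packet header")
    if packet[0] & 0x3F != SIG_TAG:
        raise ValueError("not a signature packet")
    body_len = packet[1]
    if body_len >= 192:
        raise ValueError("multi-octet packet lengths not supported here")
    body = packet[2:2 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated packet")
    if body[0] != 4:
        raise ValueError("only v4 signatures supported")
    # body[1:4] is signature type, public-key algorithm, hash algorithm
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    if len(hashed) != hashed_len:
        raise ValueError("truncated hashed subpacket area")
    pos = 0
    while pos < len(hashed):
        sub_len = hashed[pos]           # counts the type octet plus data
        if sub_len >= 192:
            raise ValueError("multi-octet subpacket lengths not supported here")
        sub_type = hashed[pos + 1] & 0x7F  # strip the critical bit
        data = hashed[pos + 2:pos + 1 + sub_len]
        if sub_type == SIG_CREATION_TIME:
            if len(data) != 4:
                raise ValueError("creation time subpacket must be 4 octets")
            return datetime.fromtimestamp(struct.unpack(">I", data)[0], timezone.utc)
        pos += 1 + sub_len
    raise ValueError("no signature creation time subpacket")


def accept_signature(packet: bytes, key_expiry, archive_upload_time: datetime):
    """Apply the thread's rule.  key_expiry is None for a key that does
    not expire.  Returns (accepted, reason)."""
    claimed = parse_signature_creation_time(packet)
    # The claimed time is untrusted, but a signature cannot have been
    # made after it was uploaded, so a later claim is inconsistent.
    if claimed > archive_upload_time:
        return False, "claimed creation time is after the trusted upload time"
    if key_expiry is None or archive_upload_time < key_expiry:
        return True, "signature entered the archive before the key expired"
    return False, "key had expired by upload time; creation time cannot be trusted"


def build_sample_signature(creation_time: datetime) -> bytes:
    """Construct a minimal v4 signature packet for demonstration.  Only
    the packet structure and the creation-time subpacket are meaningful;
    the hash prefix and MPI are dummies (constructed sample data)."""
    ts = struct.pack(">I", int(creation_time.timestamp()))
    subpacket = bytes([1 + len(ts), SIG_CREATION_TIME]) + ts
    body = bytes([4, 0x00, 1, 8])          # v4, binary doc, RSA, SHA-256
    body += struct.pack(">H", len(subpacket)) + subpacket
    body += struct.pack(">H", 0)           # no unhashed subpackets
    body += b"\x00\x00"                    # left 16 bits of hash (dummy)
    body += struct.pack(">H", 8) + b"\xAB" # dummy 8-bit MPI
    return bytes([0xC0 | SIG_TAG, len(body)]) + body


if __name__ == "__main__":
    expiry = datetime(2021, 1, 1, tzinfo=timezone.utc)
    pkt = build_sample_signature(datetime(2020, 6, 1, tzinfo=timezone.utc))
    print(accept_signature(pkt, expiry, datetime(2020, 6, 2, tzinfo=timezone.utc)))
    print(accept_signature(pkt, expiry, datetime(2021, 3, 1, tzinfo=timezone.utc)))
```

The second call in the usage block is the case Ansgar raises: the packet claims a creation time before expiry, but the upload happened after the key expired, so the claim cannot be corroborated and the signature is refused. A deployment would also read the key's expiry from its self-signature and allow some tolerance for clock skew between signer and archive.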