On Tue, 19 Jun 2018, Adam Cecile wrote: > On 06/19/2018 10:48 PM, Don Armstrong wrote: > > On Tue, 19 Jun 2018, Adam Cecile wrote: > > > That's a pity, don't you think so ? I think Debian should renew the > > > archive key, so we can still verify packages signatures. > > You can still verify them. Key expiration doesn't make existing > > signatures invalid. [Indeed, gpgv doesn't even check for expired keys.] > > > With apt ? I had to set allowunauthenticated = 1 in apt.conf, otherwise apt > wouldn't install anything.
Hrm; it looks like apt has its own internal version of gpgv which actually tests the time. In theory, [allow-weak=yes] should work, but I haven't actually tested this. -- Don Armstrong https://www.donarmstrong.com You are educated when you have the ability to listen to almost anything without losing your temper or self-confidence. -- Robert Frost