Hi Antoine, Antoine Zellmeyer via devel <devel@lists.fedoraproject.org> writes: > Following Fedora’s migration to Sequoia PGP, it seems that it isn’t possible > to import an expired signing key anymore. > > rpm --import https://some.domain/public-keys/SOME_EXPIRED_RPM_KEY.public > error: Certificate <CERT_ID>: > The certificate is expired: The primary key is not live > error: https://some.domain/public-keys/SOME_EXPIRED_RPM_KEY.public: key 1 > import failed. > > I’d like to know what a third party can do to allow older versions of a > package to be installed despite the expired GPG key. To be precise, the GPG > key is expired but not revoked so it shouldn’t be an issue. > One option I’m aware of would be to resign older packages but it involves > changing the checksum of the package, which is a bad practice we’d like to > avoid. Any suggestions ? Or is it an issue to redirect to rpm-sequoia > directly ?
Thanks for identifying this issue and reporting it. In general, a certificate that has expired or been soft revoked (i.e., not compromised [1]) should still be able to verify signatures made before the certificate expired or was soft revoked. I've opened an issue in rpm-sequoia [2]. :) Neal [1] https://datatracker.ietf.org/doc/html/rfc4880#section-5.2.3.23 [2] https://github.com/rpm-software-management/rpm-sequoia/issues/59 -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
