On Fri, Oct 11, 2013 at 9:55 AM, Konstantin Ryabitsev <i...@fedoraproject.org> wrote: >> Or does the check fail only if the key had already expired when the >> signature was made? > > Looks like gpg verify doesn't take that into consideration.
PS: And, FYI, for a very good reason -- it is very simple for an attacker to change the date on their system before signing a tarball, to make it look like the signature was made while the key was still valid and thus satisfy the checks. -- Konstantin Ryabitsev LinuxFoundation.org Montréal, Québec -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
