On Fri, Apr 24, 2009 at 12:31:43PM +0200, Jakub Jelinek wrote: > On Thu, Apr 23, 2009 at 08:09:55PM -0700, Keith Thompson wrote: > > gcc-4.4.0.tar.gz.sig was generated with an expired key: > > > > gpg: Signature made Tue 21 Apr 2009 07:35:29 AM PDT using DSA key ID > > C3C45C06 > > gpg: Good signature from "Jakub Jelinek <ja...@redhat.com>" > > gpg: Note: This key has expired! > > Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29 3709 A328 C3A2 C3C4 5C06 > > > > I'm using ftp://ftp.gnu.org/gnu/gnu-keyring.gpg, downloaded after I > > downloaded gcc-4.4.0.tar.gz.sig. > > I've extended its expiration before the release. Just > gpg --keyserver hkp://pgp.mit.edu/ --recv-keys C3C45C06
Ok. Rather than importing all those signatures from a keyserver, I always check signatures for GNU software against a downloaded copy of gnu-keyring.gpg. Presumably gnu-keyring.gpg will be updated Real Soon Now, so there should be no problem. -- Keith Thompson (The_Other_Keith) k...@mib.org <http://www.ghoti.net/~kst> Nokia "We must do something. This is something. Therefore, we must do this." -- Antony Jay and Jonathan Lynn, "Yes Minister"