* Russ Allbery <r...@debian.org> [2021-03-26 13:01]:
> If this were the case, it would be fine to re-sign *.dsc files, but there has been quite a lot of opposition to that in the past. The upstream signing key is at least as useful as the signature on the *.dsc file, for exactly the same reasons.
I do not understand this, but I am probably too new with Debian. Can you point me to a discussion about this?
> Key expiration, at least in my understanding, says that signatures made by that key are valid up until the point that the key has expired, but not after that point. It cannot protect against key compromise prior to the expiration date. That's what a revocation is for.
You're right, I did conflate those two concepts too much. Let me try and rephrase. What I meant to convey was: there is no way to know when a signature was created except trusting what the signature itself says, because anyone who has control over the key can forge any date. That's fine, because in this context, the actual date of the signature doesn't really matter: the signature is meant to prevent an attacker from tampering with the source code, not to prove when exactly the release happened. Thus, there is no reason to stop trusting the signature after the key has expired, unless you assume that someone could have replaced the original source and forged a backdated signature, i.e. the key was compromised. Am I making more sense now?

- Timo
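The two messages above turn on one fact: the creation time a verifier sees is a field inside the signature packet, chosen by whoever holds the key. The following is an added example, not code from either poster or from Debian's tooling. It parses the hashed subpacket area of an OpenPGP v4 signature packet (RFC 4880 section 5.2.3) with the standard library only, and then models the verdict a verifier can reach from the claimed creation time, key expiry, and a revocation with its reason code. The sample packet is constructed here with a dummy MPI and a hypothetical issuer key ID, so no cryptographic check is performed; the time values are made up.

```python
"""Added example: where an OpenPGP signature's creation time lives, and what a
verifier can and cannot conclude from it (RFC 4880 5.2.3).  Not real gpg code."""
import struct
from datetime import datetime, timezone

SUBPKT_CREATION_TIME = 2   # RFC 4880 5.2.3.4, must be in the hashed area
SUBPKT_SIG_EXPIRY = 9      # RFC 4880 5.2.3.10
SUBPKT_ISSUER = 16         # RFC 4880 5.2.3.5, conventionally in the unhashed area

# RFC 4880 5.2.3.23 revocation reason codes.  0x00 and 0x02 are "hard": every
# signature by the key becomes suspect.  Superseded/retired are "soft": signatures
# claimed to predate the revocation stay valid.
REVOKED_NO_REASON, REVOKED_SUPERSEDED, REVOKED_COMPROMISED, REVOKED_RETIRED = 0x00, 0x01, 0x02, 0x03
HARD_REVOCATION_REASONS = {REVOKED_NO_REASON, REVOKED_COMPROMISED}


def _read_pkt_header(data):
    """Return (tag, body_offset, body_length) for the first packet in data."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                      # new-format header
        tag, b1 = ctb & 0x3F, data[1]
        if b1 < 192:
            return tag, 2, b1
        if b1 < 224:
            return tag, 3, ((b1 - 192) << 8) + data[2] + 192
        if b1 == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03   # old-format header
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate length not supported")


def _iter_subpackets(area):
    """Yield (type, payload) for each subpacket; the length covers the type octet."""
    off = 0
    while off < len(area):
        b1 = area[off]
        if b1 < 192:
            length, off = b1, off + 1
        elif b1 < 255:
            length, off = ((b1 - 192) << 8) + area[off + 1] + 192, off + 2
        else:
            length, off = struct.unpack(">I", area[off + 1:off + 5])[0], off + 5
        yield area[off] & 0x7F, area[off + 1:off + length]   # high bit = critical flag
        off += length


def parse_v4_signature(data):
    """Extract the fields a verifier reads before doing any cryptography."""
    tag, off, length = _read_pkt_header(data)
    if tag != 2:
        raise ValueError("not a signature packet, tag %d" % tag)
    body = data[off:off + length]
    if body[0] != 4:
        raise ValueError("only version 4 signatures are handled")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    unhashed_len = struct.unpack(">H", body[6 + hashed_len:8 + hashed_len])[0]
    unhashed = body[8 + hashed_len:8 + hashed_len + unhashed_len]
    info = {"sig_type": body[1], "pk_algo": body[2], "hash_algo": body[3],
            "creation_time": None, "sig_expiry_seconds": None, "issuer": None}
    for sub_type, payload in _iter_subpackets(hashed):
        if sub_type == SUBPKT_CREATION_TIME:
            info["creation_time"] = struct.unpack(">I", payload)[0]
        elif sub_type == SUBPKT_SIG_EXPIRY:
            info["sig_expiry_seconds"] = struct.unpack(">I", payload)[0]
    for sub_type, payload in _iter_subpackets(unhashed):
        if sub_type == SUBPKT_ISSUER:
            info["issuer"] = payload.hex().upper()
    if info["creation_time"] is None:
        raise ValueError("hashed creation-time subpacket missing")
    return info


def _subpacket(sub_type, payload):
    return bytes([len(payload) + 1, sub_type]) + payload      # 1-octet length form


def build_v4_signature_packet(creation_time, issuer_keyid=bytes.fromhex("0123456789ABCDEF"),
                              new_format=False):
    """Constructed sample: binary-document signature with a signer-chosen creation
    time, EdDSA (22) / SHA-256 (8), hypothetical issuer, dummy 8-bit MPI."""
    hashed = _subpacket(SUBPKT_CREATION_TIME, struct.pack(">I", creation_time))
    unhashed = _subpacket(SUBPKT_ISSUER, issuer_keyid)
    body = (bytes([4, 0x00, 22, 8])
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x00\x00"                          # left 16 bits of the hash (dummy)
            + struct.pack(">H", 8) + b"\xA5")      # dummy MPI
    header = bytes([0xC2, len(body)]) if new_format else bytes([0x88, len(body)])
    return header + body


def verdict(sig_creation, key_created, key_expires=None, revocation=None):
    """What the claimed creation time lets a verifier decide.
    revocation is None or (revoked_at_epoch, reason_code)."""
    if sig_creation < key_created:
        return "reject: claimed creation time predates the key"
    if revocation is not None:
        revoked_at, reason = revocation
        if reason in HARD_REVOCATION_REASONS:
            return "reject: key revoked as compromised, claimed creation time is worthless"
        if sig_creation >= revoked_at:
            return "reject: claimed creation time is after a soft revocation"
    if key_expires is not None and sig_creation > key_expires:
        return "reject: claimed creation time is after key expiry"
    return "accept"


if __name__ == "__main__":
    KEY_CREATED = 1577836800                    # 2020-01-01T00:00:00Z (constructed)
    KEY_EXPIRES = KEY_CREATED + 365 * 86400
    honest = build_v4_signature_packet(KEY_CREATED + 60 * 86400)
    backdated = build_v4_signature_packet(KEY_CREATED + 61 * 86400)   # written long after expiry
    for label, pkt in (("honest", honest), ("backdated", backdated)):
        t = parse_v4_signature(pkt)["creation_time"]
        print(label, datetime.fromtimestamp(t, timezone.utc).isoformat(),
              verdict(t, KEY_CREATED, KEY_EXPIRES))
    t = parse_v4_signature(backdated)["creation_time"]
    print("after hard revocation:",
          verdict(t, KEY_CREATED, KEY_EXPIRES, (KEY_CREATED + 30 * 86400, REVOKED_COMPROMISED)))
```

The "honest" and "backdated" packets are byte-for-byte the same shape and both pass the expiry check; nothing in the packet distinguishes a signature made in the window from one an attacker wrote later with the same key and an in-window date. Only the revocation branch rejects the backdated one, which is the distinction Russ draws above. The parser also works on a real binary detached signature (the output of `gpg --detach-sign` without `--armor`, or after `gpg --dearmor`), and `gpg --list-packets` on the same file shows the same `created` value.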