On 5 Jan 2023, at 13:42, Ingo Klöcker <kloec...@kde.org> wrote:

> GitLab keeps the verification state if a key is removed, but I added the updated key including the expired subkey. That was a bad idea because GitLab invalidated all commits signed with the expired subkey.
It is disappointing to see that major projects still have trouble implementing signature verification correctly. The rules are not trivial, but they are important to accurately convey the intent of the signer.

Is there an implementers' guide anywhere for how to calculate sig validity? There are plenty for users, but none for developers that I can see. The details are distributed across various parts of the RFCs (expiry, revocation, etc.), so perhaps a wiki page to consolidate them (and other relevant arcane knowledge) would be helpful, so that we could point implementers at it and tap the sign.

A
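The validity rule the message alludes to, worked through as an added example (this is not code from the thread, from GnuPG or from GitLab): a signature is judged against the signing key's state at the time the signature was made, not at the time it is verified. The model below covers only the subkey timeline (creation, expiry, revocation) and leaves out primary-key and self-signature checks; the hard/soft split of RFC 4880 "Reason for Revocation" codes follows GnuPG's reading (1 and 3 soft, 0 and 2 hard), which is an assumption stated here rather than something the thread spells out. All dates are constructed sample values.

```python
"""Constructed model of OpenPGP signature validity against signing-key state.

Added example, not code from the thread, GnuPG or GitLab. Signatures are
judged at *signing time*; the hard/soft revocation split follows GnuPG's
interpretation of the RFC 4880 reason codes (assumption).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


def ts(date: str) -> datetime:
    """Parse a YYYY-MM-DD string into an aware UTC timestamp."""
    return datetime.strptime(date, "%Y-%m-%d").replace(tzinfo=timezone.utc)


class RevocationKind(Enum):
    NONE = "none"
    SOFT = "soft"  # superseded / retired: only later signatures are affected
    HARD = "hard"  # compromised / no reason given: every signature is affected


def revocation_kind(reason_code: Optional[int]) -> RevocationKind:
    """Map an RFC 4880 'Reason for Revocation' code onto hard/soft.

    0 = no reason, 1 = key superseded, 2 = key compromised, 3 = key retired.
    Codes 1 and 3 are soft; 0, 2 and anything unknown are treated as hard,
    which is the conservative reading GnuPG applies (assumption).
    """
    if reason_code is None:
        return RevocationKind.NONE
    return RevocationKind.SOFT if reason_code in (1, 3) else RevocationKind.HARD


@dataclass(frozen=True)
class SubkeyState:
    created: datetime
    expires: Optional[datetime]       # None: no expiry set
    revoked_at: Optional[datetime]    # None: not revoked
    revocation_reason: Optional[int]  # RFC 4880 reason code, if revoked


def classify_signature(key: SubkeyState, signed_at: datetime) -> str:
    """Judge a signature by the key's state at signing time."""
    kind = revocation_kind(key.revocation_reason) if key.revoked_at is not None else RevocationKind.NONE
    if signed_at < key.created:
        return "invalid: signature predates key creation"
    if kind is RevocationKind.HARD:
        return "invalid: key hard-revoked (all signatures affected)"
    if kind is RevocationKind.SOFT and signed_at >= key.revoked_at:
        return "invalid: signed after soft revocation"
    if key.expires is not None and signed_at >= key.expires:
        return "invalid: signed after key expiry"
    return "valid"


def naive_current_state_check(key: SubkeyState, now: datetime) -> str:
    """The shortcut that yields the behaviour the thread describes: judge the
    key by its state *now* and apply that verdict to every signature it made."""
    if key.revoked_at is not None and key.revoked_at <= now:
        return "invalid: key is revoked"
    if key.expires is not None and key.expires <= now:
        return "invalid: key is expired"
    return "valid"


# Constructed sample: a signing subkey that expired in mid-2022, a commit
# signed while the subkey was still valid, and a verification run in January 2023.
EXPIRED_SUBKEY = SubkeyState(created=ts("2020-01-01"), expires=ts("2022-06-01"),
                             revoked_at=None, revocation_reason=None)
COMMIT_SIGNED_AT = ts("2021-03-15")
TODAY = ts("2023-01-05")


def compare(key: SubkeyState, signed_at: datetime, now: datetime):
    """Return (signing-time verdict, current-state shortcut verdict) side by side."""
    return classify_signature(key, signed_at), naive_current_state_check(key, now)


if __name__ == "__main__":
    correct, naive = compare(EXPIRED_SUBKEY, COMMIT_SIGNED_AT, TODAY)
    print(f"signing-time rule:      {correct}")
    print(f"current-state shortcut: {naive}")
```

Run stand-alone, the sample commit comes out "valid" under the signing-time rule and "invalid: key is expired" under the shortcut, which is exactly the discrepancy the quoted message reports. The same structure makes the revocation distinction visible: a superseded or retired subkey only loses signatures made after the revocation date, while a compromised one loses all of them.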
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users