On 01/10/18 15:32, Jonathan K. Bullard wrote:
> Hi, David.
>
> On Mon, Oct 1, 2018 at 8:59 AM David Sommerseth
> <open...@sf.lists.topphemmelig.net> wrote:
>>
>> On 30/09/18 23:14, Jonathan K. Bullard wrote:
>>> I downloaded openvpn-2.4.6.tar.gz and the associated GnuPG signature,
>>> but the signing key seems to have expired before it was signed:
>>>
>>> $gpg2 -v --verify openvpn-2.4.6.tar.gz.asc
>>> gpg: assuming signed data in '/***/openvpn-2.4.6.tar.gz'
>>> gpg: Signature made Tue Apr 24 03:14:52 2018 EDT
>>> gpg: using RSA key D518B9BD643CF94DA5ED9970F132B1CBAF131CAE
>>> gpg: Note: signature key D72AF3448CC2B034 expired Tue Mar 6 07:17:50 2018
>>> EST
> <snip>
>> The important line is this one:
>>
>>> gpg: Good signature from "OpenVPN - Security Mailing List"
>>
>> Yes, the signing key we used has expired, as we only have 1 year life time on
>> them. But we would need to re-sign all packages to get rid of this. Which
>> would not give anything but removing the warnings that the key used has
>> expired.
>
> Thanks for your confirmation that the signature is good.
>
> But I was not saying that the key has expired *today*. I was saying
> that the key had already expired at the time it was used to create the
> signature: the key was used to create the signature several weeks
> *after* it had expired.
>
> Or was the expired key not actually used to create the signature and
> the note was irrelevant noise from GnuPG?

Huh!? I didn't spot that fine detail ... this is very odd, and shouldn't really
be possible.

Okay, I will double check this. I'm quite sure we had a new key enrolled at the
time of creation of the signature.

--
kind regards,

David Sommerseth
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
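The comparison raised in this thread (signature creation time against the expiry time of the key that made it) can be automated. The following is an added example, not code from the thread or from the OpenVPN project; `check_signing_time`, the zone-offset table and the sample text (the gpg lines quoted above, rejoined) are assumptions, and it expects gpg's English-language output.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: only the zone abbreviations seen in the quoted output are mapped.
TZ_OFFSETS = {"EDT": -4, "EST": -5, "UTC": 0}

# Constructed sample: the gpg lines quoted in the thread, with the wrapped line rejoined.
SAMPLE = """\
gpg: Signature made Tue Apr 24 03:14:52 2018 EDT
gpg:                using RSA key D518B9BD643CF94DA5ED9970F132B1CBAF131CAE
gpg: Note: signature key D72AF3448CC2B034 expired Tue Mar 6 07:17:50 2018 EST
gpg: Good signature from "OpenVPN - Security Mailing List"
"""

STAMP = r"(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (\w+)"
SIG_RE = re.compile(r"^gpg: Signature made " + STAMP, re.M)
EXP_RE = re.compile(r"^gpg: Note: signature key ([0-9A-F]+) expired " + STAMP, re.M)


def to_utc(stamp, zone):
    """Convert a gpg-style local timestamp plus zone abbreviation to UTC."""
    if zone not in TZ_OFFSETS:
        raise ValueError(f"unknown time zone abbreviation: {zone}")
    naive = datetime.strptime(" ".join(stamp.split()), "%a %b %d %H:%M:%S %Y")
    local = naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))
    return local.astimezone(timezone.utc)


def check_signing_time(gpg_output):
    """Report whether the signature was created after the signing key expired."""
    sig = SIG_RE.search(gpg_output)
    if sig is None:
        raise ValueError("no 'Signature made' line found")
    signed_at = to_utc(*sig.groups())
    result = {"signed_at": signed_at, "key_id": None,
              "expired_at": None, "signed_after_expiry": False, "gap": None}
    exp = EXP_RE.search(gpg_output)
    if exp is not None:  # gpg reported an expired signing key
        key_id, stamp, zone = exp.groups()
        expired_at = to_utc(stamp, zone)
        result.update(key_id=key_id, expired_at=expired_at,
                      signed_after_expiry=signed_at > expired_at,
                      gap=signed_at - expired_at)
    return result


if __name__ == "__main__":
    r = check_signing_time(SAMPLE)
    print(r["key_id"], "signed after expiry:", r["signed_after_expiry"], "gap:", r["gap"])
```

For unattended checks, gpg's machine-readable `--status-fd` output is the more stable thing to parse than the human-readable text used here.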