[Savannah-register-public] [task #15140] Automatically updating GPG keys

From: Tim Ruehsen
Subject: [Savannah-register-public] [task #15140] Automatically updating GPG keys when expired
Date: Fri, 4 Jan 2019 06:32:39 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0

Follow-up Comment #2, task #15140 (project administration):

The report was "wget-1.20.1.tar.gz signed with expired key" and had the
following message:

I was rather surprised to see that the key used to sign a release on December
26 expired on July 12. Is it legit?

$ curl | gpg --import
$ gpg --verify wget-1.20.1.tar.gz.sig
gpg: WARNING: using insecure memory!
gpg: please see for more information
gpg: Signature made December 26, 2018 at 08:12:51 PM UTC using RSA key ID
gpg: Good signature from "Tim Rühsen <address@hidden>"
gpg: Note: This key has expired!
Primary key fingerprint: 1CB2 7DBC 9861 4B2D 5841  646D 0830 2DB6 A267 0428

$ gpg --list-key A2670428
gpg: WARNING: using insecure memory!
gpg: please see for more information
pub   4096R/A2670428 2014-06-26 [expired: 2018-06-12]
uid                  Tim Rühsen <address@hidden>

So my key wasn't expired since 2016 but since 2018-06-12.

A possible quick solution would be to have a crontab daily/weekly checking for
soon-to-expire keys and to inform those people via an automated email
(including steps on how to update expiration date and how to upload to key
servers and how to update to Savannah).

Then a second crontab could check all GPG keys on a public key server. And
download those keys whose expiration date has been changed (e.g. it could be
that someone changed the expiration date from 'never' to a concrete future


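The first cron job proposed in the comment above could be sketched as follows. This is an added example, not code from the message or from Savannah: it assumes the input is the output of `gpg --list-keys --with-colons`, and the names `expiry_report` and `warn_days`, as well as the sample keys, are hypothetical.

```python
"""Flag OpenPGP keys that have expired or will expire soon."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the format of `gpg --list-keys --with-colons`.
# Field 7 of a "pub" record is the expiry time; it is empty when the key
# never expires. Key IDs, fingerprints and user IDs are made up.
SAMPLE = """\
pub:e:4096:1:AAAAAAAAAAAAAAAA:1403740800:1528761600::-:::sc::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:e::::1403740800::0000::Maintainer One <one@example.org>::::::::::0:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1403740800:::-:::scESC::::::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
uid:-::::1403740800::0000::Maintainer Two <two@example.org>::::::::::0:
"""

def _when(field):
    """Parse a colon-listing time: epoch seconds, or the older ISO 8601 form."""
    if not field:
        return None  # no expiry set
    if "T" in field:
        return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), timezone.utc)

def expiry_report(listing, now, warn_days=30):
    """Return (fingerprint, uid, status, expiry date) for keys needing attention."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"expires": _when(f[6]), "fpr": None, "uid": None})
        elif keys and f[0] in ("fpr", "uid") and keys[-1][f[0]] is None:
            # The first fpr/uid record after "pub" belongs to the primary key.
            keys[-1][f[0]] = f[9]
    report = []
    for k in keys:
        if k["expires"] is None:
            continue  # key never expires, nothing to remind about
        if k["expires"] <= now:
            status = "expired"
        elif k["expires"] - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            continue
        report.append((k["fpr"], k["uid"], status, k["expires"].date().isoformat()))
    return report

if __name__ == "__main__":
    for row in expiry_report(SAMPLE, datetime.now(timezone.utc)):
        print(*row)
```

Each returned row carries the user ID that a reminder e-mail would be addressed to; sending the mail is left out here.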