[Rpm-maint] [rpm-software-management/rpm] RPM distrusts signatures done by previous versions of prolonged keys (Issue #2619)

Pavel Raiskup notifications at github.com
Thu Aug 17 07:39:03 UTC 2023


In Copr, we "prolong" the expiration time of GPG keys with `gpg --edit-key`, with `expire` => `5y` => `save` commands.  See the [Copr issue](https://github.com/fedora-copr/copr/issues/2878) for more info.  After this action, RPM stops trusting all the signatures done _before_ the time of `gpg --edit-key` action, if checked with the updated pub key.

Steps to reproduce with prebuilt packages in Fedora Copr:

1. Import the key, note the validity seems to be from 2019-08-15 to 2028-08-12:

    ```
    $ curl https://download.copr.fedorainfracloud.org/archive/issues/copr-issue-2878/pubkey.gpg > the-key
    $ gpg the-key
    gpg: WARNING: no command supplied.  Trying to guess what you mean ...
    pub   rsa2048 2019-08-15 [SCEA] [expires: 2028-08-12]
          3124D2EF76DA4D972F6BE4AC9D60CBB71A3B4456
    uid           iucar_cran (None) <iucar#cran at copr.fedorahosted.org>
    $ rpm --import the-key
    ```

2. Verify the key:

    ```
    $ rpm -v -K https://download.copr.fedorainfracloud.org/archive/issues/copr-issue-2878/R-CoprManager-0.5.4-1.fc38.copr6265747.noarch.rpm
    https://download.copr.fedorainfracloud.org/archive/issues/copr-issue-2878/R-CoprManager-0.5.4-1.fc38.copr6265747.noarch.rpm:
    error: Verifying a signature using certificate 3124D2EF76DA4D972F6BE4AC9D60CBB71A3B4456 (iucar_cran (None) <iucar#cran at copr.fedorahosted.org>):
      1. Certificate 9D60CBB71A3B4456 invalid: policy violation
          because: No binding signature at time 2023-08-11T08:00:22Z
      2. Certificate has no valid binding signature as of the signature's creation time, but is valid now.  The certificate has probably been stripped or minimized.
    error: Verifying a signature using certificate 3124D2EF76DA4D972F6BE4AC9D60CBB71A3B4456 (iucar_cran (None) <iucar#cran at copr.fedorahosted.org>):
      1. Certificate 9D60CBB71A3B4456 invalid: policy violation
          because: No binding signature at time 2023-08-11T08:00:22Z
      2. Certificate has no valid binding signature as of the signature's creation time, but is valid now.  The certificate has probably been stripped or minimized.
        Header V4 RSA/SHA256 Signature, key ID 1a3b4456: NOTTRUSTED
        Header SHA256 digest: OK
        Header SHA1 digest: OK
        Payload SHA256 digest: OK
        V4 RSA/SHA256 Signature, key ID 1a3b4456: NOTTRUSTED
        MD5 digest: OK
    ```

It is not quite obvious what to do about this.  This seems like too pedantic a
policy requirement, or is the key prolonged the wrong way?

Reproducible both with Rawhide and 38.  But the RPM package versions on Rawhide are here:
```
rpm-sequoia-1.4.1-2.fc39.x86_64
rpm-libs-4.18.92-1.fc39.x86_64
rpm-build-libs-4.18.92-1.fc39.x86_64
rpm-sign-libs-4.18.92-1.fc39.x86_64
python3-rpm-4.18.92-1.fc39.x86_64
rpm-4.18.92-1.fc39.x86_64
```

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2619

Message ID: <rpm-software-management/rpm/issues/2619 at github.com>
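The following is an added example, not code from the issue, from RPM or from rpm-sequoia: a small model of the binding-signature lookup behind the "No binding signature at time ..." error above. The key creation date and the package signature time come from the post; the original expiry of the key and the day the `gpg --edit-key` run happened are assumptions, and the "only the new self-signature survives" case is what a stripped or minimized certificate looks like.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class SelfSig:
    """A key's own binding (self-)signature: when it was made and the
    key expiration it asserts (None = never expires)."""
    created: datetime
    key_expires: Optional[datetime]


def binding_signature_at(self_sigs, t):
    """Self-signature in force at time t: the newest one created at or
    before t. A self-signature made after t cannot vouch for the key at t,
    which is the rule modelled here."""
    older = [s for s in self_sigs if s.created <= t]
    return max(older, key=lambda s: s.created) if older else None


def key_valid_at(key_created, self_sigs, t):
    """Return (ok, reason) for verifying with this key a signature made at t."""
    if t < key_created:
        return False, "signature predates key creation"
    sig = binding_signature_at(self_sigs, t)
    if sig is None:
        return False, f"No binding signature at time {t:%Y-%m-%dT%H:%M:%SZ}"
    if sig.key_expires is not None and t >= sig.key_expires:
        return False, f"key expired at {sig.key_expires:%Y-%m-%d}"
    return True, "ok"


KEY_CREATED = datetime(2019, 8, 15, tzinfo=UTC)            # from the post
PKG_SIGNED = datetime(2023, 8, 11, 8, 0, 22, tzinfo=UTC)   # from the error text
# Constructed: assumed original 5-year expiry, and the self-signature that
# `expire` => `5y` => `save` writes, on an assumed edit date of 2023-08-14.
ORIGINAL_SELFSIG = SelfSig(KEY_CREATED, datetime(2024, 8, 13, tzinfo=UTC))
PROLONGED_SELFSIG = SelfSig(datetime(2023, 8, 14, tzinfo=UTC),
                            datetime(2028, 8, 12, tzinfo=UTC))


def check_stripped():
    """Only the new self-signature is present: fails the way RPM reports."""
    return key_valid_at(KEY_CREATED, [PROLONGED_SELFSIG], PKG_SIGNED)


def check_full_history():
    """Both self-signatures present: the 2019 one covers the 2023-08-11 signature."""
    return key_valid_at(KEY_CREATED, [ORIGINAL_SELFSIG, PROLONGED_SELFSIG], PKG_SIGNED)
```

Comparing `check_stripped()` with `check_full_history()` shows why the exported key, not the prolonging itself, decides whether older signatures keep verifying.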