[Rpm-maint] [rpm-software-management/rpm] RPM distrusts signatures done by previous versions of prolonged keys (Issue #2619)
Pavel Raiskup
notifications at github.com
Thu Aug 17 07:39:03 UTC 2023
In Copr, we "prolong" the expiration time of GPG keys with `gpg --edit-key`, using the `expire` => `5y` => `save` commands. See the [Copr issue](https://github.com/fedora-copr/copr/issues/2878) for more info. After this action, RPM stops trusting all the signatures done _before_ the time of the `gpg --edit-key` action, if they are checked with the updated pub key.
Steps to reproduce with prebuilt packages in Fedora Copr:
1. Import the key, note the validity seems to be from 2019-08-15 to 2028-08-12:
```
$ curl https://download.copr.fedorainfracloud.org/archive/issues/copr-issue-2878/pubkey.gpg > the-key
$ gpg the-key
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa2048 2019-08-15 [SCEA] [expires: 2028-08-12]
3124D2EF76DA4D972F6BE4AC9D60CBB71A3B4456
uid iucar_cran (None) <iucar#cran at copr.fedorahosted.org>
$ rpm --import the-key
```
2. Verify the key:
```
$ rpm -v -K https://download.copr.fedorainfracloud.org/archive/issues/copr-issue-2878/R-CoprManager-0.5.4-1.fc38.copr6265747.noarch.rpm
https://download.copr.fedorainfracloud.org/archive/issues/copr-issue-2878/R-CoprManager-0.5.4-1.fc38.copr6265747.noarch.rpm:
error: Verifying a signature using certificate 3124D2EF76DA4D972F6BE4AC9D60CBB71A3B4456 (iucar_cran (None) <iucar#cran at copr.fedorahosted.org>):
1. Certificate 9D60CBB71A3B4456 invalid: policy violation
because: No binding signature at time 2023-08-11T08:00:22Z
2. Certificate has no valid binding signature as of the signature's creation time, but is valid now. The certificate has probably been stripped or minimized.
error: Verifying a signature using certificate 3124D2EF76DA4D972F6BE4AC9D60CBB71A3B4456 (iucar_cran (None) <iucar#cran at copr.fedorahosted.org>):
1. Certificate 9D60CBB71A3B4456 invalid: policy violation
because: No binding signature at time 2023-08-11T08:00:22Z
2. Certificate has no valid binding signature as of the signature's creation time, but is valid now. The certificate has probably been stripped or minimized.
Header V4 RSA/SHA256 Signature, key ID 1a3b4456: NOTTRUSTED
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 digest: OK
V4 RSA/SHA256 Signature, key ID 1a3b4456: NOTTRUSTED
MD5 digest: OK
```
It is not quite obvious what to do about this. This seems like too pedantic a policy requirement, or is the key prolonged the wrong way?
Reproducible on both Rawhide and Fedora 38. The RPM package versions on Rawhide are:
```
rpm-sequoia-1.4.1-2.fc39.x86_64
rpm-libs-4.18.92-1.fc39.x86_64
rpm-build-libs-4.18.92-1.fc39.x86_64
rpm-sign-libs-4.18.92-1.fc39.x86_64
python3-rpm-4.18.92-1.fc39.x86_64
rpm-4.18.92-1.fc39.x86_64
```
https://github.com/rpm-software-management/rpm/issues/2619
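The error text above ("No binding signature at time ...", "The certificate has probably been stripped or minimized") describes a time-based policy: a package signature made at time T is only trusted if the certificate carried a self-signature that already existed at T and had not expired at T. The following is an added example, not code from the original post or from rpm, Copr or Sequoia, that models that check on hand-built OpenPGP (RFC 4880) packets. The key material is dummy (no real signature verification happens); the 2019-08-15 key creation, the 2028-08-12 expiry and the 2023-08-11T08:00:22Z package signature time are taken from the post, while the original 4-year validity, the 2023-08-14 prolong date and the user ID are assumptions. The "minimized" certificate (only the newest self-signature exported) is one reading of the error message, modelled here as a hypothesis, not as the confirmed cause in Copr.

```python
"""Model of the 'binding signature at signature time' policy check.

Added example (not rpm/Copr/Sequoia code). Certificates are constructed by
hand with dummy MPIs; only the timeline of self-signatures is meaningful.
"""
import struct
from datetime import datetime, timezone

SIG_CREATION_TIME = 2            # subpacket: signature creation time
KEY_EXPIRATION = 9               # subpacket: seconds after key creation
SELF_CERT_TYPES = {0x13, 0x1F}   # positive uid certification, direct-key sig


def _ts(s):
    """UTC ISO-8601 string -> Unix timestamp."""
    return int(datetime.fromisoformat(s).replace(tzinfo=timezone.utc).timestamp())


def _subpacket(kind, payload):
    # one-octet length (< 192) covering type + payload, then type, then payload
    return bytes([len(payload) + 1, kind]) + payload


def _packet(tag, body):
    # new-format header with a one-octet body length (body < 192 bytes)
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body


def pubkey_packet(created):
    # v4 public key: version, creation time, algorithm (1 = RSA), dummy MPI
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + b"\x00\x08\xab"
    return _packet(6, body)


def selfsig_packet(sig_type, created, expires_after):
    # v4 signature: version, type, RSA, SHA-256, hashed subpackets, no unhashed
    hashed = _subpacket(SIG_CREATION_TIME, struct.pack(">I", created))
    hashed += _subpacket(KEY_EXPIRATION, struct.pack(">I", expires_after))
    body = b"\x04" + bytes([sig_type, 1, 8])
    body += struct.pack(">H", len(hashed)) + hashed
    body += b"\x00\x00" + b"\x12\x34" + b"\x00\x08\xab"  # unhashed, hash prefix, MPI
    return _packet(2, body)


def parse_packets(blob):
    """Yield (tag, body) for new-format packets with one-octet lengths."""
    i = 0
    while i < len(blob):
        hdr = blob[i]
        assert hdr & 0xC0 == 0xC0, "only new-format packets are handled"
        tag, length = hdr & 0x3F, blob[i + 1]
        yield tag, blob[i + 2:i + 2 + length]
        i += 2 + length


def parse_subpackets(data):
    """Return {type: payload} for subpackets with one-octet lengths."""
    out, i = {}, 0
    while i < len(data):
        length = data[i]
        assert length < 192
        out[data[i + 1]] = data[i + 2:i + 1 + length]
        i += 1 + length
    return out


def parse_cert(blob):
    """Return (key_creation, [(selfsig_created, absolute_key_expiry), ...])."""
    key_created, selfsigs = None, []
    for tag, body in parse_packets(blob):
        if tag == 6:                     # public-key packet
            key_created = struct.unpack(">I", body[1:5])[0]
        elif tag == 2 and body[1] in SELF_CERT_TYPES:   # self-signature
            hashed_len = struct.unpack(">H", body[4:6])[0]
            subs = parse_subpackets(body[6:6 + hashed_len])
            created = struct.unpack(">I", subs[SIG_CREATION_TIME])[0]
            expiry = key_created + struct.unpack(">I", subs[KEY_EXPIRATION])[0]
            selfsigs.append((created, expiry))
    return key_created, selfsigs


def binding_signature_at(cert, t):
    """The self-signature that bound the key at time t (newest wins), or None."""
    live = [s for s in parse_cert(cert)[1] if s[0] <= t < s[1]]
    return max(live) if live else None


def verify_policy(cert, sig_time):
    """Decision for a package signed at sig_time, mirroring the rpm error."""
    if binding_signature_at(cert, sig_time) is None:
        return "NOTTRUSTED: no binding signature at signature time"
    return "OK"


# Constructed timeline (assumed: 4-year original validity, prolonged 2023-08-14).
KEY_CREATED = _ts("2019-08-15")
ORIG_EXPIRES = _ts("2023-08-15")
PROLONGED_AT = _ts("2023-08-14")
NEW_EXPIRES = _ts("2028-08-12")
PKG_SIGNED = _ts("2023-08-11T08:00:22")       # time from the rpm -K output

UID = _packet(13, b"iucar_cran")               # assumed user ID packet
OLD_SIG = selfsig_packet(0x13, KEY_CREATED, ORIG_EXPIRES - KEY_CREATED)
NEW_SIG = selfsig_packet(0x13, PROLONGED_AT, NEW_EXPIRES - KEY_CREATED)
FULL_CERT = pubkey_packet(KEY_CREATED) + UID + OLD_SIG + NEW_SIG
MINIMIZED_CERT = pubkey_packet(KEY_CREATED) + UID + NEW_SIG   # old self-sig stripped

if __name__ == "__main__":
    print("full cert     :", verify_policy(FULL_CERT, PKG_SIGNED))
    print("minimized cert:", verify_policy(MINIMIZED_CERT, PKG_SIGNED))
```

With both self-signatures present, the 2019 self-signature still covers 2023-08-11 and the package verifies; with only the prolonged self-signature, nothing bound the key at the package's signing time and the result matches the NOTTRUSTED seen above. A quick way to see which case a real key is in is `gpg --list-packets the-key`, which prints every signature packet with its creation time and key-expiration subpacket.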