[Savannah-register-public] [task #15140] Automatically updating GPG keys when expired

[Tim Ruehsen]

Follow-up Comment #2, task #15140 (project administration):

The report was "wget-1.20.1.tar.gz signed with expired key" and had the
following message:


I was rather surprised to see that the key used to sign a release on December
26 expired on July 12. Is it legit?

$ curl https://ftp.gnu.org/gnu/gnu-keyring.gpg | gpg --import
...
$ gpg --verify wget-1.20.1.tar.gz.sig
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made December 26, 2018 at 08:12:51 PM UTC using RSA key ID
A2670428
gpg: Good signature from "Tim Rühsen <address@hidden>"
gpg: Note: This key has expired!
Primary key fingerprint: 1CB2 7DBC 9861 4B2D 5841  646D 0830 2DB6 A267 0428

$ gpg --list-key A2670428
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
pub   4096R/A2670428 2014-06-26 [expired: 2018-06-12]
uid                  Tim Rühsen <address@hidden>


So my key wasn't expired since 2016 but since 2018-06-12.

A possible quick solution would be to have a crontab daily/weekly checking for
soon-to-expire keys and to inform those people via an automated email
(including steps on how to update expiration date and how to upload to key
servers and how to update to Savannah).

Then a second crontab could check all GPG keys on a public key server. And
download those keys whose expiration date has been changed (e.g. it could be
that someone changed the expiration date from 'never' to a concrete future
date).


    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/task/?15140>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/