public inbox for cygwin@cygwin.com
 help / color / mirror / Atom feed
* setup-x86_64.exe gpg signing key expired?
@ 2022-09-02 21:47 Jim Garrison
  2022-09-02 22:25 ` Jon Turney
  0 siblings, 1 reply; 3+ messages in thread
From: Jim Garrison @ 2022-09-02 21:47 UTC (permalink / raw)
  To: cygwin

It appears the key expired 2022-02-26, so I presume this is known. I
bring it up on the slim chance it hasn't been noticed or reported yet.

$ gpg --verify setup-x86_64.exe.sig
gpg: assuming signed data in 'setup-x86_64.exe'
gpg: Signature made Fri, Jun 24, 2022 05:48:55 PDT
gpg:                using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: checking the trustdb
gpg: public key CCB2EB46E76CF6D0 is 35475 seconds newer than the signature
gpg: marginals needed: 3  completes needed: 1  trust model: classic
gpg: depth: 0  valid:   3  signed:   3  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1  valid:   3  signed:   0  trust: 2-, 0q, 0n, 0m, 1f, 0u
gpg: next trustdb check due at 2023-04-30
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
gpg: Signature made Fri, Jun 24, 2022 05:48:55 PDT
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 5640 5CF6 FCC8 1574 682A  5D56 1A69 8DE9 E2E5 6300

...and...

$ gpg -k 56405CF6FCC81574682A5D561A698DE9E2E56300
pub   rsa4096 2020-02-27 [SC] [expired: 2022-02-26]
       56405CF6FCC81574682A5D561A698DE9E2E56300
uid           [ expired] Cygwin <cygwin@cygwin.com>

Cheers!

-- 
Jim Garrison
jhg@acm.org

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: setup-x86_64.exe gpg signing key expired?
  2022-09-02 21:47 setup-x86_64.exe gpg signing key expired? Jim Garrison
@ 2022-09-02 22:25 ` Jon Turney
  2022-09-02 22:45   ` Jim Garrison
  0 siblings, 1 reply; 3+ messages in thread
From: Jon Turney @ 2022-09-02 22:25 UTC (permalink / raw)
  To: jhg, The Cygwin Mailing List

On 02/09/2022 22:47, Jim Garrison via Cygwin wrote:
> It appears the key expired 2022-02-26, so I presume this is known. I
> bring it up on the slim chance it hasn't been noticed or reported yet.

Refetch the key from https://cygwin.com/key/pubring.asc or a keysever.

We periodically extend the expiration date and re-issue the key.

This avoids using a key without an expiration date, whilst also avoiding 
unnecessary key rotations when the initial expiration date is reached.

> $ gpg -k 56405CF6FCC81574682A5D561A698DE9E2E56300
> pub   rsa4096 2020-02-27 [SC] [expires: 2024-03-02]
>       56405CF6FCC81574682A5D561A698DE9E2E56300
> uid           [ultimate] Cygwin <cygwin@cygwin.com>
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: setup-x86_64.exe gpg signing key expired?
  2022-09-02 22:25 ` Jon Turney
@ 2022-09-02 22:45   ` Jim Garrison
  0 siblings, 0 replies; 3+ messages in thread
From: Jim Garrison @ 2022-09-02 22:45 UTC (permalink / raw)
  To: cygwin

On 09/02/22 15:25, Jon Turney wrote:
> On 02/09/2022 22:47, Jim Garrison via Cygwin wrote:
>> It appears the key expired 2022-02-26, so I presume this is known. I
>> bring it up on the slim chance it hasn't been noticed or reported yet.
> 
> Refetch the key from https://cygwin.com/key/pubring.asc or a keysever.
> 
> We periodically extend the expiration date and re-issue the key.
> 
> This avoids using a key without an expiration date, whilst also avoiding 
> unnecessary key rotations when the initial expiration date is reached.
> 
>> $ gpg -k 56405CF6FCC81574682A5D561A698DE9E2E56300
>> pub   rsa4096 2020-02-27 [SC] [expires: 2024-03-02]
>>       56405CF6FCC81574682A5D561A698DE9E2E56300
>> uid           [ultimate] Cygwin <cygwin@cygwin.com>
>>
> 

Got it, thanks.

-- 
Jim Garrison
jhg@acm.org

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2022-09-02 22:45 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-09-02 21:47 setup-x86_64.exe gpg signing key expired? Jim Garrison
2022-09-02 22:25 ` Jon Turney
2022-09-02 22:45   ` Jim Garrison

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).