From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <jhg@jhmg.net>
Received: from smtp.jhmg.net (smtp.jhmg.net [147.182.185.113])
	by sourceware.org (Postfix) with ESMTPS id 0E6B73858D1E
	for <cygwin@cygwin.com>; Fri,  2 Sep 2022 21:47:53 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 0E6B73858D1E
Authentication-Results: sourceware.org; dmarc=pass (p=reject dis=none) header.from=jhmg.net
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=jhmg.net
Received: from [192.168.10.7] (c-98-232-160-103.hsd1.or.comcast.net [98.232.160.103])
	(Authenticated sender: jhg)
	by smtp.jhmg.net (Postfix) with ESMTPSA id 5AF4760849
	for <cygwin@cygwin.com>; Fri,  2 Sep 2022 21:47:52 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=jhmg.net; s=smtp;
	t=1662155272; bh=VQY0wnls48zXZ6qmuC5ltZzVIyWuL0JRhX76Afbf5Qo=;
	h=Date:Reply-To:To:From:Subject:From;
	b=jr38TM/Tyuli3SU/STTxyS87aTEEIn9TCsOdYiHNHrRdNRZ6uZoPn+ubgUUvkL0EI
	 p2H2lRUlfwdo7SSjIjlVV5dK5IVCSQEaRwvMgWd5SmggbWLIiAolNT1Bd1N1R5hVEm
	 hIN5zzDGxWFZK3avti2062GM1kabWP957qLF6zOw=
Message-ID: <4fc205ea-6501-c983-297b-97610d39e9c7@jhmg.net>
Date: Fri, 2 Sep 2022 14:47:51 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Firefox/91.0 Thunderbird/91.13.0
Reply-To: jhg@acm.org
Content-Language: en-US
To: cygwin@cygwin.com
From: Jim Garrison <jhg@jhmg.net>
Subject: setup-x86_64.exe gpg signing key expired?
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-2.3 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_PASS,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <cygwin.cygwin.com>

It appears the key expired 2022-02-26, so I presume this is known. I
bring it up on the slim chance it hasn't been noticed or reported yet.

$ gpg --verify setup-x86_64.exe.sig
gpg: assuming signed data in 'setup-x86_64.exe'
gpg: Signature made Fri, Jun 24, 2022 05:48:55 PDT
gpg:                using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: checking the trustdb
gpg: public key CCB2EB46E76CF6D0 is 35475 seconds newer than the signature
gpg: marginals needed: 3  completes needed: 1  trust model: classic
gpg: depth: 0  valid:   3  signed:   3  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1  valid:   3  signed:   0  trust: 2-, 0q, 0n, 0m, 1f, 0u
gpg: next trustdb check due at 2023-04-30
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [full]
gpg: Signature made Fri, Jun 24, 2022 05:48:55 PDT
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 5640 5CF6 FCC8 1574 682A  5D56 1A69 8DE9 E2E5 6300

...and...

$ gpg -k 56405CF6FCC81574682A5D561A698DE9E2E56300
pub   rsa4096 2020-02-27 [SC] [expired: 2022-02-26]
       56405CF6FCC81574682A5D561A698DE9E2E56300
uid           [ expired] Cygwin <cygwin@cygwin.com>

Cheers!

-- 
Jim Garrison
jhg@acm.org