Following Fedora’s migration to Sequoia PGP, it seems that it isn’t possible to import an expired signing key anymore.
rpm --import https://some.domain/public-keys/SOME_EXPIRED_RPM_KEY.public
error: Certificate <CERT_ID>: The certificate is expired: The primary key is not live
error: https://some.domain/public-keys/SOME_EXPIRED_RPM_KEY.public: key 1 import failed.
I’d like to know what a third party can do to allow older versions of a package to be installed despite the expired GPG key. To be precise, the GPG key is expired but not revoked, so it shouldn’t be an issue. One option I’m aware of would be to re-sign older packages, but it involves changing the checksum of the package, which is a bad practice we’d like to avoid. Any suggestions? Or is this an issue to redirect to rpm-sequoia directly?
Hi Antoine,
Antoine Zellmeyer via devel devel@lists.fedoraproject.org writes:
> Following Fedora’s migration to Sequoia PGP, it seems that it isn’t possible to import an expired signing key anymore.
> rpm --import https://some.domain/public-keys/SOME_EXPIRED_RPM_KEY.public
> error: Certificate <CERT_ID>: The certificate is expired: The primary key is not live
> error: https://some.domain/public-keys/SOME_EXPIRED_RPM_KEY.public: key 1 import failed.
> I’d like to know what a third party can do to allow older versions of a package to be installed despite the expired GPG key. To be precise, the GPG key is expired but not revoked, so it shouldn’t be an issue. One option I’m aware of would be to re-sign older packages, but it involves changing the checksum of the package, which is a bad practice we’d like to avoid. Any suggestions? Or is this an issue to redirect to rpm-sequoia directly?
Thanks for identifying this issue and reporting it. In general, a certificate that has expired or been soft revoked (i.e., not compromised [1]) should still be able to verify signatures made before the certificate expired or was soft revoked. I've opened an issue in rpm-sequoia [2].
:) Neal
[1] https://datatracker.ietf.org/doc/html/rfc4880#section-5.2.3.23
[2] https://github.com/rpm-software-management/rpm-sequoia/issues/59
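To make the rule Neal states concrete, here is a small model of the liveness check, written as an added example for this thread and not taken from rpm-sequoia. It assumes Sequoia's split of RFC 4880 section 5.2.3.23 revocation reasons into hard (compromised, no reason given) and soft (superseded, retired); the certificate and timestamps are constructed.

```python
"""Constructed model: an expired or soft-revoked certificate still verifies
signatures made while it was live; a hard revocation never verifies anything."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# RFC 4880 section 5.2.3.23 "Reason for Revocation" codes.
NO_REASON, KEY_SUPERSEDED, KEY_COMPROMISED, KEY_RETIRED = 0x00, 0x01, 0x02, 0x03
# Assumption (Sequoia's policy): compromised or unspecified reasons are hard.
HARD_REASONS = {NO_REASON, KEY_COMPROMISED}


@dataclass
class Cert:
    created: datetime
    validity: Optional[timedelta]            # None: the key never expires
    revoked_at: Optional[datetime] = None
    revocation_reason: Optional[int] = None

    def expires_at(self) -> Optional[datetime]:
        return None if self.validity is None else self.created + self.validity


def is_live(cert: Cert, at: datetime) -> bool:
    """True if the primary key was live at `at`: already created, not yet expired."""
    if at < cert.created:
        return False
    exp = cert.expires_at()
    return exp is None or at < exp


def signature_acceptable(cert: Cert, sig_created: datetime, now: datetime):
    """Decide whether a signature made at `sig_created` should verify at `now`.
    Liveness is evaluated at the signature's creation time, not at `now`;
    checking liveness at `now` is exactly what rejected the expired key above."""
    if cert.revoked_at is not None and cert.revocation_reason in HARD_REASONS:
        return False, "hard revocation: every signature is rejected"
    if cert.revoked_at is not None and sig_created >= cert.revoked_at:
        return False, "signature made after a soft revocation"
    if not is_live(cert, sig_created):
        return False, "key was not live when the signature was made"
    return True, "ok"


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


if __name__ == "__main__":
    key = Cert(created=utc(2020, 1, 1), validity=timedelta(days=730))
    print(signature_acceptable(key, utc(2021, 6, 1), now=utc(2024, 1, 1)))
```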
Thanks! I'll follow this issue. And sorry for the duplicate thread, I double-clicked on the send button by mistake and it seems to have created a duplicate ^^'
Hi Antoine
Antoine Zellmeyer via devel devel@lists.fedoraproject.org writes:
> Thanks! I'll follow this issue.
Great. I posted a fix. It would be helpful if you could test that it works for your case. Specifically, it would be helpful to hear back that it:
- imports the certificate, and
- you are able to install packages signed by the expired certificate.
Note: you only need to rebuild rpm-sequoia; you don't have to rebuild rpm. When running rpm and rpmkeys, use LD_PRELOAD to override the library.
:) Neal
Hi Neal
Sorry for the late answer. It seems to be working :) I was able to import and install packages signed with this certificate.
Thanks again,
Antoine
Antoine Zellmeyer via devel devel@lists.fedoraproject.org writes:
> Sorry for the late answer. It seems to be working :) I was able to import and install packages signed with this certificate.
Thanks for confirming that it works as expected. I've made a new release of rpm-sequoia, which includes this fix. I expect that decathorpe will package it in the coming days.
:) Neal