Bug #2931
Updated by bill-auger over 3 years ago
this is a recurring problem that happens whenever a signing key is expired and renewed - it causes pacman to reject packages with verified valid signatures, even after the signing key is renewed, and even after the keyring package is rebuilt renewed - it is not obvious why it should do so, or which software is governing that behavior, making it be so, eg: the keyring package or its build process, the packaging metadata, process, or some interaction between pacman/gpg
we have tried removing the identity of the person with the expired key from the keyring (the normal way, per hackers.git), then re-adding it; but that did not help - most of the experiments have been focussed on the keyring package build process - lately i am looking towards other explanations
some experiments to try:
1) simply replace the signatures with new ones
2) run librerelease on the packages again
3) rebuild the packages
4) rebuild the keyring, with the signing key specified in hackers.git, instead of, or in addition to, the master key
my current theory, is that perhaps this is all expected behavior, and pacman-key is doing the thing right, but doing the wrong thing, by considering preferring (intentionally or not) to consider valid signatures from a presently expired key kwy to be unacceptable - invalid that is would presumably be due to the gpg exit status, although the program reports that it is a "good signature" - however that still would not explain why the warning /rejection persists after the key is renewed then the keyring package is rebuilt
pacman-key should consider the "good signature" per gpg to be of greater significance than the expiry date, and sufficient for package signature verification, unless the key was revoked -
the expiry notice is a less significant than a warning, indicating no problem with the primary functionality in question: verifying the integrity/authenticity of a file/signature pair - if it were an invalid signature, or any error condition at all, i would expect: "Note:", would be rather like "Warning:", "Important!:", "Error:", etc
worse though, pacman indicates to the user, that the key has "unknown trust", which is misleading - it has exactly the same trust as before the expiry date, because nothing has changed - gpg is not reporting any error, and is not indicating any fault with the package verification - it is entirely a web-of-trust concern
it is a friendly reminder to the user, to contact this person, asking for that signature to be renewed, if the file in question is still valuable - if that person does not respond, nor extend the expiry, only then would it have a potential to become problematic - again, purely a web-of-trust or team management problem though - the package will always be faithfully verifiable just as the day it was published
we have tried removing the identity of the person with the expired key from the keyring (the normal way, per hackers.git), then re-adding it; but that did not help - most of the experiments have been focussed on the keyring package build process - lately i am looking towards other explanations
some experiments to try:
1) simply replace the signatures with new ones
2) run librerelease on the packages again
3) rebuild the packages
4) rebuild the keyring, with the signing key specified in hackers.git, instead of, or in addition to, the master key
my current theory, is that perhaps this is all expected behavior, and pacman-key is doing the thing right, but doing the wrong thing, by considering preferring (intentionally or not) to consider valid signatures from a presently expired key kwy to be unacceptable - invalid that is would presumably be due to the gpg exit status, although the program reports that it is a "good signature" - however that still would not explain why the warning /rejection persists after the key is renewed then the keyring package is rebuilt
pacman-key should consider the "good signature" per gpg to be of greater significance than the expiry date, and sufficient for package signature verification, unless the key was revoked -
the expiry notice is a less significant than a warning, indicating no problem with the primary functionality in question: verifying the integrity/authenticity of a file/signature pair - if it were an invalid signature, or any error condition at all, i would expect: "Note:", would be rather like "Warning:", "Important!:", "Error:", etc
worse though, pacman indicates to the user, that the key has "unknown trust", which is misleading - it has exactly the same trust as before the expiry date, because nothing has changed - gpg is not reporting any error, and is not indicating any fault with the package verification - it is entirely a web-of-trust concern
it is a friendly reminder to the user, to contact this person, asking for that signature to be renewed, if the file in question is still valuable - if that person does not respond, nor extend the expiry, only then would it have a potential to become problematic - again, purely a web-of-trust or team management problem though - the package will always be faithfully verifiable just as the day it was published