
Prolonging expiration date strips old signatures, confusing RPM
Open, Normal, Public

Description

The copr build service is using gnupg2 to extend the validity of the signing keys using

gpg --edit-key
expire 5y
--export

sequence. The exported key contains only the new signature. This is likely ok for email usage, but it is problematic for RPM usage as we still want to keep trusting the signatures made before the validity extension without the need to re-sign everything.

It might be that copr is doing something wrong and there is another/better/preferred way to extend key validity using gpg tools, so any help/pointer is welcome.

Event Timeline

gpg only uses the latest self-signatures and ignores old ones. Thus I do not understand your problem.

BTW, you should use gpg --quick-set-expire FINGERPRINT 5y; this is easier for scripting. Using
--export-options no-export-clean should keep the old signatures.

werner triaged this task as Normal priority. Aug 29 2023, 1:40 PM
werner edited projects, added Support; removed Bug Report.

Thank you for the response, @werner! (original reporter here)

I tested these two commands:

$ gpg --export-options no-export-clean --export -a "$user"
$ gpg --export -a "$user"

But they both provide 1:1 the same output (even if not --armored)
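The thread so far leaves the central question open: does an export actually carry the old self-signature next to the new one, or only the latest? The way to answer it is to look at the packets rather than diff the ASCII-armored blobs. The following is an added example, not code from the GnuPG tracker or the copr project: a small parser for the text that `gpg --list-packets` prints, which lists every self-certification (sigclass 0x10..0x13 issued by the primary key) on each user ID together with its creation time and the "key expires after" subpacket. The embedded dumps are constructed (key IDs, timestamps and packet offsets are made up, and the format is reproduced from memory of gpg 2.2 output, so treat it as an assumption); with a real key you would pipe `gpg --export-options no-export-clean --export KEYID | gpg --list-packets` into it.

```python
"""List the self-certifications on each user ID in a `gpg --list-packets`
dump, so you can see whether an export kept the old self-signature next
to the new one made by `expire` / `--quick-set-expire`.

Added example; not code from the GnuPG tracker or the copr project. The
sample dumps are constructed from memory of the gpg 2.2 --list-packets
text format (assumed, not captured from a real key).
"""
import re
from collections import defaultdict

PRIMARY_KEYID = "1122334455667788"   # constructed, not a real key
SUBKEY_KEYID = "99AABBCCDDEEFF00"    # constructed
KEY_CREATED = 1598000000             # 2020-08-21, constructed


def _sig_block(created, sig_date, expires_after, sigclass="0x13"):
    """One signature packet as --list-packets prints it. The subpacket-9
    value ("key expires after") is relative to the key creation time."""
    return (f":signature packet: algo 1, keyid {PRIMARY_KEYID}\n"
            f"\tversion 4, created {created}, md5len 0, sigclass {sigclass}\n"
            "\tdigest algo 8, begin of digest ab cd\n"
            f"\thashed subpkt 2 len 4 (sig created {sig_date})\n"
            f"\thashed subpkt 9 len 4 (key expires after {expires_after})\n"
            "\thashed subpkt 27 len 1 (key flags: 03)\n"
            f"\tsubpkt 16 len 8 (issuer key ID {PRIMARY_KEYID})\n"
            "\tdata: [3071 bits]\n")


HEADER = ("# off=0 ctb=99 tag=6 hlen=3 plen=397\n"
          ":public key packet:\n"
          f"\tversion 4, algo 1, created {KEY_CREATED}, expires 0\n"
          "\tpkey[0]: [3072 bits]\n"
          "\tpkey[1]: [17 bits]\n"
          f"\tkeyid: {PRIMARY_KEYID}\n"
          "# off=400 ctb=b4 tag=13 hlen=2 plen=33\n"
          ':user ID packet: "Copr Test <copr-test@example.com>"\n')
OLD_SIG = _sig_block(KEY_CREATED, "2020-08-21", "3y0d0h0m")   # original self-sig
NEW_SIG = _sig_block(1693300000, "2023-08-29", "8y0d0h0m")    # after extending expiry
SUBKEY = (":public sub key packet:\n"
          f"\tversion 4, algo 1, created {KEY_CREATED}, expires 0\n"
          f"\tkeyid: {SUBKEY_KEYID}\n"
          + _sig_block(KEY_CREATED, "2020-08-21", "3y0d0h0m", "0x18"))  # binding sig

FULL_EXPORT = HEADER + OLD_SIG + NEW_SIG + SUBKEY   # what no-export-clean should keep
CLEANED_EXPORT = HEADER + NEW_SIG + SUBKEY          # old self-sig dropped

SIG_RE = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-Fa-f]+)")
VER_RE = re.compile(r"^\s*version \d+, created (\d+), .*sigclass 0x([0-9a-fA-F]{2})")
EXP_RE = re.compile(r"key expires after (\S+)\)")
UID_RE = re.compile(r'^:user ID packet: "(.*)"')
KEYID_RE = re.compile(r"^\s*keyid: ([0-9A-Fa-f]+)")


def self_certifications(listing):
    """Return {uid: [(created, expires_after), ...]} sorted by creation time,
    counting only 0x10..0x13 certifications issued by the primary key."""
    primary, in_primary, uid, sig = None, False, None, None
    found = defaultdict(list)
    for line in listing.splitlines():
        if line.startswith("#"):                 # offset/tag comment lines
            continue
        if line.startswith(":"):                 # a new packet begins
            sig = None
            in_primary = line.startswith(":public key packet:")
            m = UID_RE.match(line)
            if m:
                uid = m.group(1)
            elif (m := SIG_RE.match(line)):
                sig = {"issuer": m.group(1).upper(), "uid": uid}
            else:
                uid = None                       # subkey packets end the UID context
            continue
        if in_primary and (m := KEYID_RE.match(line)):
            primary = m.group(1).upper()
        if sig is None:
            continue
        if (m := VER_RE.match(line)):
            sigclass = int(m.group(2), 16)
            if sig["uid"] is None or sig["issuer"] != primary or not 0x10 <= sigclass <= 0x13:
                sig = None                       # not a self-certification on a UID
                continue
            sig["rec"] = [int(m.group(1)), None]
            found[sig["uid"]].append(sig["rec"])
        elif "rec" in sig and (m := EXP_RE.search(line)):
            sig["rec"][1] = m.group(1)           # fill in the expiry subpacket
    return {u: sorted(tuple(r) for r in recs) for u, recs in found.items()}


def old_self_sig_survived(listing, uid):
    """True when the UID still carries more than one self-certification."""
    return len(self_certifications(listing).get(uid, [])) > 1


if __name__ == "__main__":
    for name, dump in (("no-export-clean", FULL_EXPORT), ("plain export", CLEANED_EXPORT)):
        print(name, self_certifications(dump))
```

Run on the two constructed dumps, the first reports both certifications on the user ID (the 2020 one with a 3-year expiry and the 2023 one with the extended expiry), the second only the latest. Running the same parser over the output of the two export commands quoted above is the direct way to confirm whether they really differ in packet content or only, as observed, not at all.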