Page MenuHome GnuPG

Prolonging expiration date strips old signatures, confusing RPM
Open, NormalPublic


The copr build service is using gnupg2 to extend the validity of the signing keys using

gpg --edit-key
expire 5y

sequence. The exported key contains only the new signature. This is likely ok for email usage, but it is problematic for RPM usage as we still want to keep trusting the signatures made before the validity extension without the need to re-sign everything.

It might be that copr is doing something wrong and there is other/better/preferred way to extend key validity using gpg tools so any help/pointer welcomed.


Event Timeline

gpg only uses the latest self-signatures and ignores old one. Thus I do not understand your problem.

BTW. you should use gpg --quick-set-expire FINGERPRINT 5y this is easier for scripting. Using
--export-options no-export-clean should keep the old signatures.

werner triaged this task as Normal priority.Tue, Aug 29, 1:40 PM
werner edited projects, added Support; removed Bug Report.

Thank you for the response, @werner! (original reporter here)

I tested these two commands:

$ gpg --export-options no-export-clean --export -a "$user"
$ gpg --export -a "$user"

But they both provide 1:1 the same output (even if not --armored)