Expired gpg key in nano PKGBUILD "validpgpkeys" field - is this normal or a bug?
I was building nano from the binary package PKGBUILD, but couldn't import one of the keys until I added an extra keyserver to my /etc/pacman.d/gnupg/gpg.conf. The build seemed to require all of the listed keys to be imported, not one or the other.
keyserver keys.openpgp.org
keyserver keys.gnupg.net
But is it normal to have an expired key from a developer in a PKGBUILD alongside the current one, perhaps as some kind of fallback, or should it be reported as a bug upstream if it was some kind of forgotten relic?
https://github.com/archlinux/svntogit-packages/blob/packages/nano/trunk/PKGBUILD
$ gpg --list-keys
(edit)
pub dsa1024 2003-04-29 [SCA]
8DA6FE7BFA7A418AB3CB2354BCB356DF91009FA7
uid [ unknown] Chris Allegretta <[email protected]>
sub elg1024 2003-04-29 [E]
pub rsa2048 2016-06-17 [SC] [expired: 2018-06-17]
A7F6A64A67DA09EF92782DD79DF4862AF1175C5B
uid [ expired] Benno Schulenberg <[email protected]>
pub rsa4096 2017-12-31 [SCA] [expires: 2022-12-30]
BFD009061E535052AD0DF2150D28D4D2A0ACE884
uid [ unknown] Benno Schulenberg <[email protected]>
sub rsa4096 2017-12-31 [E] [expires: 2022-12-30]
(There are 2 keys for Benno, but one has expired.)
EDIT:
https://www.nano-editor.org/download.php
$ gpg --verify nano-6.0.tar.xz.asc nano-6.0.tar.xz
gpg: Signature made Wed 15 Dec 2021 11:28:55 AM GMT
gpg: using RSA key BFD009061E535052AD0DF2150D28D4D2A0ACE884
gpg: Good signature from "Benno Schulenberg <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BFD0 0906 1E53 5052 AD0D F215 0D28 D4D2 A0AC E884
$ gpg --verify nano-6.0.tar.gz.asc nano-6.0.tar.gz
gpg: Signature made Wed 15 Dec 2021 11:28:30 AM GMT
gpg: using RSA key BFD009061E535052AD0DF2150D28D4D2A0ACE884
gpg: Good signature from "Benno Schulenberg <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BFD0 0906 1E53 5052 AD0D F215 0D28 D4D2 A0AC E884
It looks like the actual source code is signed using only Benno Schulenberg's current key, so probably the other ones could be taken out of the PKGBUILD to save hunting around for a keyserver that still contains them, so that the package builds cleanly. They seem to have become obsolete now, unless there was some other reason to keep them in there? Presumably, if earlier versions of the source were being built, the git archive for the PKGBUILD to create that version would still contain the relevant keys?
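As an added example (not from the post or the nano PKGBUILD), this shell function checks a PKGBUILD's validpgpkeys fingerprints against the local keyring before running makepkg, reporting which are missing, expired or revoked; the keyring listing it parses here is a constructed, abbreviated sample mirroring the three keys above.

```shell
# Report, for each fingerprint given as an argument, whether the keyring listing
# on stdin (`gpg --with-colons --list-keys`) has it and whether it is usable.
# Exit status 1 if any key is missing, expired or revoked.
keyring_status() {
    awk -F: -v want="$*" '
    BEGIN { n = split(want, w, " ") }
    # field 2 of a "pub" record is the validity code (e = expired, r = revoked);
    # the "fpr" record that follows it carries the primary fingerprint in field 10
    $1 == "pub" { validity = $2; pending = 1 }
    $1 == "fpr" && pending { status[$10] = validity; pending = 0 }
    END {
        rc = 0
        for (i = 1; i <= n; i++) {
            f = w[i]
            if (!(f in status))        { s = "missing"; rc = 1 }
            else if (status[f] == "e") { s = "expired"; rc = 1 }
            else if (status[f] == "r") { s = "revoked"; rc = 1 }
            else                       { s = "present" }
            print f " " s
        }
        exit rc
    }'
}

# Constructed, abbreviated --with-colons listing for the three keys in the post
# (dates and most other fields omitted; the all-zero subkey fingerprint is fake).
SAMPLE_LISTING='pub:-:1024:17:BCB356DF91009FA7:::-:::scESCA::::::::::0:
fpr:::::::::8DA6FE7BFA7A418AB3CB2354BCB356DF91009FA7:
sub:-:1024:16:0000000000000000:::::::e::::::::
fpr:::::::::0000000000000000000000000000000000000000:
pub:e:2048:1:9DF4862AF1175C5B:::-:::sc::::::::::0:
fpr:::::::::A7F6A64A67DA09EF92782DD79DF4862AF1175C5B:
pub:-:4096:1:0D28D4D2A0ACE884:::-:::scESCA::::::::::0:
fpr:::::::::BFD009061E535052AD0DF2150D28D4D2A0ACE884:'

# Against a real PKGBUILD, get the fingerprints without sourcing it as shell:
#   makepkg --printsrcinfo | awk '$1 == "validpgpkeys" { print $3 }'
# and feed `gpg --with-colons --list-keys` instead of the sample below.
printf '%s\n' "$SAMPLE_LISTING" | keyring_status \
    8DA6FE7BFA7A418AB3CB2354BCB356DF91009FA7 \
    A7F6A64A67DA09EF92782DD79DF4862AF1175C5B \
    BFD009061E535052AD0DF2150D28D4D2A0ACE884 \
    || echo "at least one validpgpkeys entry needs attention"
```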