Topic: Expired gpg key in nano PKGBUILD "validpgpkeys" field - is this normal or a bug?

Expired gpg key in nano PKGBUILD "validpgpkeys" field - is this normal or a bug?

I was building nano from the binary package PKGBUILD, but couldn't import one of the keys until I added an extra keyserver to my /etc/pacman.d/gnupg/gpg.conf; the build seemed to require all of the listed keys to be imported, not one or the other.

keyserver keys.openpgp.org
keyserver keys.gnupg.net

But is it normal to have an expired key from a developer in a PKGBUILD alongside the current one, perhaps as some kind of fallback, or should it be reported as a bug upstream if it was some kind of forgotten relic?

https://github.com/archlinux/svntogit-packages/blob/packages/nano/trunk/PKGBUILD

Code:
$ gpg --list-keys
(edit)
pub   dsa1024 2003-04-29 [SCA]
      8DA6FE7BFA7A418AB3CB2354BCB356DF91009FA7
uid           [ unknown] Chris Allegretta <[email protected]>
sub   elg1024 2003-04-29 [E]

pub   rsa2048 2016-06-17 [SC] [expired: 2018-06-17]
      A7F6A64A67DA09EF92782DD79DF4862AF1175C5B
uid           [ expired] Benno Schulenberg <[email protected]>

pub   rsa4096 2017-12-31 [SCA] [expires: 2022-12-30]
      BFD009061E535052AD0DF2150D28D4D2A0ACE884
uid           [ unknown] Benno Schulenberg <[email protected]>
sub   rsa4096 2017-12-31 [E] [expires: 2022-12-30]

(There are 2 keys for Benno, but one has expired.)


EDIT:
https://www.nano-editor.org/download.php

Code:
$ gpg --verify nano-6.0.tar.xz.asc nano-6.0.tar.xz
gpg: Signature made Wed 15 Dec 2021 11:28:55 AM GMT
gpg:                using RSA key BFD009061E535052AD0DF2150D28D4D2A0ACE884
gpg: Good signature from "Benno Schulenberg <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BFD0 0906 1E53 5052 AD0D  F215 0D28 D4D2 A0AC E884

$ gpg --verify nano-6.0.tar.gz.asc nano-6.0.tar.gz
gpg: Signature made Wed 15 Dec 2021 11:28:30 AM GMT
gpg:                using RSA key BFD009061E535052AD0DF2150D28D4D2A0ACE884
gpg: Good signature from "Benno Schulenberg <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BFD0 0906 1E53 5052 AD0D  F215 0D28 D4D2 A0AC E884

It looks like the actual source code is signed using only Benno Schulenberg's current key, so the other ones could probably be taken out of the PKGBUILD, to save hunting around for a keyserver that still contains them so that the package builds cleanly; they seem to have become obsolete now, unless there was some other reason to keep them in there? Presumably, if earlier versions of the source were being built, the git archive for the PKGBUILD to create that version would still contain the relevant keys?
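The check behind the question above, as an added example that is not part of the thread or of the nano package: given a PKGBUILD's validpgpkeys list, a `gpg --list-keys --with-colons` listing of the local keyring, and the human-readable output of `gpg --verify`, report which listed fingerprints are missing from the keyring, which are expired, and whether the key that actually signed the tarball is one of the acceptable ones. The colon-format listing, the 40-zero "missing" fingerprint and the `NOW` timestamp are constructed for the example; the three real fingerprints and the verify output are the ones quoted in the post.

```python
"""Audit a PKGBUILD validpgpkeys list against a local gpg keyring listing."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed `gpg --list-keys --with-colons` output for the three keys the
# post lists (sub records omitted).  Field 2 is the validity ('e' = expired,
# '-' = unknown), field 6 the creation time and field 7 the expiration time,
# both as Unix timestamps; "HASH" stands in for the uid hash field.
KEYRING_COLONS = """\
pub:-:1024:17:BCB356DF91009FA7:1051574400:::-:::scaESCA::::::23::0:
fpr:::::::::8DA6FE7BFA7A418AB3CB2354BCB356DF91009FA7:
uid:-::::1051574400::HASH::Chris Allegretta <[email protected]>::::::::::0:
pub:e:2048:1:9DF4862AF1175C5B:1466121600:1529193600::-:::sc::::::23::0:
fpr:::::::::A7F6A64A67DA09EF92782DD79DF4862AF1175C5B:
uid:e::::1466121600::HASH::Benno Schulenberg <[email protected]>::::::::::0:
pub:-:4096:1:0D28D4D2A0ACE884:1514678400:1672358400::-:::scaESCA::::::23::0:
fpr:::::::::BFD009061E535052AD0DF2150D28D4D2A0ACE884:
uid:-::::1514678400::HASH::Benno Schulenberg <[email protected]>::::::::::0:
"""

# validpgpkeys as a PKGBUILD might list them; the all-zero entry is a
# constructed placeholder for a key that is not in the keyring at all.
VALIDPGPKEYS: List[str] = [
    "8DA6FE7BFA7A418AB3CB2354BCB356DF91009FA7",
    "A7F6A64A67DA09EF92782DD79DF4862AF1175C5B",
    "BFD009061E535052AD0DF2150D28D4D2A0ACE884",
    "0" * 40,
]

# The verify output quoted in the post (nano-6.0.tar.xz).
VERIFY_OUTPUT = """\
gpg: Signature made Wed 15 Dec 2021 11:28:55 AM GMT
gpg:                using RSA key BFD009061E535052AD0DF2150D28D4D2A0ACE884
gpg: Good signature from "Benno Schulenberg <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: BFD0 0906 1E53 5052 AD0D  F215 0D28 D4D2 A0AC E884
"""

NOW = 1639526400  # constructed "current time": 2021-12-15 00:00 UTC


def parse_colons(text: str) -> Dict[str, dict]:
    """Map primary-key fingerprint -> {validity, created, expires, uid}."""
    keys: Dict[str, dict] = {}
    current: Optional[dict] = None
    want_primary_fpr = False
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"validity": f[1], "created": int(f[5]),
                       "expires": int(f[6]) if f[6] else None, "uid": None}
            want_primary_fpr = True          # the next fpr record is the primary's
        elif f[0] == "fpr" and current is not None and want_primary_fpr:
            keys[f[9]] = current
            want_primary_fpr = False
        elif f[0] == "sub":
            want_primary_fpr = False         # fpr records after a sub belong to it
        elif f[0] == "uid" and current is not None and current["uid"] is None:
            current["uid"] = f[9]
    return keys


def audit_validpgpkeys(validpgpkeys: List[str], keyring: Dict[str, dict],
                       now: int) -> Dict[str, str]:
    """Classify each listed fingerprint as 'ok', 'expired' or 'missing'."""
    report: Dict[str, str] = {}
    for fpr in validpgpkeys:
        fpr = fpr.upper()
        key = keyring.get(fpr)
        if key is None:
            report[fpr] = "missing"          # needs a keyserver that still has it
        elif key["validity"] == "e" or (key["expires"] is not None
                                        and key["expires"] <= now):
            report[fpr] = "expired"
        else:
            report[fpr] = "ok"
    return report


def primary_fingerprint(verify_output: str) -> Optional[str]:
    """Pull the primary key fingerprint out of human-readable --verify output."""
    m = re.search(r"Primary key fingerprint:\s*([0-9A-F ]+)", verify_output)
    return m.group(1).replace(" ", "") if m else None


def signature_acceptable(verify_output: str, validpgpkeys: List[str],
                         keyring: Dict[str, dict], now: int) -> Tuple[Optional[str], str]:
    """Return (signing primary fingerprint, status) for a verified tarball."""
    fpr = primary_fingerprint(verify_output)
    if fpr is None or "Good signature" not in verify_output:
        return (fpr, "bad-or-unparsed")
    if fpr not in {k.upper() for k in validpgpkeys}:
        return (fpr, "not-in-validpgpkeys")
    return (fpr, audit_validpgpkeys([fpr], keyring, now)[fpr])


if __name__ == "__main__":
    keyring = parse_colons(KEYRING_COLONS)
    for fpr, status in audit_validpgpkeys(VALIDPGPKEYS, keyring, NOW).items():
        print(f"{fpr}  {status:8}  {(keyring.get(fpr) or {}).get('uid', '')}")
    print("tarball signed by:", signature_acceptable(VERIFY_OUTPUT, VALIDPGPKEYS, keyring, NOW))
```

Run against the post's data this reports Chris Allegretta's key and the 2017 Benno Schulenberg key as ok, the 2016 Benno Schulenberg key as expired, the placeholder as missing, and the tarball as signed by the ok 2017 key; the two obsolete entries are exactly the ones a maintainer would consider dropping. For anything scripted, parse `gpg --status-fd 1 --verify` (its `VALIDSIG` line carries the fingerprints) rather than the human-readable output used here, which is locale-dependent.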


Re: Expired gpg key in nano PKGBUILD "validpgpkeys" field - is this normal or a bug?

Reply #1
But is it normal to have an expired key from a developer in a PKGBUILD alongside the current one, perhaps as some kind of fallback, or should it be reported as a bug upstream if it was some kind of forgotten relic?
I'd try asking this same question where it is relevant and can be answered by the original developers (Arch forums and upstream).

Re: Expired gpg key in nano PKGBUILD "validpgpkeys" field - is this normal or a bug?

Reply #2
Thank you for the confirmation of my suspicions in this regard, I have done so now.