24106 – Mageia gpg release key has expired

Bug 24106 - Mageia gpg release key has expired

Summary: Mageia gpg release key has expired

Status:	RESOLVED FIXED

Alias:	None

Product:	Infrastructure
Classification:	Unclassified
Component:	BuildSystem (show other bugs)
Version:	unspecified
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	Sysadmin Team
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2019-01-01 05:02 CET by Dave Hodgins
Modified:	2019-02-15 04:49 CET (History)
CC List:	2 users (show)

See Also:
Source RPM:
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Dave Hodgins 2019-01-01 05:02:08 CET

[dave@x3 ~]$ gpg --recv-keys EDCA7A90
gpg: requesting key EDCA7A90 from hkp server pool.sks-keyservers.net
gpg: key EDCA7A90: "Mageia Release <release@mageia.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
[dave@x3 ~]$ gpg --list-key EDCA7A90
pub   4096R/EDCA7A90 2012-04-18 [expired: 2018-12-17]
uid                  Mageia Release <release@mageia.org>

Comment 1 Dave Hodgins 2019-01-01 05:32:29 CET

Just in case you're not familiar with it, someone with the private key
has to run "gpg --edit-key 0xEDCA7A90" then enter the command "expire",
then follow the prompts, including entering the passphrase.

After updating on your local keyring, send it to a key server, for example
gpg --keyserver pool.sks-keyservers.net --send-keys 0xEDCA7A90

Comment 2 Martin Whitaker 2019-01-03 22:21:14 CET

Sorry, I don't have the private key. I guess this is a sysadmin task.

CC: sysadmin-bugs => mageia
Assignee: mageia => sysadmin-bugs

Comment 3 Thomas Backlund 2019-01-15 00:53:53 CET

key updated and pushed... it will take a little time before all keyservers gets the update

Status: NEW => RESOLVED
Resolution: (none) => FIXED
CC: (none) => tmb

Comment 4 Dave Hodgins 2019-01-22 20:34:42 CET

Updated key still hasn't shown up on any of the key servers I've checked ...
https://pgp.key-server.io
http://keyserver.ubuntu.com
https://pgp.mit.edu
http://keys.gnupg.net
http://pool.sks-keyservers.net
http://keyserver.pgp.com

Which server was it uploaded to?

While uploading to any of the servers is supposed to eventually sync with all
of them, I find it best to upload a new or changed key to several of them.

If you could run "gpg --export --armor 0xEDCA7A90>release@mageia.org.asc" and
then attach that file to this bug report, I'll upload it to the above servers.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 5 Dave Hodgins 2019-01-22 20:52:31 CET

I also noticed that the packages key has expired too. While it's clear that
rpm ignores the expiry date, it would probably be a good idea to update it too.
$ gpg --list-keys packages@mageia.org
pub   4096R/80420F66 2011-02-07 [expired: 2018-03-15]
uid                  Mageia Packages <packages@mageia.org>

$ rpm -qi gpg-pubkey-80420f66-4d4fe123|grep -i rpm 
Source RPM  : (none)
Version: rpm-4.9.1.3 (NSS-3)

I'm guessing it would require an update of the package rpm itself, to distribute
the updated key.

Comment 6 Dave Hodgins 2019-02-15 04:49:09 CET

Finally found that the update key is now available. Thanks.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.