Release 0.8.0 signed with expired key #317

Closed
ErickStaal opened this issue May 10, 2019 · 8 comments

@ErickStaal

ErickStaal commented May 10, 2019

When trying to verify the new package

gpg --verify cni-plugins-linux-amd64-v0.8.0.tgz.asc cni-plugins-linux-amd64-v0.8.0.tgz

I get the following output:

gpg: Signature made Fri 10 May 2019 01:47:15 PM CEST using RSA key ID 3F1B2C87
gpg: Good signature from "CoreOS Application Signing Key security@coreos.com"
gpg: Note: This key has expired!
Primary key fingerprint: 18AD 5014 C99E F7E3 BA5F 6CE9 50BD D3E0 FC8A 365E
Subkey fingerprint: 5B10 53CE 38EA 2E0F EB95 6C05 95BC 5E3F 3F1B 2C87

The issue is thus that the package is signed with an expired GPG key.

@squeed
Member

squeed commented May 13, 2019

Thanks for verifying our gpg signatures :-)

This key in particular has had its expiration date changed. You should get the new one with a simple gpg --recv-key.

@ErickStaal
Author

Given your suggestion I performed the following. When executing

gpg --keyserver pool.sks-keyservers.net --search-keys security@coreos.com

The following output is generated:

(1) CoreOS Application Signing Key security@coreos.com
4096 bit RSA key FC8A365E, created: 2016-03-02, expires: 2021-03-01
(2) CoreOS Security Team security@coreos.com
4096 bit RSA key 068CDF28, created: 2013-05-09
(3) CoreOS Security Team security@coreos.com
2048 bit RSA key 7E7E99BA, created: 2013-04-25, expires: 2013-04-29 (revoked) (expired)

The key 3F1B2C87 is a subkey of FC8A365E. This subkey was used on May 10th to sign the cni-plugins package.

However, doing a list-keys after the recv-keys gets me:

gpg --with-colons --list-keys FC8A365E

tru::1:1557778747:1678976326:3:1:5
pub:-:4096:1:50BDD3E0FC8A365E:2016-03-02:2021-03-01::-:CoreOS Application Signing Key security@coreos.com::cC:
sub:e:2048:1:95BC5E3F3F1B2C87:2016-03-02:2019-03-02:::::s:
sub:e:2048:1:A6F71EE5BEDDBA18:2016-03-08:2019-03-08:::::s:
sub:e:2048:1:F804F4137EF48FD3:2016-03-08:2019-03-08:::::s:
sub:e:4096:1:CDDE268EBB729EC7:2017-03-08:2019-03-08:::::s:

If I read this correctly there aren't any usable subkeys (for signing) anymore available after March 8th, 2019, and the cni-plugins package is signed May 10th.
Am I not receiving the latest (valid) subkey or is something else wrong? (but still: the package is signed with an unusable subkey).

@justaugustus

@squeed -- Is this verified to be an issue/non-issue?
I'd love to bump the kubernetes-cni package versions before we cut 1.15, but would want some verification from you on this before doing so.

@squeed
Member

squeed commented Jun 4, 2019

@justaugustus This should be fixed, for sure. I'm not sure that the updated key made it to the sks keyservers, but it's there now:

$ gpg2 --recv-key FC8A365E
gpg: key 50BDD3E0FC8A365E: public key "CoreOS Application Signing Key <security@coreos.com>" imported

$ gpg2 --list-sigs
pub   rsa4096 2016-03-02 [C] [expires: 2021-03-01]
      18AD5014C99EF7E3BA5F6CE950BDD3E0FC8A365E
uid           [ unknown] CoreOS Application Signing Key <security@coreos.com>
<signatures elided...>
sig 3        50BDD3E0FC8A365E 2016-03-02  CoreOS Application Signing Key <security@coreos.com>
sub   rsa2048 2016-03-02 [S] [expires: 2021-01-29]
sig          50BDD3E0FC8A365E 2019-03-11  CoreOS Application Signing Key <security@coreos.com>
sub   rsa2048 2016-03-08 [S] [expires: 2021-01-29]
sig          50BDD3E0FC8A365E 2019-03-11  CoreOS Application Signing Key <security@coreos.com>
sub   rsa4096 2017-03-08 [S] [expires: 2021-01-29]
sig          50BDD3E0FC8A365E 2019-03-11  CoreOS Application Signing Key <security@coreos.com>
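The stale-versus-refreshed listings above show why "Good signature" plus "This key has expired!" needs a second look: the local copy of subkey 3F1B2C87 still carried the old 2019-03-02 expiry. The script below is an added example (not part of the cni repository or this thread) that parses `gpg --with-colons --list-keys` output for the subkey that made a signature and reports whether it was valid on the signature date; the FRESH_LISTING sample and the `check_release` wrapper are my own assumptions about the layout after the refreshed key is imported.

```shell
#!/bin/sh
# Decide whether a "Good signature ... Note: This key has expired!" verdict is
# a stale local key or a genuinely dead subkey, by parsing the colon-format
# listing (gpg --with-colons --list-keys) for the subkey that made the signature.

# Constructed sample: the stale listing quoted in the issue (before --recv-keys).
STALE_LISTING='tru::1:1557778747:1678976326:3:1:5
pub:-:4096:1:50BDD3E0FC8A365E:2016-03-02:2021-03-01::-:CoreOS Application Signing Key security@coreos.com::cC:
sub:e:2048:1:95BC5E3F3F1B2C87:2016-03-02:2019-03-02:::::s:
sub:e:2048:1:A6F71EE5BEDDBA18:2016-03-08:2019-03-08:::::s:'

# Constructed sample of the same key after the refreshed copy is imported
# (subkey expiry 2021-01-29 as in the listing above; colon layout is assumed).
FRESH_LISTING='pub:-:4096:1:50BDD3E0FC8A365E:2016-03-02:2021-03-01::-:CoreOS Application Signing Key security@coreos.com::cC:
sub:-:2048:1:95BC5E3F3F1B2C87:2016-03-02:2021-01-29:::::s:'

# subkey_status LISTING KEYID SIGDATE
#   Prints: valid | expired | revoked | nosign | missing
#   KEYID is a short or long hex key ID, matched as a suffix of the long key ID
#   in field 5 of "sub" records. SIGDATE (YYYY-MM-DD) is the date from the
#   "gpg: Signature made ..." line; the subkey must not have expired before it.
subkey_status() {
    printf '%s\n' "$1" | awk -F: -v want="$(printf '%s' "$2" | tr a-z A-Z)" -v sigdate="$3" '
        $1 == "sub" && substr($5, length($5) - length(want) + 1) == want {
            found = 1
            if ($2 == "r")                { print "revoked"; exit }  # field 2: validity
            if ($2 == "e")                { print "expired"; exit }
            if ($7 != "" && $7 < sigdate) { print "expired"; exit }  # field 7: expiry date
            if (index($12, "s") == 0)     { print "nosign";  exit }  # field 12: capabilities
            print "valid"; exit
        }
        END { if (!found) print "missing" }'
}

# check_release SIG FILE KEYID SIGDATE (hypothetical wrapper): refresh the key
# from the keyserver only when the local copy is stale, then verify.
# Needs gpg and network access; not exercised by the offline samples above.
check_release() {
    listing=$(gpg --with-colons --list-keys "$3" 2>/dev/null)
    case $(subkey_status "$listing" "$3" "$4") in
        expired|missing) gpg --recv-keys "$3" || return 1
                         listing=$(gpg --with-colons --list-keys "$3" 2>/dev/null) ;;
    esac
    [ "$(subkey_status "$listing" "$3" "$4")" = valid ] || return 1
    gpg --verify "$1" "$2"
}
```

With the stale listing the status for 3F1B2C87 on 2019-05-10 is `expired`; after the refresh it is `valid`, which is the only state in which the "Good signature" line should be trusted.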

@squeed
Member

squeed commented Jun 4, 2019

also @justaugustus let us release 0.8.1, which should be out tomorrow. A few small bugs crept in.

@baude

baude commented Jun 4, 2019

The libpod project would greatly appreciate a 0.8.1 release.

@justaugustus

Thanks so much for the update, @squeed! Keep us posted on the 0.8.1 cut. :)

@squeed
Member

squeed commented Jun 5, 2019

We have our usual weekly maintainer's meeting this afternoon CEST; we'll do the cut right afterwards.
