Release 0.8.0 signed with expired key #317
Comments
Thanks for verifying our gpg signatures :-) This key in particular has had its expiration date changed. You should get the new one with a simple |
Given your suggestion I performed the following. When executing
gpg --keyserver pool.sks-keyservers.net --search-keys security@coreos.com
the following output is generated:
(1) CoreOS Application Signing Key security@coreos.com
The key 3F1B2C87 is a subkey of FC8A365E. This subkey is used on May 10th to sign the cni-plugins package. However, doing a list-keys after the recv-keys gets me:
gpg --with-colons --list-keys FC8A365E
tru::1:1557778747:1678976326:3:1:5
If I read this correctly there aren't any usable subkeys (for signing) anymore available after March 8th, 2019, and the cni-plugins package is signed May 10th. |
@squeed -- Is this verified to be an issue/non-issue? |
@justaugustus This should be fixed, for sure. I'm not sure that the updated key made it to the sks keyservers, but it's there now:
|
also @justaugustus let us release 0.8.1, which should be out tomorrow. A few small bugs crept in. |
the libpod project would greatly appreciate a 0.8.1 release |
Thanks so much for the update, @squeed! Keep us posted on the 0.8.1 cut. :) |
We have our usual weekly maintainer's meeting this afternoon CEST; we'll do the cut right afterwards. |
When trying to verify the new package
gpg --verify cni-plugins-linux-amd64-v0.8.0.tgz.asc cni-plugins-linux-amd64-v0.8.0.tgz
I get the following output:
gpg: Signature made Fri 10 May 2019 01:47:15 PM CEST using RSA key ID 3F1B2C87
gpg: Good signature from "CoreOS Application Signing Key security@coreos.com"
gpg: Note: This key has expired!
Primary key fingerprint: 18AD 5014 C99E F7E3 BA5F 6CE9 50BD D3E0 FC8A 365E
Subkey fingerprint: 5B10 53CE 38EA 2E0F EB95 6C05 95BC 5E3F 3F1B 2C87
The issue is thus that the package is signed with an expired GPG key.
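An added example, not part of the issue thread or the project's code: the comparison made in the thread (signature date against the signing subkey's expiry in `gpg --with-colons` output), run over a stale and a refreshed copy of a key. The listings, key IDs and key dates are constructed for illustration, the function names are hypothetical, and GnuPG 2 style epoch timestamps are assumed; only the signature time is taken from the `gpg --verify` output above.

```python
from datetime import datetime, timezone

# Constructed listings in `gpg --with-colons --list-keys` format. Key IDs and
# dates are made up for this example; they are not the CoreOS key's values.
STALE = """\
pub:e:4096:1:1111111111111111:1400000000:1552003200:::::scESC:
uid:e::::1400000000::::Constructed Signing Key <signing@example.invalid>:
sub:e:4096:1:2222222233333333:1400000000:1552003200:::::s:
"""
# Same key after a keyserver refresh: the expiry (field 7) moved forward and
# the validity flag (field 2) is no longer "e" (expired).
REFRESHED = STALE.replace("1552003200", "1583625600").replace(":e:", ":-:")

# Signature time from the thread: Fri 10 May 2019 01:47:15 PM CEST (UTC+2).
SIG_TIME = int(datetime(2019, 5, 10, 11, 47, 15, tzinfo=timezone.utc).timestamp())

def parse_keys(listing):
    """Map key ID -> (validity, created, expires or None, capabilities)."""
    keys = {}
    for line in listing.splitlines():
        f = line.split(":")
        # Field 5 = key ID, 6 = creation, 7 = expiry, 12 = capabilities.
        if f[0] in ("pub", "sub") and len(f) >= 12:
            keys[f[4]] = (f[1], int(f[5]), int(f[6]) if f[6] else None, f[11])
    return keys

def state_at(listing, key_id, when):
    """Classify the key whose ID ends with key_id (short or long) at epoch `when`."""
    for kid, (validity, created, expires, caps) in parse_keys(listing).items():
        if not kid.endswith(key_id.upper()):
            continue
        if validity == "r":
            return "revoked"
        if "s" not in caps:  # lowercase s: this key itself can sign
            return "not-a-signing-key"
        if when < created:
            return "signed-before-key-creation"
        if expires is not None and when >= expires:
            return "expired-before-signature"
        return "valid-at-signature"
    return "unknown-key"

if __name__ == "__main__":
    for name, listing in (("stale", STALE), ("refreshed", REFRESHED)):
        print(name, state_at(listing, "33333333", SIG_TIME))
```

The two listings differ only in the expiry and validity fields, so the different result for the same signature comes entirely from which copy of the public key is in the local keyring.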