Date: Tue, 14 Dec 2021 11:15:06 +0000
From: Davíð Steinn Geirsson <david@isnic.is>
To: freebsd-security <freebsd-security@freebsd.org>
Subject: Re: Expired key for signed checksums
Message-ID: <Ybh8upUne144uHoI@mail>
In-Reply-To: <bWUEdUuTXV6w6B9_zzdL2zv-lPbGvq6KPFEBa-XRYRkgTKqKZZgThkEzsi9NjYYJEud63EQq_tMq0N7gaSJ1nhIT0V5-Zu7ueGshKozaayA=@protonmail.com>
References: <UP-f63qDEWMLjjb592fxz6MgOmqFHaqRw5N29C5MT7lEwW6rW_KQgbPq8YtndIiKHt536m3yk5CSSsbsdVrtTarWdicc_zIgoQoY2llBb4k=@protonmail.com> <20211104191742.GK69504@FreeBSD.org> <bWUEdUuTXV6w6B9_zzdL2zv-lPbGvq6KPFEBa-XRYRkgTKqKZZgThkEzsi9NjYYJEud63EQq_tMq0N7gaSJ1nhIT0V5-Zu7ueGshKozaayA=@protonmail.com>

On Sun, Dec 12, 2021 at 08:40:23PM +0000, Pat via freebsd-security wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Thursday, November 4, 2021 7:17 PM, Glen Barber <gjb@freebsd.org> wrote:
>
> > On Thu, Nov 04, 2021 at 07:01:50PM +0000, Pat via freebsd-security wrote:
> >
> > > Hello,
> > > I am trying to verify the signed checksum file for FreeBSD 13, but the key that
> > > gets checked is showing to be expired:
> > > $ gpg --keyserver-options auto-key-retrieve \
> > > --keyserver hkps://keyserver.ubuntu.com:443 \
> > > --verify CHECKSUM.SHA256-FreeBSD-13.0-RELEASE-amd64.asc
> > > gpg: Signature made Tue Apr 13 10:45:44 2021 CDT
> > > gpg: using RSA key 8D12403C2E6CAB086CF64DA3031458A5478FE293
> > > gpg: requesting key 031458A5478FE293 from hkps server keyserver.ubuntu.com
> > > gpg: key 524F0C37A0B946A3: 76 signatures not checked due to missing keys
> > > gpg: key 524F0C37A0B946A3: public key "Glen Barber gjb@FreeBSD.org" imported
> > > gpg: no ultimately trusted keys found
> > > gpg: Total number processed: 1
> > > gpg: imported: 1
> > > gpg: Good signature from "Glen Barber gjb@FreeBSD.org" [expired]
> > > gpg: aka "Glen Barber glen.j.barber@gmail.com" [expired]
> > > gpg: aka "Glen Barber gjb@keybase.io" [expired]
> > > gpg: aka "Glen Barber gjb@glenbarber.us" [expired]
> > > gpg: Note: This key has expired!
> > > Primary key fingerprint: 78B3 42BA 26C7 B2AC 681E A7BE 524F 0C37 A0B9 46A3
> > > Subkey fingerprint: 8D12 403C 2E6C AB08 6CF6 4DA3 0314 58A5 478F E293
> > > It does not matter what keyserver I try, I get the same expiration message. Yet
> > > I see the key expiration was bumped[0]. How would I go about getting the updated
> > > key? Or am I just going about this all wrong?
> >
> > https://docs.freebsd.org/en/articles/pgpkeys/#_glen_barber_gjbfreebsd_org
> >
> > Glen
>
> Thank you Glen, and apologies for the extreme delay in acknowledging
> your reply and my success at importing the key. I do appreciate you
> having taken the time to reply, despite taking five weeks to say that.
>
> :)
>

I think the website could use some better guidance on this. That page has a lot
of keys for a lot of people. Are they all trusted to sign FreeBSD releases?
Assuming that they're not, it would be great if the signatures page were updated
to include a list of keys that are expected to sign a release.

https://www.freebsd.org/releases/13.0R/signatures/

I say this because I had problems finding this as well when writing our
deployment automation. It's the reason why I did not automate grabbing new
releases and verifying them, and still leave that as a manual human step.

-Davíð
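
The two concerns in this thread (an expired key still printing "Good signature", and no published list of keys expected to sign a release) can both be gated in automation by reading gpg's machine-readable status lines against an operator-pinned fingerprint list. The following is an added example, not part of the original message or of FreeBSD's tooling; the function names and sample status lines are constructed, and the pinned value is the primary key fingerprint quoted in the gpg output above, which this page does not confirm as the complete set of release-signing keys.

```sh
#!/bin/sh
# Primary-key fingerprints the operator accepts for release signatures.
# Assumption: this is the primary fingerprint from the gpg output quoted in the
# thread; confirm it against the pgpkeys article before pinning it.
PINNED_FPRS="78B342BA26C7B2AC681EA7BE524F0C37A0B946A3"

is_pinned() {
    for fpr in $PINNED_FPRS; do
        [ "$fpr" = "$1" ] && return 0
    done
    return 1
}

# Read gpg status lines on stdin. Succeed only when the signature is good,
# every VALIDSIG names a pinned primary key (its last field), and no
# expired/revoked/bad/error status was reported.
# Real use: gpg --batch --status-fd 1 --verify FILE.asc 2>/dev/null | check_status
check_status() {
    good=0; pinned=0; reject=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] VALIDSIG "*)
                if is_pinned "${line##* }"; then pinned=1; else reject=1; fi ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] EXPSIG "*|"[GNUPG:] REVKEYSIG "*) reject=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*) reject=1 ;;
        esac
    done
    [ "$good" = 1 ] && [ "$pinned" = 1 ] && [ "$reject" = 0 ]
}

# Constructed status lines (not captured gpg output) for three cases.
SUBKEY=8D12403C2E6CAB086CF64DA3031458A5478FE293
valid_line() { echo "[GNUPG:] VALIDSIG $SUBKEY 2021-04-13 1618328744 0 4 0 1 8 00 $1"; }
sample_good() {
    echo "[GNUPG:] GOODSIG 031458A5478FE293 Glen Barber"
    valid_line "$PINNED_FPRS"
}
sample_expired() {    # the situation in the thread: good signature, expired key
    echo "[GNUPG:] EXPKEYSIG 031458A5478FE293 Glen Barber"
    valid_line "$PINNED_FPRS"
}
sample_unpinned() {   # good signature, but from a key that is not on the list
    echo "[GNUPG:] GOODSIG 0000000000000000 Some Other Committer"
    valid_line "0000000000000000000000000000000000000000"
}

for s in sample_good sample_expired sample_unpinned; do
    if $s | check_status; then echo "$s: accept"; else echo "$s: reject"; fi
done
```

This only gates the signature on the checksum file; the downloaded image still has to be hashed and compared against the verified CHECKSUM contents.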