Regarding the expiration of the signed data in npth-1.6.tar.bz2

Jakob Bohm jb-gnumlists at wisemo.com
Mon Feb 5 15:01:52 CET 2024


On 2024-02-03 17:31, Bruce Walzer wrote:
> On Sat, Feb 03, 2024 at 11:35:20PM +0900, witchy via Gnupg-users wrote:
> [...]
>> I noticed that the npth signature data has expired.
> Why is anyone signing software with expiring keys anyway? I have
> ranted against the practice of PGP key expiry in general[1] but this
> seems particularly harmful. GnuPG contributes to this problem by
> generating expiring keys by default.
>
> [1] https://articles.59.ca/doku.php?id=pgpfan:expire
>
>
Some software signing systems handle this by adding a trusted timestamp
signature telling signature checkers to check validity "as of" the
certified timestamp.  This is particularly common for X.509 signature
systems where the certificates themselves expire every few years .
There is an RFC for how to do it and I have figured out how it is actually
done for proprietary Microsoft formats (its only a few deviations from
the RFCs implemented by gpgsm).


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded




More information about the Gnupg-users mailing list