Regarding the expiration of the signed data in npth-1.6.tar.bz2

Bernhard Reiter bernhard at intevation.de
Tue Feb 6 17:51:43 CET 2024


Hi Witchy,

Am Samstag 03 Februar 2024 15:35:20 schrieb witchy via Gnupg-users:
> I am trying to install npth which is needed to build gpg.
> I noticed that the npth signature data has expired.

that is okay, if you downloaded stuff from 
https://www.gnupg.org/download/index.html
  	nPth	1.6	2018-07-16	293k	download	download
  
LANG=C gpg --verify npth-1.6.tar.bz2.sig
gpg: assuming signed data in 'npth-1.6.tar.bz2'
gpg: Signature made Mon Jul 16 09:37:23 2018 CEST
gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [expired]
gpg: Note: This key has expired!

That messsage shows that the signature is fine at the time it was made
in principle.

You can additionally check the pubkey:
LANG=C gpg -kv "D8692123C4065DEA5E0F3AB5249B39D24F25E3B6"
gpg: Note: signature key 249B39D24F25E3B6 expired Fri Dec 31 12:00:07 2021 CET
pub   rsa2048/249B39D24F25E3B6 2011-01-12 [SC] [expired: 2021-12-31]
      D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
uid                 [ expired] Werner Koch (dist sig)
sub   rsa2048/F58A5868AC87C71A 2011-01-12 [A] [expired: 2019-12-31]

That should be good enough.

> Is it possible to have it signed again?

At least if a new release is done, that release would be freshly signed.
So far I haven't seen renewed signatures from GnuPG devs, which makes it 
unlikely they sign the nPth release from 2018 again.

Regards,
Bernhard

-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20240206/7c2720ca/attachment.sig>


More information about the Gnupg-users mailing list