when someone's gpg key expires, repoman will make all the normal commits, and then the key issue will be noticed only when the manifest is regenerated. this leaves a window where the changes have been pushed up but not the manifest, and it could take some time for the dev to fix things.

similarly, when a password is required, the user is prompted for it after the initial commit. we can really only handle this if people are using gpg-agent, as prompting for the key otherwise won't cache the result for the 2nd usage.

so, if the user has PORTAGE_GPG_KEY set, repoman should, before making any commits, do the following:
- verify the key is still valid (not expired)
- if gpg-agent is available (look for env GPG_AGENT_INFO), attempt to use the key so the password prompt comes up before anything is committed
and if we can verify gpg-agent is active, make sure that the current signing settings will not result in a SHA1 digest. not sure if we could find this out just by running `gpg` itself though and asking for its current settings ...
once the commit has been done, it'd be good if repoman also checked for the expiration of the key. if it is coming up soon (like 1 week or something), issue a warning that their key is going to expire soon.
*** This bug has been marked as a duplicate of bug 298605 ***
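The key check requested in this report, sketched as an added example that is neither repoman's code nor part of the original report: it classifies a key from `gpg --with-colons` output so a caller can stop before the first commit on `expired`, `revoked` or `missing`, and warn on `expiring`. The function names, the constructed sample listing and the 7-day window (the report's "like 1 week") are assumptions.

```python
# Added example (not repoman code): classify a signing key from
# `gpg --with-colons` output before any commit is made.
import calendar
import subprocess
import time

WARN_WINDOW = 7 * 24 * 3600  # assumption: the report's "like 1 week"

# Constructed sample output; key IDs, names and timestamps are made up.
SAMPLE = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAAA:1600000000:1700500000::u:::scESC:
uid:u::::1600000000::0000::Dev One <dev1@example.org>:
pub:e:4096:1:BBBBBBBBBBBBBBBB:1500000000:1600000000::u:::sc:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1600000000:::u:::scESC:
"""

def gpg_colons(key_id):
    """Ask gpg for the machine-readable listing of key_id."""
    cmd = ["gpg", "--batch", "--with-colons", "--fixed-list-mode",
           "--list-keys", key_id]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def parse_expiry(field):
    """Field 7 of a pub record: empty means the key never expires."""
    if not field:
        return None
    if "T" in field:  # ISO form, e.g. 20231115T000000 (UTC)
        return calendar.timegm(time.strptime(field, "%Y%m%dT%H%M%S"))
    return int(field)  # seconds since the epoch

def key_status(colons, key_id, now):
    """Return ok / expiring / expired / revoked / missing for the primary key.
    Signing subkeys carry their own expiry and are not examined here."""
    wanted = key_id.upper()
    if wanted.startswith("0X"):
        wanted = wanted[2:]
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] != "pub" or len(f) < 7 or not f[4].endswith(wanted):
            continue
        if f[1] == "r":
            return "revoked"
        expires = parse_expiry(f[6])
        if f[1] == "e" or (expires is not None and expires <= now):
            return "expired"
        if expires is not None and expires - now <= WARN_WINDOW:
            return "expiring"
        return "ok"
    return "missing"
```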