Since 2007-11-23 there are no signatures for portage snapshots on the mirrors. The signing key with ID 7DDAD20D expired on that date, so a new key is needed.
Reproducible: Always
Who's responsible for the portage signing key? I've only got the release key.
a new key, or updating the expiry time of the existing key. portage team: how is the existing key bundled with Portage? If I update it, can you send out a new release with it right away?
The key isn't bundled in portage at all. We have a patch from bug 130039 to add gpg verification support to emerge-webrsync. It doesn't check which key the snapshot is signed with, only that it has a "trusted" signature. I suppose we should have a config option that will force it to use a specific key.
The new signing key is 0x239C75C4. It has been exported to several PGP keyserver networks. The old keys D8BA32AA (expired 2005/Nov/11), and 7DDAD20D (expired 2007/11/23) have been marked as revoked, with the revocation messages directing users to the new keys. Was there anywhere in CVS that we distributed the public side of these keys?
Is this one fixed then?
well - the critical part got fixed. anything left to be done?
(In reply to comment #3)
> I suppose we
> should have a config option that will force it to use a specific key.
Anything done on this side?
(In reply to comment #4)
> The new signing key is 0x239C75C4. It has been exported to several PGP
> keyserver networks. The old keys D8BA32AA (expired 2005/Nov/11), and 7DDAD20D
> (expired 2007/11/23) have been marked as revoked, with the revocation messages
> directing users to the new keys.
>
> Was there anywhere in CVS that we distributed the public side of these keys?
>
If there is no such place, perhaps add it somewhere?
(In reply to comment #7)
> (In reply to comment #3)
> > I suppose we
> > should have a config option that will force it to use a specific key.
>
> Anything done on this side?
Looking at the gpg manpage, I don't see any documented option that allows a specific key to be specified. I guess it doesn't matter as long as the signature is from a trusted key.
The keys are now documented on this page: http://www.gentoo.org/proj/en/releng/ I also updated the expiry date of the current snapshot key, so it's good for another 2 years from the previous date.
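The signer pinning raised in comment #3 can be done by a wrapper that reads gpg's machine-readable `--status-fd` lines and compares the `VALIDSIG` fingerprint against one expected value. This is an added example, not code from this bug or from emerge-webrsync; the fingerprints, status lines and function names are constructed placeholders.

```shell
#!/bin/sh
# Placeholder fingerprint (constructed, NOT a real Gentoo key). Uppercase,
# because gpg prints fingerprints in uppercase hex on its status lines.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Reads `gpg --status-fd` output on stdin. Returns 0 only if gpg reported a
# good signature whose signing-key or primary-key fingerprint equals $1.
signed_by_pinned_key() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        # Bad, unverifiable, expired or revoked: never accept.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint; the last field
        # is the primary key fingerprint when gpg includes it.
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { pinned = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# Wrapper for a real snapshot: $1 = detached signature, $2 = snapshot file.
verify_snapshot() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        signed_by_pinned_key "$PINNED_FPR"
}

# Constructed status output: good signature from the pinned key.
GOOD_STATUS='[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Snapshot Key
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2008-01-01 1199145600 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE'

# Constructed: good signature from a different key that the keyring trusts.
OTHER_STATUS='[GNUPG:] GOODSIG 7654321076543210 Some Other Trusted Key
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA98765432107654321076543210 2008-01-01 1199145600 0 4 0 17 2 00 FEDCBA9876543210FEDCBA98765432107654321076543210
[GNUPG:] TRUST_FULLY'

# Constructed: pinned key, but gpg reports the key as expired.
EXPIRED_STATUS='[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Constructed Snapshot Key
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2008-01-01 1199145600 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567'

for s in "$GOOD_STATUS" "$OTHER_STATUS" "$EXPIRED_STATUS"; do
    if printf '%s\n' "$s" | signed_by_pinned_key "$PINNED_FPR"; then
        echo accept
    else
        echo reject
    fi
done
```

The second sample is the case a "any trusted signature" check lets through: the signature is good and the key is trusted, but it is not the snapshot key.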