566786 – app-crypt/gentoo-keys: two of the keys are expired: 0xBB572E0E2D182910 and 0xDB6B8C1F96D8BF6D

Bug 566786 - app-crypt/gentoo-keys: two of the keys are expired: 0xBB572E0E2D182910 and 0xDB6B8C1F96D8BF6D

Summary: app-crypt/gentoo-keys: two of the keys are expired: 0xBB572E0E2D182910 and 0x...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Hosted Projects
Classification:	Unclassified
Component:	gentoo-keys (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo-keys project

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2015-11-25 10:06 UTC by Tomás F.
Modified:	2015-11-26 03:11 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tomás F. 2015-11-25 10:06:05 UTC

The ebuild app-crypt/gentoo-keys has the keys 0xBB572E0E2D182910 and 0xDB6B8C1F96D8BF6D expired:

gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --with-fingerprint --list-keys
gpg: WARNING: unsafe permissions on homedir `/var/lib/gentoo/gkeys/keyrings/gentoo/release'
/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg
---------------------------------------------------------
pub   4096R/F6CD6C97 2014-10-03 [expires: 2017-09-17]
      Key fingerprint = D2DE 1DBB A0F4 3EBA 341B  97D8 8255 33CB F6CD 6C97
uid       [ unknown] Gentoo-keys Team <gkeys@gentoo.org>
sub   4096R/151C3FC7 2014-10-03 [expires: 2017-09-17]

pub   1024D/17072058 2004-07-20 [expires: 2016-08-13]
      Key fingerprint = D99E AC73 79A8 50BC E47D  A5F2 9E64 38C8 1707 2058
uid       [ unknown] Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@gentoo.org>
sub   2048g/1415B4ED 2004-07-20 [expires: 2016-08-13]

pub   4096R/96D8BF6D 2011-11-25 [expired: 2015-11-24]
      Key fingerprint = DCD0 5B71 EAB9 4199 527F  44AC DB6B 8C1F 96D8 BF6D
uid       [ expired] Gentoo Portage Snapshot Signing Key (Automated Signing Key)

pub   4096R/2D182910 2009-08-25 [expired: 2015-08-24]
      Key fingerprint = 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
uid       [ expired] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>

Comment 1 Robin Johnson archtester

2015-11-26 01:16:12 UTC

You need to use a newer mirror, as the keys have been updated already by infra, and uploaded to public keyservers.
$ gpg --list-keys 0xBB572E0E2D182910 0xDB6B8C1F96D8BF6D
pub   rsa4096/0xBB572E0E2D182910 2009-08-25 [expires: 2017-08-25]
uid                 [ unknown] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>

pub   rsa4096/0xDB6B8C1F96D8BF6D 2011-11-25 [expires: 2016-07-01]
uid                 [ unknown] Gentoo Portage Snapshot Signing Key (Automated Signing Key)
sub   rsa4096/0xEC590EEAC9189250 2011-11-25 [expires: 2016-07-01]

Comment 2 Brian Dolbec (RETIRED) gentoo-dev

2015-11-26 02:21:51 UTC

Sorry, but we have not automated the refreshing of the keyring yet.  Plus it never occurred to me that the binary keyring needed updating after the resetting of some of those keys.

if you have gkeys installed, (you might need gkeys-9999):

gkeys refresh-key -C gentoo


That will update all the keys in that category of keyrings.  There is no need to re-install the gentoo-keys keyring.
I'll refresh the binary keyring that is installed.

I'll hopefully have the next version of gkeys out this weekend too.  I just have a little more testing to do, plus make the cron jobs to install that will re-fresh the keyrings automatically.

Comment 3 Brian Dolbec (RETIRED) gentoo-dev

2015-11-26 03:11:49 UTC

OK, app-crypy/gentoo-keys-201511260245 is in the tree, replacing the old version.

It will be available on the mirrors in the next few hours.

You can update it with the ebuild or the method I described in the previous post.