GPG signatures of releases made with an expired key #4307
Comments
It's strange, in July 2023 I was contacted by a package maintainer about exactly this issue and I published the updated key and was told everything was fine by then.
Aha, yes! Thank you, I can see the updated key on the Ubuntu keyservers. That's not one of the places I tried looking last night. Note that the copy of your key registered with GitHub and the one included in the libuv repo are both still the expired version. See also #4306 which is more of a project-wide issue/question.
The release tarballs at https://dist.libuv.org/dist/v1.48.0/ are signed with an expired key. 1.48.0 was released just yesterday, and yet:
This is the same key fingerprint listed for @santigimeno at https://github.com/libuv/libuv/blob/v1.x/MAINTAINERS.md, and stored in the repo via the pubkey-santigimeno tag.
However, it has expired:
Both the copy in the git repo, and the one at https://github.com/santigimeno.gpg agree on this expiration.
Presumably the key has been edited and its expiration extended, or new signatures couldn't have been created. But I think the updated public key has never been propagated?
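One way to check which published copies of a signing key are stale, as an added example that is not part of the original thread or libuv's own tooling: it parses colon-format listings such as those from `gpg --show-keys --with-colons <file>` and reports the sources whose copy of the primary key had already expired when a release was signed. The fingerprint, timestamps, source names and signing date below are all constructed.

```python
from datetime import datetime, timezone

FPR = "A" * 40  # constructed placeholder fingerprint, not a real key
SIGNED_AT = datetime(2024, 2, 8, tzinfo=timezone.utc)  # constructed signing time

def listing(expires):
    """Build a constructed colon-format listing: one primary key plus one subkey."""
    return (f"pub:-:4096:1:{FPR[-16:]}:1500000000:{expires}::-:::scESC:\n"
            f"fpr:::::::::{FPR}:\n"
            f"sub:-:4096:1:{'B' * 16}:1500000000:{expires}:::::e:\n"
            f"fpr:::::::::{'B' * 40}:\n")

# Constructed copies of the same key as three distribution points might serve it.
SOURCES = {
    "repo_tag": listing(1680000000),    # old expiry (2023-03-28 UTC)
    "github_gpg": listing(1680000000),  # old expiry
    "keyserver": listing(1800000000),   # extended expiry (2027-01-15 UTC)
}

def primary_expiry(colons_text):
    """Map primary-key fingerprint -> expiry (UTC datetime, None = never expires)."""
    keys, expiry, want_fpr = {}, None, False
    for line in colons_text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # Field 7 is the expiration in seconds since the epoch; empty means none.
            expiry = datetime.fromtimestamp(int(f[6]), timezone.utc) if f[6] else None
            want_fpr = True
        elif f[0] == "fpr" and want_fpr:
            # The first fpr record after pub belongs to the primary key;
            # later fpr records (after sub) are subkeys and are skipped.
            keys[f[9]] = expiry
            want_fpr = False
    return keys

def stale_sources(sources, fingerprint, signed_at):
    """Names of sources whose copy is missing or had expired by signed_at."""
    stale = []
    for name, text in sources.items():
        keys = primary_expiry(text)
        if fingerprint not in keys:
            stale.append(name)
        elif keys[fingerprint] is not None and keys[fingerprint] <= signed_at:
            stale.append(name)
    return stale

if __name__ == "__main__":
    print(stale_sources(SOURCES, FPR, SIGNED_AT))
```

A verifier that fetches the key only from a stale source will see a good signature made by an expired key, which is the situation the issue reports.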