GPG signatures of releases made with an expired key #4307

Open
hlein opened this issue Feb 9, 2024 · 2 comments
hlein commented Feb 9, 2024

The release tarballs at https://dist.libuv.org/dist/v1.48.0/ are signed with an expired key. 1.48.0 was released just yesterday, and yet:

$ gpg --verify libuv-v1.48.0-dist.tar.gz.sign libuv-v1.48.0-dist.tar.gz
gpg: Signature made Wed 07 Feb 2024 01:20:48 PM MST
gpg:                using RSA key 612F0EAD9401622379DF4402F28C3C8DA33C03BE
gpg: Good signature from "Santiago Gimeno (sgimeno) <[email protected]>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 612F 0EAD 9401 6223 79DF  4402 F28C 3C8D A33C 03BE

This is the same key fingerprint listed for @santigimeno at https://github.com/libuv/libuv/blob/v1.x/MAINTAINERS.md, and stored in the repo via the pubkey-santigimeno tag.

However, it has expired:

$ gpg --list-keys F28C3C8DA33C03BE
pub   rsa4096 2016-08-26 [SC] [expired: 2023-06-29]
      612F0EAD9401622379DF4402F28C3C8DA33C03BE
uid           [ expired] Santiago Gimeno (sgimeno) <[email protected]>

Both the copy in the git repo, and the one at https://github.com/santigimeno.gpg agree on this expiration.

Presumably the key has been edited and its expiration extended, or new signatures couldn't have been created. But I think the updated public key has never been propagated?

santigimeno commented Feb 9, 2024

It's strange, in July 2023 I was contacted by a package maintainer about exactly this issue and I published the updated key and was told everything was fine by then.
Also, I can see it correctly in https://keyserver.ubuntu.com/pks/lookup?search=612F0EAD9401622379DF4402F28C3C8DA33C03BE&fingerprint=on&op=index. Am I missing something?
Anyway, I have republished it in various key servers. Let me know if it works for you.

hlein commented Feb 9, 2024

Aha, yes! Thank you, I can see the updated key on the Ubuntu keyservers. That's not one of the places I tried looking last night. Note that the copy of your key registered with GitHub and the one included in the libuv repo are both still the expired version. See also #4306 which is more of a project-wide issue/question.
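An added verification script for the situation this thread describes (example code, not the issue author's nor libuv's own): it reads gpg's machine-readable status lines so an EXPKEYSIG result is treated as its own failure rather than a "Good signature" plus a warning, and pins the maintainer fingerprint from MAINTAINERS.md. It assumes gpg is installed; the keyserver URL is the one mentioned above.

```shell
#!/bin/sh
# Added example: fail closed on expired or mismatched release-signing keys.

# Read "[GNUPG:] ..." status lines on stdin, print ACCEPT / EXPIRED / REJECT,
# and return 0 only for ACCEPT. $1 = expected 40-hex primary key fingerprint.
gpg_status_verdict() {
  want_fpr=$1
  good=0 expired=0 bad=0 fpr_ok=0
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] GOODSIG "*) good=1 ;;
      # gpg emits EXPKEYSIG instead of GOODSIG when the signing key has expired
      "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] EXPSIG "*) expired=1 ;;
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] NO_PUBKEY "*) bad=1 ;;
      "[GNUPG:] VALIDSIG "*)
        # last field of VALIDSIG is the primary key fingerprint; pin it
        for w in $line; do primary=$w; done
        [ "$primary" = "$want_fpr" ] && fpr_ok=1 ;;
    esac
  done
  if [ "$bad" -eq 1 ]; then echo REJECT; return 1; fi
  if [ "$expired" -eq 1 ]; then echo EXPIRED; return 2; fi
  if [ "$good" -eq 1 ] && [ "$fpr_ok" -eq 1 ]; then echo ACCEPT; return 0; fi
  echo REJECT; return 1
}

# Verify a detached signature: $1 = .sign file, $2 = tarball, $3 = expected fingerprint.
# Status lines go to stdout (fd 1) so the verdict function can read them; the
# human-readable output on stderr is dropped.
verify_release() {
  gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | gpg_status_verdict "$3"
}

# Re-fetch a key whose expiry was extended (keyserver as named in the thread).
refresh_key() {
  gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys "$1"
}

# Usage, with the fingerprint from MAINTAINERS.md:
#   verify_release libuv-v1.48.0-dist.tar.gz.sign libuv-v1.48.0-dist.tar.gz \
#       612F0EAD9401622379DF4402F28C3C8DA33C03BE || { refresh_key 612F0EAD...; exit 1; }
```

Re-run verify_release after refresh_key rather than accepting the first verdict; an EXPIRED verdict on a freshly published release is exactly the signal this issue reports.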
