
Hi, According to output pasted below it seems that the GPG key used to sign installation media has expired 2021-04-03. Why is new installation ISO signed 7 days ago with a key that has been expired for almost 6 months? Is this correct? My main question though is if this iso is authentic? $ ll -h ovirt-node-ng-installer-4.4.8-2021090310.el8.iso* -rw-r--r--. 1 fredde fredde 1.9G Oct 1 14:48 ovirt-node-ng-installer-4.4.8-2021090310.el8.iso -rw-r--r--. 1 fredde fredde 32 Oct 1 14:48 ovirt-node-ng-installer-4.4.8-2021090310.el8.iso.md5sum -rw-r--r--. 1 fredde fredde 490 Oct 1 14:48 ovirt-node-ng-installer-4.4.8-2021090310.el8.iso.md5sum.sig $ gpg --list-keys oVirt pub rsa2048 2014-03-30 [SC] [expired: 2021-04-03] 31A5D7837FAD7CB286CD3469AB8C4F9DFE590CB7 uid [ expired] oVirt <infra@ovirt.org> $ gpg --verify-files *.sig gpg: assuming signed data in 'ovirt-node-ng-installer-4.4.8-2021090310.el8.iso.md5sum' gpg: Signature made Thu 23 Sep 2021 02:41:24 PM CEST gpg: using RSA key AB8C4F9DFE590CB7 gpg: Good signature from "oVirt <infra@ovirt.org>" [expired] gpg: Note: This key has expired! Primary key fingerprint: 31A5 D783 7FAD 7CB2 86CD 3469 AB8C 4F9D FE59 0CB7 $ cat *.md5sum e75ac6f671c666140a205e6eab3d0c4a $ md5sum ovirt-node-ng-installer-4.4.8-2021090310.el8.iso e75ac6f671c666140a205e6eab3d0c4a ovirt-node-ng-installer-4.4.8-2021090310.el8.iso BR /F