Hi,

According to output pasted below it seems that the GPG key used to sign installation media has expired 2021-04-03. Why is new installation ISO signed 7 days ago with a key that has been expired for almost 6 months? Is this correct?

My main question though is if this iso is authentic?

$ ll -h ovirt-node-ng-installer-4.4.8-2021090310.el8.iso*
-rw-r--r--. 1 fredde fredde 1.9G Oct  1 14:48 ovirt-node-ng-installer-4.4.8-2021090310.el8.iso
-rw-r--r--. 1 fredde fredde   32 Oct  1 14:48 ovirt-node-ng-installer-4.4.8-2021090310.el8.iso.md5sum
-rw-r--r--. 1 fredde fredde  490 Oct  1 14:48 ovirt-node-ng-installer-4.4.8-2021090310.el8.iso.md5sum.sig

$ gpg --list-keys oVirt
pub   rsa2048 2014-03-30 [SC] [expired: 2021-04-03]
      31A5D7837FAD7CB286CD3469AB8C4F9DFE590CB7
uid           [ expired] oVirt <infra@ovirt.org>


$ gpg --verify-files *.sig
gpg: assuming signed data in 'ovirt-node-ng-installer-4.4.8-2021090310.el8.iso.md5sum'
gpg: Signature made Thu 23 Sep 2021 02:41:24 PM CEST
gpg:                using RSA key AB8C4F9DFE590CB7
gpg: Good signature from "oVirt <infra@ovirt.org>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 31A5 D783 7FAD 7CB2 86CD  3469 AB8C 4F9D FE59 0CB7

$ cat *.md5sum
e75ac6f671c666140a205e6eab3d0c4a

$ md5sum ovirt-node-ng-installer-4.4.8-2021090310.el8.iso
e75ac6f671c666140a205e6eab3d0c4a  ovirt-node-ng-installer-4.4.8-2021090310.el8.iso

BR
/F
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/CEIRQ7SJPXEZIY5IX475DKKITXF3QTKM/