GPG key <infra@ovirt.org> expired since April ?

Hi, According to output pasted below it seems that the GPG key used to sign installation media has expired 2021-04-03. Why is new installation ISO signed 7 days ago with a key that has been expired for almost 6 months? Is this correct? My main question though is if this iso is authentic? $ ll -h ovirt-node-ng-installer-4.4.8-2021090310.el8.iso* -rw-r--r--. 1 fredde fredde 1.9G Oct 1 14:48 ovirt-node-ng-installer-4.4.8-2021090310.el8.iso -rw-r--r--. 1 fredde fredde 32 Oct 1 14:48 ovirt-node-ng-installer-4.4.8-2021090310.el8.iso.md5sum -rw-r--r--. 1 fredde fredde 490 Oct 1 14:48 ovirt-node-ng-installer-4.4.8-2021090310.el8.iso.md5sum.sig $ gpg --list-keys oVirt pub rsa2048 2014-03-30 [SC] [expired: 2021-04-03] 31A5D7837FAD7CB286CD3469AB8C4F9DFE590CB7 uid [ expired] oVirt <infra@ovirt.org> $ gpg --verify-files *.sig gpg: assuming signed data in 'ovirt-node-ng-installer-4.4.8-2021090310.el8.iso.md5sum' gpg: Signature made Thu 23 Sep 2021 02:41:24 PM CEST gpg: using RSA key AB8C4F9DFE590CB7 gpg: Good signature from "oVirt <infra@ovirt.org>" [expired] gpg: Note: This key has expired! Primary key fingerprint: 31A5 D783 7FAD 7CB2 86CD 3469 AB8C 4F9D FE59 0CB7 $ cat *.md5sum e75ac6f671c666140a205e6eab3d0c4a $ md5sum ovirt-node-ng-installer-4.4.8-2021090310.el8.iso e75ac6f671c666140a205e6eab3d0c4a ovirt-node-ng-installer-4.4.8-2021090310.el8.iso BR /F

Il giorno ven 1 ott 2021 alle ore 16:44 Fredrik Arneving < fredrik.arneving@bahnhof.se> ha scritto:
Hi,
According to output pasted below it seems that the GPG key used to sign installation media has expired 2021-04-03. Why is new installation ISO signed 7 days ago with a key that has been expired for almost 6 months? Is this correct?
My main question though is if this iso is authentic?
$ ll -h ovirt-node-ng-installer-4.4.8-2021090310.el8.iso* -rw-r--r--. 1 fredde fredde 1.9G Oct 1 14:48 ovirt-node-ng-installer-4.4.8-2021090310.el8.iso -rw-r--r--. 1 fredde fredde 32 Oct 1 14:48 ovirt-node-ng-installer-4.4.8-2021090310.el8.iso.md5sum -rw-r--r--. 1 fredde fredde 490 Oct 1 14:48 ovirt-node-ng-installer-4.4.8-2021090310.el8.iso.md5sum.sig
$ gpg --list-keys oVirt pub rsa2048 2014-03-30 [SC] [expired: 2021-04-03] 31A5D7837FAD7CB286CD3469AB8C4F9DFE590CB7 uid [ expired] oVirt <infra@ovirt.org>
$ gpg --verify-files *.sig gpg: assuming signed data in 'ovirt-node-ng-installer-4.4.8-2021090310.el8.iso.md5sum' gpg: Signature made Thu 23 Sep 2021 02:41:24 PM CEST gpg: using RSA key AB8C4F9DFE590CB7 gpg: Good signature from "oVirt <infra@ovirt.org>" [expired] gpg: Note: This key has expired! Primary key fingerprint: 31A5 D783 7FAD 7CB2 86CD 3469 AB8C 4F9D FE59 0CB7
Hi, I see: $ gpg --list-keys oVirt pub rsa2048 2014-03-30 [SC] [*expires: 2028-04-06*] 31A5D7837FAD7CB286CD3469AB8C4F9DFE590CB7 uid [ unknown] oVirt <infra@ovirt.org> sub rsa2048 2014-03-30 [E] [expires: 2028-04-06] Can you please run `$ gpg --refresh-keys` ? thanks
$ cat *.md5sum e75ac6f671c666140a205e6eab3d0c4a
$ md5sum ovirt-node-ng-installer-4.4.8-2021090310.el8.iso e75ac6f671c666140a205e6eab3d0c4a ovirt-node-ng-installer-4.4.8-2021090310.el8.iso
BR /F _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/CEIRQ7SJPXEZIY...
-- Sandro Bonazzola MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV Red Hat EMEA <https://www.redhat.com/> sbonazzo@redhat.com <https://www.redhat.com/> *Red Hat respects your work life balance. Therefore there is no need to answer this email out of your office hours.*

Hi Sandro, I downloaded the key from a public gpg-server and first I didn't realize it was not the latest key. Once I installed the latest key everything worked as it should. Thanks for your answer and your efforts for the oVirt project. BR, /Fredrik
participants (2)
-
Fredrik Arneving
-
Sandro Bonazzola