Vdsm source packages signed with an expired key?
Milan Zamazal
mzamazal at redhat.com
Tue Sep 20 06:52:55 UTC 2016
Sandro Bonazzola <sbonazzo at redhat.com> writes:
> On Mon, Sep 19, 2016 at 10:01 AM, Milan Zamazal <mzamazal at redhat.com> wrote:
>
>> Hi, on Vdsm packages downloaded from
>> http://resources.ovirt.org/pub/ovirt-4.0/src/vdsm/ :
>>
>> % gpg --verify vdsm-4.18.13.tar.gz.sig
>> gpg: assuming signed data in 'vdsm-4.18.13.tar.gz'
>> gpg: Signature made Wed 14 Sep 2016 04:38:26 PM CEST using RSA key ID
>> FE590CB7
>> gpg: Good signature from "oVirt <infra at ovirt.org>" [expired]
>> gpg: Note: This key has expired!
>> Primary key fingerprint: 31A5 D783 7FAD 7CB2 86CD 3469 AB8C 4F9D FE59 0CB7
>>
>> % gpg --list-keys infra at ovirt.org
>> pub 2048R/FE590CB7 2014-03-30 [expired: 2016-04-02]
>> uid [ expired] oVirt <infra at ovirt.org>
>>
>> Either I download fake packages signed with a cracked expired key, or
>> you sign the packages with an expired key. Not good in any case.
>>
>
>
> Please run gpg --refresh-keys
I see, it's OK now, thanks!
More information about the Infra
mailing list