This is the first time I have tried to correctly check the GPG signatures of the sources I use to build a cross compiler toolchain. With glibc, I found an interesting issue:
https://ftp.gnu.org/gnu/glibc/glibc-2.39.tar.xz
https://ftp.gnu.org/gnu/glibc/glibc-2.39.tar.xz.sig
Problem for me:
- Signature made 2024/01/31
- Key expired 2022/07/23
The sig file uses the following key:
pub rsa4096/16792B4EA25340F8
created: 2016-08-02 expired: 2022-07-23 usage: SC
trust: unknown validity: expired
sub rsa4096/4B54EAAC6E498A05
created: 2016-08-02 expired: 2022-07-23 usage: E
[ expired] (1). Carlos O'Donell <[email protected]>
[ expired] (2) Carlos O'Donell (Work) <[email protected]>
[ expired] (3) Carlos O'Donell (Work) <[email protected]>
and I cannot find one that is not expired. However, how can the fingerprint be valid, and hence glibc have been signed with an already expired key?
src gpg --verify glibc-2.39.tar.xz.sig
gpg: assuming signed data in 'glibc-2.39.tar.xz'
gpg: Signature made Wed 31 Jan 2024 11:05:38 PM CET
gpg: using RSA key 7273542B39962DF7B299931416792B4EA25340F8
gpg: Good signature from "Carlos O'Donell <[email protected]>" [expired]
gpg: aka "Carlos O'Donell (Work) <[email protected]>" [expired]
gpg: aka "Carlos O'Donell (Work) <[email protected]>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 7273 542B 3996 2DF7 B299 9314 1679 2B4E A253 40F8
There must be something I am missing!