This is my first attempt at properly checking the GPG signatures of the sources used to build a cross-compiler toolchain. With glibc, I ran into an interesting problem:
https://ftp.gnu.org/gnu/glibc/glibc-2.39.tar.xz
https://ftp.gnu.org/gnu/glibc/glibc-2.39.tar.xz.sig
My problem: the .sig file was made with the following key:
pub rsa4096/16792B4EA25340F8
created: 2016-08-02 expired: 2022-07-23 usage: SC
trust: unknown validity: expired
sub rsa4096/4B54EAAC6E498A05
created: 2016-08-02 expired: 2022-07-23 usage: E
[ expired] (1). Carlos O'Donell <[email protected]>
[ expired] (2) Carlos O'Donell (Work) <[email protected]>
[ expired] (3) Carlos O'Donell (Work) <[email protected]>
And I cannot find a copy of it that has not expired. So how can the fingerprint be valid, and was glibc therefore signed with an already-expired key?
src gpg --verify glibc-2.39.tar.xz.sig
gpg: assuming signed data in 'glibc-2.39.tar.xz'
gpg: Signature made Wed 31 Jan 2024 11:05:38 PM CET
gpg: using RSA key 7273542B39962DF7B299931416792B4EA25340F8
gpg: Good signature from "Carlos O'Donell <[email protected]>" [expired]
gpg: aka "Carlos O'Donell (Work) <[email protected]>" [expired]
gpg: aka "Carlos O'Donell (Work) <[email protected]>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 7273 542B 3996 2DF7 B299 9314 1679 2B4E A253 40F8
I must be missing something!
All of my keys expire every year, and I renew them every year.
For more details, see https://security.stackexchange.com/questions/14718/does-openpgp-key-expiration-add-to-security.
Since I am a member of the glibc security team, you can get my updated key from https://sourceware.org/glibc/security.html
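The situation in the question (a good signature whose signing key has expired locally, because the maintainer renews the key yearly and the verifier's copy is stale) is exactly the case a build script has to distinguish from a bad or unverifiable signature. The example below is added here and is not code from the thread or from the glibc project; it parses gpg's machine-readable `--status-fd` output and maps it to a decision: accept, refresh the key and re-verify, or reject. The status lines are constructed to mirror the question's output (the fingerprint is the one printed in the thread; e-mail addresses, SIG_ID and timestamps are placeholders), and the `verify_file` helper assumes a `gpg` binary on PATH.

```python
"""Classify a `gpg --verify` result from its --status-fd output.

Added example, not code from the thread. Assumes gpg is run as
  gpg --status-fd 1 --verify <file>.sig <file>
so that the status lines arrive on stdout.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed status output for the question's case: the signature is valid,
# but the local copy of the key has expired (gpg reports EXPKEYSIG, not GOODSIG).
# Fingerprint is the one shown in the thread; everything else is a placeholder.
SAMPLE_STATUS_EXPIRED = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 7273542B39962DF7B299931416792B4EA25340F8 0
[GNUPG:] SIG_ID placeholderSigId000000000000 2024-01-31 1706738738
[GNUPG:] EXPKEYSIG 16792B4EA25340F8 Carlos O'Donell <carlos@example.invalid>
[GNUPG:] VALIDSIG 7273542B39962DF7B299931416792B4EA25340F8 2024-01-31 1706738738 0 4 0 1 10 00 7273542B39962DF7B299931416792B4EA25340F8
[GNUPG:] KEYEXPIRED 1658534400
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed status output for the happy path after the key has been refreshed.
SAMPLE_STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 16792B4EA25340F8 Carlos O'Donell <carlos@example.invalid>
[GNUPG:] VALIDSIG 7273542B39962DF7B299931416792B4EA25340F8 2024-01-31 1706738738 0 4 0 1 10 00 7273542B39962DF7B299931416792B4EA25340F8
[GNUPG:] TRUST_FULLY 0 pgp
"""


@dataclass
class VerifyResult:
    verdict: str                  # "accept", "refresh-key" or "reject"
    reason: str
    fingerprint: Optional[str] = None
    sig_time: Optional[int] = None        # signature creation, Unix time
    key_expiry: Optional[int] = None      # key expiry, Unix time (if reported)
    signed_after_expiry: Optional[bool] = None


def parse_status(status_text: str) -> dict[str, list[list[str]]]:
    """Turn '[GNUPG:] KEYWORD arg...' lines into {KEYWORD: [[args], ...]}."""
    found: dict[str, list[list[str]]] = {}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                       # human-readable chatter, ignore
        parts = line[len("[GNUPG:] "):].split()
        if parts:
            found.setdefault(parts[0], []).append(parts[1:])
    return found


def classify(status_text: str) -> VerifyResult:
    """Decide what to do with the signed file based on gpg's status keywords."""
    st = parse_status(status_text)
    if "BADSIG" in st:
        return VerifyResult("reject", "signature does not match the data")
    if "NO_PUBKEY" in st or "ERRSIG" in st:
        return VerifyResult("reject", "signing key unavailable; nothing could be verified")
    if "VALIDSIG" not in st:
        return VerifyResult("reject", "no VALIDSIG line; treat as unverified")

    v = st["VALIDSIG"][0]
    fpr, sig_time = v[0], int(v[2])
    key_expiry = int(st["KEYEXPIRED"][0][0]) if "KEYEXPIRED" in st else None

    if "REVKEYSIG" in st:
        return VerifyResult("reject", "signing key has been revoked", fpr, sig_time, key_expiry)
    if "EXPSIG" in st:
        return VerifyResult("reject", "the signature itself has expired", fpr, sig_time, key_expiry)
    if "EXPKEYSIG" in st:
        # Valid signature, expired key: the usual cause is a stale local copy of a
        # key the maintainer renews regularly. Fetch the current key, then re-verify.
        after = key_expiry is not None and sig_time > key_expiry
        return VerifyResult("refresh-key",
                            "valid signature but the local key copy has expired; "
                            "fetch the maintainer's current key and verify again",
                            fpr, sig_time, key_expiry, after)
    if "GOODSIG" in st:
        return VerifyResult("accept", "good signature from a current key", fpr, sig_time, key_expiry, False)
    return VerifyResult("reject", "unrecognised status combination; refusing to accept")


def verify_file(sig_path: str, data_path: str) -> VerifyResult:
    """Run gpg (assumed on PATH) and classify its status output."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True)
    return classify(proc.stdout)


if __name__ == "__main__":
    for name, sample in (("stale key", SAMPLE_STATUS_EXPIRED), ("refreshed key", SAMPLE_STATUS_GOOD)):
        r = classify(sample)
        print(f"{name}: {r.verdict} ({r.reason}); signed after expiry: {r.signed_after_expiry}")
```

`signed_after_expiry` is set when the signature timestamp is later than the expiry gpg reports for the local key, which is the tell-tale of a stale copy: a key renewed upstream keeps the same fingerprint, so fetching the current key from the project's security page and re-running the verification turns the `refresh-key` verdict into `accept` without changing the fingerprint you pinned.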