Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/08/18 15:29:47 UTC

DO NOT REPLY [Bug 51679] New: Code signature key expired

https://issues.apache.org/bugzilla/show_bug.cgi?id=51679

             Bug #: 51679
           Summary: Code signature key expired
           Product: Apache httpd-2
           Version: 2.2.19
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P2
         Component: All
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: brunzema@dimdi.de
    Classification: Unclassified


The signing key for httpd-2.2.19.tar.gz.asc seems to have expired:

gpg -v --verify httpd-2.2.19.tar.gz.asc
gpg: armor header: Version: GnuPG v1.4.9 (GNU/Linux)
gpg: assuming signed data in `httpd-2.2.19.tar.gz'
gpg: Signature made Fri 20 May 2011 07:02:24 PM CEST using RSA key ID 7F7214A7
                                                                      ^^^^^^^^
gpg: NOTE: signature key CB9B9EC5 expired Fri 03 Jul 2009 05:21:46 PM CEST
gpg: NOTE: signature key 7F7214A7 expired Sat 09 Jul 2011 02:54:10 AM CEST
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
gpg: using subkey 7F7214A7 instead of primary key B55D9977
gpg: NOTE: signature key 7F7214A7 expired Sat 09 Jul 2011 02:54:10 AM CEST
gpg: NOTE: signature key CB9B9EC5 expired Fri 03 Jul 2009 05:21:46 PM CEST
gpg: NOTE: signature key 7F7214A7 expired Sat 09 Jul 2011 02:54:10 AM CEST
gpg: using PGP trust model
gpg: Good signature from "William A. Rowe, Jr. <wr...@rowe-clan.net>"
gpg:                 aka "William A. Rowe, Jr. <wr...@apache.org>"
gpg:                 aka "William A. Rowe, Jr. <wr...@vmware.com>"
gpg:                 aka "William A. Rowe, Jr. <wi...@springsource.com>"
gpg: NOTE: signature key CB9B9EC5 expired Fri 03 Jul 2009 05:21:46 PM CEST
gpg: NOTE: signature key 7F7214A7 expired Sat 09 Jul 2011 02:54:10 AM CEST
gpg: Note: This key has expired!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Primary key fingerprint: B1B9 6F45 DFBD CCF9 7401  9235 193F 180A B55D 9977
     Subkey fingerprint: 4962 0827 E32B C882 DC6B  EF54 A348 B984 7F72 14A7
gpg: binary signature, digest algorithm SHA1

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


RE: DO NOT REPLY [Bug 51679] New: Code signature key expired

Posted by "Plüm, Rüdiger, VF-Group" <ru...@vodafone.com>.
IMHO it can be re-signed in place since we do not touch the release artifacts themselves.
But as Bill did the release IMHO he should re-sign the release to be consistent with the
other metadata of this release (e.g. the creator of the 2.2.19 tag).

Regards

Rüdiger 

> -----Original Message-----
> From: Eric Covener 
> Sent: Thursday, 18 August 2011 17:29
> To: dev@httpd.apache.org
> Subject: Fwd: DO NOT REPLY [Bug 51679] New: Code signature key expired
> 
> CHANGES says that currently nothing is backported to 2.2.x since
> 2.2.19 -- should we burn a release # to replace?  Can the existing
> release be re-signed in-place?
> 
> 
> ---------- Forwarded message ----------
> From:  <bu...@apache.org>
> Date: Thu, Aug 18, 2011 at 9:29 AM
> Subject: DO NOT REPLY [Bug 51679] New: Code signature key expired
> To: bugs@httpd.apache.org
> 
> 
> https://issues.apache.org/bugzilla/show_bug.cgi?id=51679
> 
> -- 
> Eric Covener
> covener@gmail.com
> 

Re: Fwd: DO NOT REPLY [Bug 51679] New: Code signature key expired

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 8/18/2011 10:29 AM, Eric Covener wrote:
> CHANGES says that currently nothing is backported to 2.2.x since
> 2.2.19 -- should we burn a release # to replace?  Can the existing
> release be re-signed in-place?

Hmmm... although I'm happy to re-sign, this is a flaw in gpg; the sig
was valid at the time the artifact was signed.  The same is true for
a vast number of artifacts at archive.apache.org/dist/

If we are treating this flaw in gpg as valid, we should probably set
up a policy of using keys that won't expire for 'X' period of time
following the release.

But IMHO, the underlying complaint is not legitimate.
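
Added example, not part of the thread and not Apache or GnuPG code: a Python check that separates the case argued over above (a good signature made before the signing key expired) from signatures that must be rejected, and tests the "valid for X after release" policy. It assumes input from `gpg --status-fd 1 --verify` and `gpg --with-colons --fixed-list-mode --list-keys`; the function names are hypothetical and the sample lines are constructed from the values in the bug report.

```python
from datetime import datetime, timezone

def _utc(*ymdhms):
    return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp())

# Constructed sample input, not captured gpg output. Fingerprints and times are
# the ones in the bug report (CEST converted to UTC epoch seconds).
SUBKEY_FPR = "49620827E32BC882DC6BEF54A348B9847F7214A7"
PRIMARY_FPR = "B1B96F45DFBDCCF974019235193F180AB55D9977"
SIG_TS = _utc(2011, 5, 20, 17, 2, 24)   # "Signature made"
EXP_TS = _utc(2011, 7, 9, 0, 54, 10)    # expiry of subkey 7F7214A7
SAMPLE_STATUS = (
    f"[GNUPG:] EXPKEYSIG {SUBKEY_FPR[-16:]} William A. Rowe, Jr.\n"
    f"[GNUPG:] VALIDSIG {SUBKEY_FPR} 2011-05-20 {SIG_TS} 0 4 0 1 2 00 {PRIMARY_FPR}\n"
)
# Key length and creation date are not on the page, so those fields are empty.
SAMPLE_COLONS = f"sub:e::1:{SUBKEY_FPR[-16:]}::{EXP_TS}:::::s:\n"

def key_expiry(colons, long_keyid):
    """Expiry (epoch seconds) from a colon-format key listing, or None."""
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 6 and f[4] == long_keyid and f[6]:
            return int(f[6])
    return None

def classify(status, colons):
    """Tell 'key expired after signing' apart from signatures to reject."""
    signer = sig_ts = None
    for line in status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in ("BADSIG", "ERRSIG", "EXPSIG", "REVKEYSIG"):
            return "reject: " + parts[1]
        if parts[1] == "VALIDSIG" and len(parts) >= 5:
            signer, sig_ts = parts[2], int(parts[4])
    if sig_ts is None:
        return "reject: no valid signature"
    expiry = key_expiry(colons, signer[-16:])
    # The signature time is asserted by the signer; it is compared, not proven.
    if expiry is not None and sig_ts >= expiry:
        return "reject: signed after key expiry"
    return "ok: key valid at signing time"

def outlives_release(sig_ts, expiry, days):
    """Policy from the thread: key stays valid at least `days` after signing."""
    return expiry is None or expiry - sig_ts >= days * 86400
```

For the 2.2.19 signature the key outlived the signing date by 49 days, so a 30-day policy passes and a 90-day policy fails.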

Fwd: DO NOT REPLY [Bug 51679] New: Code signature key expired

Posted by Eric Covener <co...@gmail.com>.
CHANGES says that currently nothing is backported to 2.2.x since
2.2.19 -- should we burn a release # to replace?  Can the existing
release be re-signed in-place?


---------- Forwarded message ----------
From:  <bu...@apache.org>
Date: Thu, Aug 18, 2011 at 9:29 AM
Subject: DO NOT REPLY [Bug 51679] New: Code signature key expired
To: bugs@httpd.apache.org


https://issues.apache.org/bugzilla/show_bug.cgi?id=51679

-- 
Eric Covener
covener@gmail.com