[Gpg4win-users-de] Expired signer's key of the latest distribution of gpg4win

Bernhard Reiter bernhard at intevation.de
Fri Feb 12 12:52:29 CET 2010


[I am answering this on users-_en_ where I believe it should go.]

On Thursday, 4 February 2010 06:57:23, Mårdklo wrote:
> This happened on Monday 100201:
> Normally using Linux (Ubuntu) I also work with a Windows XP machine
> (sp3), where I want to install gpg4win (latest working version).   I
> found this gpg4win-2.0.1.exe at http://gpg4win.org/.  However the
> corresponding sig-file seems to be out of date and I don't want to
> install this kind of software without being quite sure of validity and
> trust.
> When I try to verify the distribution (from linux where I do have gpgv
> installed, and some of the signer's unexpired keys) I got this:
> lars at myubuntuno1:~$ gpg --verify /home/lars/Desktop/gpg4win-2.0.1.exe.sig
> gpg: Signature made Mon 28 Sep 2009 06:47:45 PM CEST using RSA key ID
> 1CE0C630
> gpg: Good signature from "Werner Koch (dist sig) <dd9jn at gnu.org>"

This means the signature is good.

> gpg: Note: This key has expired!
> Primary key fingerprint: 7B96 D396 E647 1601 754B  E4DB 53B6 20D0 1CE0 C630
> lars at myubuntuno1:~$
>
> When I checked the actual key of the signer, I found that it had expired
> the day before, 2010-01-31 (!).
> Maybe something had to be corrected?
> Can you give me some advice?

I think the situation comes from the fact that it is not clear enough what an
expired key means. This expiration usually means that people should not use
the key for new crypto operations. It can be safe to check old signatures with
it. In this case you are fine unless the key is revoked or cryptographically
irrelevant. (Neither seems to be the case today.)

Also I believe that the key usage time was extended, so you can just
reload the key. E.g. gpg2 --recv-key 1CE0C630 (on a modern GNU system).

Best,
Bernhard


-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
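
The distinction drawn in the message above (a good signature from a key that has since expired, versus a revoked key or a bad signature) can be checked mechanically from GnuPG's machine-readable status lines. The following is an added example, not part of the original message or of Gpg4win; the function name `assess`, the sample status text and its timestamps are constructed for illustration, and only the fingerprint and key ID come from the thread.

```python
# Input: the text gpg prints with `gpg --status-fd 1 --verify FILE.sig FILE`.
PINNED_FPR = "7B96D396E6471601754BE4DB53B620D01CE0C630"  # fingerprint quoted in the thread

# Constructed status output; the timestamps approximate the dates in the thread.
SAMPLE_EXPIRED_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1264896000
[GNUPG:] EXPKEYSIG 53B620D01CE0C630 Werner Koch (dist sig) <dd9jn at gnu.org>
[GNUPG:] VALIDSIG 7B96D396E6471601754BE4DB53B620D01CE0C630 2009-09-28 1254156465 0 4 0 1 2 00 7B96D396E6471601754BE4DB53B620D01CE0C630
"""
SAMPLE_REVOKED_KEY = "[GNUPG:] REVKEYSIG 53B620D01CE0C630 Werner Koch (dist sig)\n"
SAMPLE_BAD_SIG = "[GNUPG:] BADSIG 53B620D01CE0C630 Werner Koch (dist sig)\n"

SIG_RESULTS = ("GOODSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG", "BADSIG", "ERRSIG")

def assess(status_text, pinned_fpr=PINNED_FPR):
    """Return (accept, reason) for the status output of one detached signature."""
    result, sig_time, primary_fpr, expiries = None, None, None, []
    for line in status_text.splitlines():
        prefix, _, rest = line.partition(" ")
        fields = rest.split()
        if prefix != "[GNUPG:]" or not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in SIG_RESULTS:
            if result is not None:
                return False, "more than one signature result"
            result = keyword
        elif keyword == "KEYEXPIRED" and args:
            expiries.append(int(args[0]))  # assumes epoch seconds (gpg default)
        elif keyword == "VALIDSIG" and len(args) >= 10:
            sig_time, primary_fpr = int(args[2]), args[9]
    if result not in ("GOODSIG", "EXPKEYSIG"):
        return False, f"rejected: {result or 'no signature result'}"
    if primary_fpr != pinned_fpr:
        return False, "not signed by the pinned key"
    if result == "GOODSIG":
        return True, "good signature, key currently valid"
    # KEYEXPIRED is also emitted for subkeys, so compare against the earliest one.
    # The signature time is the signer's claim; revocation, not expiry, covers key compromise.
    if not expiries or sig_time >= min(expiries):
        return False, "signature is not dated before the key expiry"
    return True, "good signature made before the key expired"

if __name__ == "__main__":
    for sample in (SAMPLE_EXPIRED_KEY, SAMPLE_REVOKED_KEY, SAMPLE_BAD_SIG):
        print(assess(sample))
```

Pinning the full fingerprint rather than the 8-character key ID avoids accepting a different key that shares the short ID.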