Current 3mdeb-secpack master signed with expired key

[marmarek]

$ git show --show-signature -s  origin/master
commit a8dd882d0e361040b9f1e1a6c3ef6da935fac722 (HEAD -> master, origin/master, origin/HEAD)
gpg: Signature made Thu Sep 18 19:06:09 2025 CEST
gpg:                using RSA key A712814EC730D0D554F3F7A44084CE16676BD816
gpg: Good signature from "Daniil Klimuk <daniil.klimuk@3mdeb.com>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: A712 814E C730 D0D5 54F3  F7A4 4084 CE16 676B D816
Author: Daniil Klimuk <daniil.klimuk@3mdeb.com>
Date:   Thu Sep 18 19:05:55 2025 +0200

    dasharo: dasharo-tools-suite-open-source-software-release-2.7.x: add key
    
    Signed-off-by: Daniil Klimuk <daniil.klimuk@3mdeb.com>

and

$ gpg keys/employees-keys/daniil-klimuk-signed.asc 
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2023-06-12 [SC] [expires: 2026-06-11]
      A712814EC730D0D554F3F7A44084CE16676BD816
uid           Daniil Klimuk <daniil.klimuk@3mdeb.com>
sub   rsa4096 2023-06-12 [E] [expired: 2025-06-11]

Since the signature was made yesterday, I guess extended key does exist somewhere, it just isn't updated in the repo (and/or on keyservers).

Kinda related to #130

[pietrushnic]

@marmarek this is definitely an issue, which @DaniilKl has to fix, but the root of trust for this key is different, namely, it is 3mdeb Master Key, so this issue should not prevent use of the key, or am I missing something?

[marmarek]

The issue is just as shown above - gpg shows the good (git) signature is made with expired key. So, technically, you don't know if this key wasn't for example replaced with a newer one, or maybe lost. If a signature would be verified with a script, it would be refused.

[pietrushnic]

The issue is just as shown above - gpg shows the good (git) signature is made with expired key.

I get it. Just making sure the issue is only with @DaniilKl's stuff and we don't have side-effect impact in mind that I miss/do not consider regarding DTS key itself.

So, technically, you don't know if this key wasn't for example replaced with a newer one, or maybe lost. If a signature would be verified with a script, it would be refused.

Understood.

[marmarek]

DTS key itself is fine. For other DTS issues I'm opening another issue :P

[DaniilKl]

@marmarek, the signing key is up to date, but the encryption sub key is expired. The singing key validity was extended according to the 3mdeb process. I am not sure why your GPG shows gpg: Note: This key has expired!, as my does not show that (version difference probably).

[marmarek]

Hm, I'm not sure either... maybe it considered subkey when listing the key? Weird. Could be also gpg bug, when I check the signature with sequoia (via cameleon, git -c gpg.program=gpg-sq ...) it doesn't show expired anymore. And that way the key is also listed as valid:

$ gpg-sq  -k A712814EC730D0D554F3F7A44084CE16676BD816
pub   rsa4096 2023-06-12 [SC] [expires: 2026-06-11]
      A712814EC730D0D554F3F7A44084CE16676BD816
uid           [ unknown] Daniil Klimuk <daniil.klimuk@3mdeb.com>

[DaniilKl]

Interesting. I will extend the sub key later and we can check, whether your gpg means that it is the sub-key that is expired.