Open tschmidtb51 opened 1 year ago
What is the use case for a more detailed output here? Should the validity be checked automatically?
Many admins would download the key from the URL and do more in depth checks on that downloaded pubkey.
I would like to make my work easier when I review new CSAF sources.
Checking the validity automatically would be a nice option (like still valid for x days).
Many admins would download the key from the URL and do more in depth checks on that downloaded pubkey.
True. But it is a manual effort if I have to do that for each new source. The report makes it easier and can also be used by "non-technical" people.
Also: According to the FAQ a signature must still be valid for 30 days (should be 90 days). If we come below those values, the checker should add an error/warning.
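The automatic expiry check asked for above, as an added example that is not code from the checker or from anyone in this thread: it walks the raw OpenPGP packets of an exported public key (RFC 4880 layout), reads the Key Expiration Time subpacket of the primary key's self-signature and grades the remaining validity against the 30-day (error) and 90-day (warning) thresholds quoted from the FAQ. The sample key is constructed inline and is not a real key; the function names and the treatment of every signature before the first subkey as a primary-key self-signature are assumptions of this example.

```python
import struct, time
PUBLIC_KEY, SIGNATURE, PUBLIC_SUBKEY, KEY_EXPIRATION_TIME = 6, 2, 14, 9  # packet tags / subpacket type

def _length(data, pos):  # new-format packet or subpacket length, 1-, 2- or 5-byte forms (RFC 4880 4.2.2)
    l0 = data[pos]
    if l0 < 192: return l0, pos + 1
    if l0 < 224: return ((l0 - 192) << 8) + data[pos + 1] + 192, pos + 2
    if l0 == 255: return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths are not supported")  # 224..254 in packet headers

def iter_packets(data):  # yield (tag, body) for old- and new-format packet headers
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0x40:                                             # new format: tag in the low 6 bits
            tag, (length, pos) = ctb & 0x3F, _length(data, pos + 1)
        else:                                                      # old format: tag in bits 2-5, length size in bits 0-1
            tag, size = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 0x03]  # KeyError on indeterminate length
            length, pos = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), pos + 1 + size
        yield tag, data[pos:pos + length]
        pos += length

def key_expiry(data):  # (creation, expiry) of the primary key as Unix times; expiry None = never expires
    creation = expiry = None
    for tag, body in iter_packets(data):
        if tag == PUBLIC_SUBKEY:                                   # subkey binding sigs carry their own expiry
            break
        if tag == PUBLIC_KEY and body[0] == 4:                     # v4 key packet: version, 4-byte creation time
            creation = struct.unpack(">I", body[1:5])[0]
        elif tag == SIGNATURE and body[0] == 4 and creation is not None:  # treated as primary-key self-signature
            pos, end = 6, 6 + struct.unpack(">H", body[4:6])[0]       # hashed subpacket area of a v4 signature
            while pos < end:
                length, pos = _length(body, pos)
                if body[pos] == KEY_EXPIRATION_TIME:               # value: seconds after key creation
                    expiry = creation + struct.unpack(">I", body[pos + 1:pos + 5])[0]
                pos += length
    return creation, expiry

def check_validity(data, now=None, warn_days=90, error_days=30):  # FAQ: should stay valid 90 days, must 30
    _, expiry = key_expiry(data)
    if expiry is None: return "ok", None                           # key never expires
    days_left = (expiry - int(time.time() if now is None else now)) // 86400
    status = "error" if days_left < error_days else "warning" if days_left < warn_days else "ok"
    return status, days_left

# Constructed sample, not a real key: v4 primary key with tiny fake MPIs, then a positive certification
# (ver 4, type 0x13, RSA, SHA-256, 6 hashed bytes = one type-9 subpacket with a one-year value, no unhashed, left16, fake MPI).
CREATION = 1_700_000_000
_pub_body = b"\x04" + struct.pack(">I", CREATION) + b"\x01" + b"\x00\x08\xff" + b"\x00\x02\x03"
_sig_body = b"\x04\x13\x01\x08\x00\x06" + b"\x05\x09" + struct.pack(">I", 365 * 86400) + b"\x00\x00\x00\x00\x00\x01\x01"
SAMPLE_KEY = bytes([0x98, len(_pub_body)]) + _pub_body + bytes([0xC2, len(_sig_body)]) + _sig_body
```

Feeding the binary form of a real `gpg --export` output to `check_validity` gives the status and days left that a verbose report could print; expiry says nothing about whether the key belongs to its claimed owner, which is the separate question raised below.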
Some checks are easier than others. The time period where a pubkey is "valid" can be checked easily.
What is hard to check is how much you believe that the pubkey belongs to the owner (some other form of "validity"). This is the most important property of a pubkey. To phrase the consequence the other way round: if there is no indication that a pubkey belongs to the assumed owner, the signature has no value (and must be ignored). Right now our code lacks many methods of checking information about this "belief", e.g. like trying the corresponding web key directory or looking for 3rd-party signatures of other pubkeys we partly trust.
We could add to the more verbose report additional details about the OpenPGP key: e.g.