If a CSAF document is signed on Pi day (the 14th of March 2023) and the key expires at the end of that March,
is the signature valid and okay for the CSAF standard?
If yes, the behaviour of the tools would have to be adjusted accordingly.
Currently a public OpenPGP key must be fully valid at the time of downloading.
This would lead to re-signing of very old advisories.
The standard just says:
"The OpenPGP key SHOULD have a strength that is considered secure."
Being valid is part of being considered "secure", and old keys may not be secure enough anymore.
But as this is a "SHOULD", it could become a warning, if our tools were able to check the validity
of the key at the time of signing.
Behaviour of v3.0.0:
Checker and downloader stop if a CSAF document is downloaded and the OpenPGP signature was done with a key that is expired, even if it was valid at the time of signing.
Example message:
Signature of https://www.example.com/.well-known/csaf/white/2022/example-2022-0003.json could not be verified: Signature Verification Error: Invalid signature caused by openpgp: key expired.
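As an added example (not code from the CSAF tools themselves), the following Go snippet reads the creation time out of a v4 OpenPGP signature packet and applies the policy proposed above: reject if the key was not valid when the document was signed, warn if it was valid then but has expired since, accept otherwise. The packet bytes are a constructed sample, and the names sigCreationTime and keyVerdict are assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"time"
)

// sigCreationTime returns the creation time of a v4 OpenPGP signature packet
// (RFC 4880 5.2.3.4, hashed subpacket type 2). Assumes an old-format header with
// a one-octet packet length and one-octet subpacket lengths.
func sigCreationTime(pkt []byte) (time.Time, error) {
	if len(pkt) < 8 || pkt[0]&0xc0 != 0x80 || (pkt[0]>>2)&0x0f != 2 || pkt[2] != 4 {
		return time.Time{}, errors.New("not an old-format v4 signature packet")
	}
	body := pkt[2:]
	end := 6 + int(binary.BigEndian.Uint16(body[4:6]))
	if end > len(body) {
		return time.Time{}, errors.New("truncated hashed subpacket area")
	}
	for sub := body[6:end]; len(sub) >= 2; sub = sub[1+int(sub[0]):] {
		n := int(sub[0]) // subpacket length, including the type octet
		if n == 0 || 1+n > len(sub) {
			break
		}
		if sub[1] == 2 && n == 5 {
			return time.Unix(int64(binary.BigEndian.Uint32(sub[2:6])), 0).UTC(), nil
		}
	}
	return time.Time{}, errors.New("no signature creation time subpacket")
}

// keyVerdict applies the policy discussed above: "reject" if the key was not valid
// when the document was signed, "warn" if it was valid then but has expired since
// (the proposed treatment of the SHOULD), "accept" otherwise. The signing time is
// asserted by the signer, not by a trusted clock, so "warn" must stay visible.
func keyVerdict(sigTime, keyCreated, keyExpires, now time.Time) string {
	expires := !keyExpires.IsZero() // a zero keyExpires means the key never expires
	if sigTime.Before(keyCreated) || (expires && !sigTime.Before(keyExpires)) {
		return "reject"
	}
	if expires && !now.Before(keyExpires) {
		return "warn"
	}
	return "accept"
}

// Constructed sample: a minimal v4 signature packet created 2023-03-14T12:00:00Z
// (0x641061C0); the trailing MPI is a dummy, so only the metadata is meaningful.
var piDaySig = []byte{0x88, 0x13, 0x04, 0x00, 0x16, 0x08, 0x00, 0x06, 0x05, 0x02, 0x64, 0x10, 0x61, 0xC0, 0x00, 0x00, 0xAB, 0xCD, 0x00, 0x01, 0x01}
```

With a key expiring at the end of March 2023, the Pi day signature yields "accept" when checked on 20 March and "warn" when checked on 15 April, which is where v3.0.0 currently stops with an error.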