Open rayx opened 1 month ago
The keys come from the swift.org website (https://www.swift.org/keys/all-keys.asc). It might be better that the website stops serving expired keys. You could add an issue there.
There is nothing stopping swiftly installing swift 2/3/4. As long as the tarballs are available on swift.org it should work. I haven't tested swift 2 or 3 though.
The Swift website has a page for active GPG keys (https://www.swift.org/keys/active/). I found it by google. Unfortunately that page isn't friendly to scripts and there seems to be no active-keys.asc file. On the other hand, I suspect all-keys.asc is for archive purposes so it probably should contain expired keys.
When I submitted the issue, I thought gpg might have an option to skip expired keys when importing them. I googled a bit today. There seems to be no out-of-the-box way to do it. Also, based on some discussions on the net, gpg allows one to verify signatures using expired keys.
So, while I think the current behavior is a little bit confusing to me, I don't have a strong opinion about it. Feel free to close it if there isn't a simple way or it isn't worth the effort.
I think opening an issue on Swift.org website to provide a nice parseable way of getting the current keys is something we should be able to implement.
We'll still need the 2.x, 3.x, 4.x release keys, otherwise we won't be able to verify installs of Swift earlier than 5.0.
While I installed swiftly, I saw output like the following:
Most of the keys are expired:
I think expired keys are useless? Also, swiftly doesn't support downloading Swift 2/3/4 releases. And the Automatic Signing Keys 1/2/3 are apparently obsoleted by key 4. So I think swiftly should ignore those expired keys.
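The thread notes that gpg has no import option for skipping expired keys. As an added example (not swiftly's code), this sketch reads the machine-readable listing that `gpg --show-keys --with-colons all-keys.asc` prints and marks each primary key as expired or not from its expiration timestamp. It only reports, since expired keys may still be wanted for older releases. The sample listing, key IDs, fingerprints and names are constructed, and the function names are hypothetical.

```python
import time

# Constructed sample in the shape of `gpg --show-keys --with-colons` output.
# Key IDs, fingerprints, dates and user IDs are made up (not swift.org keys).
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAA1:1448000000:1511000000::-:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:-::::1448000000::HASH1::Example Release Key 2 <a@example.invalid>::::::::::0:
sub:-:4096:1:BBBBBBBBBBBBBBB1:1448000000:1511000000:::::e::::::23:
fpr:::::::::9999999999999999999999999999999999999999:
pub:-:4096:1:AAAAAAAAAAAAAAA2:1600000000:::-:::scESC::::::23::0:
fpr:::::::::2222222222222222222222222222222222222222:
uid:-::::1600000000::HASH2::Example Signing Key 4 <b@example.invalid>::::::::::0:
pub:-:4096:1:AAAAAAAAAAAAAAA3:1600000000:4102444800::-:::scESC::::::23::0:
fpr:::::::::3333333333333333333333333333333333333333:
uid:-::::1600000000::HASH3::Example Release Key 6 <c@example.invalid>::::::::::0:
"""

def classify_keys(colon_listing, now=None):
    """Return one dict per primary key with its expiry status."""
    now = int(time.time()) if now is None else now
    keys, current = [], None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 6:
            # Field 7 is the expiration time (epoch seconds); empty = never.
            expires = int(f[6]) if f[6].isdigit() else None
            current = {"keyid": f[4], "fingerprint": None, "uid": None,
                       "expires": expires,
                       "expired": expires is not None and expires <= now}
            keys.append(current)
        elif current is None or len(f) < 10:
            continue
        elif f[0] == "fpr" and current["fingerprint"] is None:
            # The first fpr record after pub is the primary key's; later
            # fpr records belong to subkeys and are skipped.
            current["fingerprint"] = f[9]
        elif f[0] == "uid" and current["uid"] is None:
            current["uid"] = f[9]
    return keys

def active_fingerprints(colon_listing, now=None):
    """Fingerprints of primary keys that have not expired."""
    return [k["fingerprint"] for k in classify_keys(colon_listing, now)
            if not k["expired"]]

if __name__ == "__main__":
    for k in classify_keys(SAMPLE):
        print("expired" if k["expired"] else "active ", k["fingerprint"], k["uid"])
```
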