yarnpkg / yarn

The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
https://classic.yarnpkg.com

Resign `Release.gpg` to produce a valid signature #8983

Open Cornelicorn opened 9 months ago

Cornelicorn commented 9 months ago

I was trying to mirror the yarn debian repo with a tool called pom. This fails due to invalidity of the signatures of the debian yarn repo (See the bug report in pom, https://bugzilla.proxmox.com/show_bug.cgi?id=4919#c1).

The subkey used for signing Release.gpg only has a valid signature from 2023-01-24 onwards while the signature Release.gpg was performed on 2022-05-15.

gpg ignores this error and shows a valid signature, and thus apt doesn't have a problem with it, but the signature is not valid, since the key was not valid at signature time; the expired signature at that time is missing from the current keyring.

Can you please update the repo metadata, i.e. resign Release.gpg?
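The check the reporter describes, as an added example that is neither part of this issue nor yarn's or gpg's code: a minimal RFC 4880 packet parser that reads the creation time of a detached signature and the binding signatures of the subkey that issued it, and rejects the signature when no binding signature in the keyring was already in force at signing time. It verifies no cryptography (that is what `gpg --verify` is for); the keyring and Release.gpg at the bottom are constructed with this issue's dates and dummy RSA values, the subkey creation date 2019-01-02 and the 2026-01-23 expiry are taken from the key listing in the thread, and the single-binding-signature keyring is an assumption about how the published key looked.

```python
# Added example for this issue (not yarn's or gpg's code): flag a detached OpenPGP
# signature made before its subkey's earliest binding signature in the keyring.
import hashlib
import struct
from datetime import datetime, timezone

SUBKEY_TAG, SIG_TAG, SIG_BINARY_DOC, SIG_SUBKEY_BINDING = 14, 2, 0x00, 0x18
date = lambda t: datetime.fromtimestamp(t, timezone.utc).date()

def _newlen(buf, i):
    """New-format length (RFC 4880 s4.2.2; subpackets use the same scheme): (n, next i)."""
    b = buf[i]
    if b < 192:
        return b, i + 1
    if b < 224:
        return ((b - 192) << 8) + buf[i + 1] + 192, i + 2
    if b == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths not supported")

def read_packets(data):
    """Yield (tag, body) for every packet; gpg exports still use old-format headers."""
    i = 0
    while i < len(data):
        b0 = data[i]
        if b0 & 0x40:                                   # new-format header
            tag, (n, i) = b0 & 0x3F, _newlen(data, i + 1)
        else:                                           # old-format header
            tag, width = (b0 >> 2) & 0x0F, 1 << (b0 & 3)
            if width == 8:                              # length type 3 = indeterminate
                raise ValueError("indeterminate length not supported")
            n, i = int.from_bytes(data[i + 1:i + 1 + width], "big"), i + 1 + width
        yield tag, data[i:i + n]
        i += n

def subpackets(buf):
    """Yield (type, data) per signature subpacket, critical bit masked off."""
    i = 0
    while i < len(buf):
        n, i = _newlen(buf, i)
        yield buf[i] & 0x7F, buf[i + 1:i + n]
        i += n

def parse_signature(body):
    """Type, creation time, relative key expiry and issuer key ID of a v4 signature."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    sig = {"type": body[1], "created": None, "expiry": None, "issuer": None}
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    for hashed, buf in ((True, body[6:6 + hlen]), (False, body[8 + hlen:8 + hlen + ulen])):
        for t, d in subpackets(buf):
            if t == 2 and hashed:                       # signature creation time
                sig["created"] = struct.unpack(">I", d)[0]
            elif t == 9 and hashed:                     # key expiry, seconds after key creation
                sig["expiry"] = struct.unpack(">I", d)[0]
            elif t == 16:                               # issuer key ID; gpg puts it unhashed
                sig["issuer"] = d.hex()
    return sig

def key_id(key_body):
    """Low 64 bits of the v4 fingerprint: SHA-1 over 0x99 || 2-byte len || key body."""
    h = hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body)
    return h.digest()[-8:].hex()

def check_signing_time(keyring, detached_sig):
    """(ok, reason): ok only if some binding signature on the issuing subkey already
    existed, and the subkey had not expired, when the data signature was created."""
    (_, body), = read_packets(detached_sig)             # a detached signature is one packet
    sig, key_created, windows = parse_signature(body), None, []
    for tag, pkt in read_packets(keyring):
        if tag == SUBKEY_TAG:                           # only follow the issuing subkey
            key_created = struct.unpack(">I", pkt[1:5])[0] if key_id(pkt) == sig["issuer"] else None
        elif tag == SIG_TAG and key_created is not None:
            b = parse_signature(pkt)
            if b["type"] == SIG_SUBKEY_BINDING:
                windows.append((b["created"], key_created + b["expiry"] if b["expiry"] else None))
    for created, expires in windows:
        if created <= sig["created"] and (expires is None or sig["created"] < expires):
            return True, f"binding signature of {date(created)} covers {date(sig['created'])}"
    return False, f"no binding signature of subkey {sig['issuer']} was valid at {date(sig['created'])}"

# Constructed sample input with this issue's dates (dummy RSA MPIs, nothing is really signed).
def packet(tag, body):                                  # new-format header, body < 192 bytes
    return bytes([0xC0 | tag, len(body)]) + body
def make_sig(sigtype, created, issuer=b"", expiry=None):
    sp = lambda t, d: bytes([len(d) + 1, t]) + d
    hashed = sp(2, struct.pack(">I", created)) + (sp(9, struct.pack(">I", expiry)) if expiry else b"")
    unhashed = sp(16, issuer) if issuer else b""
    return packet(SIG_TAG, bytes([4, sigtype, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
                  + struct.pack(">H", len(unhashed)) + unhashed + b"\0\0\0\x08\xaa")

ts = lambda y, m, d: int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())
SUBKEY_BODY = b"\x04" + struct.pack(">I", ts(2019, 1, 2)) + b"\x01\x00\x08\xab\x00\x02\x03"
EXPIRY = ts(2026, 1, 23) - ts(2019, 1, 2)               # type-9 value is relative to key creation
BINDING_2019 = make_sig(SIG_SUBKEY_BINDING, ts(2019, 1, 2), expiry=EXPIRY)
BINDING_2023 = make_sig(SIG_SUBKEY_BINDING, ts(2023, 1, 24), expiry=EXPIRY)
KEYRING_AS_PUBLISHED = packet(SUBKEY_TAG, SUBKEY_BODY) + BINDING_2023     # 2019 binding stripped (assumed)
KEYRING_COMPLETE = packet(SUBKEY_TAG, SUBKEY_BODY) + BINDING_2019 + BINDING_2023
RELEASE_GPG_2022 = make_sig(SIG_BINARY_DOC, ts(2022, 5, 15), issuer=bytes.fromhex(key_id(SUBKEY_BODY)))
```

`check_signing_time(KEYRING_AS_PUBLISHED, RELEASE_GPG_2022)` returns False because the only binding signature postdates the 2022 data signature, while the same call against `KEYRING_COMPLETE` returns True. For real input, export the binary keyring with `gpg --export <keyid>` and strip the armor from Release.gpg with `gpg --dearmor`, then pass the two byte strings. A True result only means the timestamps are consistent; revocations, signature expiry (subpacket type 3) and the primary key's own validity are not examined here.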

Daniel15 commented 1 month ago

> The subkey used for signing Release.gpg only has a valid signature from 2023-01-24 onwards

That doesn't look like the case to me - all the active signing subkeys show a creation date in 2019 for me:

```
pub   rsa4096 2016-10-05 [SC]
      72ECF46A56B4AD39C907BBB71646B01B86E50310
uid           [ unknown] Yarn Packaging <yarn@dan.cx>
sub   rsa4096 2016-10-05 [E]
sub   rsa4096 2019-01-02 [S] [expires: 2026-01-23]
sub   rsa4096 2019-01-11 [S] [expires: 2026-01-23]
```

In any case, this should be resolved now. Do you still see the issue?