Open Cornelicorn opened 9 months ago
The subkey used for signing Release.gpg only has a valid signature from 2023-01-24 onwards
That doesn't look like the case to me - all the active signing subkeys show a creation date in 2019 for me:
pub rsa4096 2016-10-05 [SC]
72ECF46A56B4AD39C907BBB71646B01B86E50310
uid [ unknown] Yarn Packaging <yarn@dan.cx>
sub rsa4096 2016-10-05 [E]
sub rsa4096 2019-01-02 [S] [expires: 2026-01-23]
sub rsa4096 2019-01-11 [S] [expires: 2026-01-23]
In any case, this should be resolved now. Do you still see the issue?
I was trying to mirror the yarn debian repo with a tool called pom. This fails due to invalidity of the signatures of the debian yarn repo (See the bug report in pom, https://bugzilla.proxmox.com/show_bug.cgi?id=4919#c1).
The subkey used for signing
Release.gpg
only has a valid signature from2023-01-24
onwards while the signatureRelease.gpg
was performed on2022-05-15
.gpg
ignores this error and shows a valid signature and thusapt
doesn't have a problem with it, but the signature is not valid since the key was not valid at signature time, the expired signature at that time is missing from the current keyring.Can you please update the repo metadata, i.e. resign
Release.gpg
?