PGP key expiration #1016

@tianon

Looks like https://bugs.mysql.com/bug.php?id=85029 has resurged today with an expiration of the PGP key used for signing MySQL releases. 😅

It appears that RPM/DNF/YUM don't mind the key being expired, but APT sure does, and fails our (re)builds on 8.0 and 5.7 (Debian-based images).

@ltangvald do you think there's a chance of this key getting a renewed expiration date? If not, we'll probably consider applying something like https://github.com/debuerreotype/debuerreotype/blob/60b625d1ce31bd81525bb67fc3a33f9686bc3433/scripts/.gpgv-ignore-expiration.sh during our build instead (so we still get the cryptographic benefits of PGP but without honoring/failing on the expiration date).

For reference:

root@dddeed483b62:/# wget -qO- 'https://repo.mysql.com/RPM-GPG-KEY-mysql-2022' | gpg --import
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 467B942D3A79BD29: public key "MySQL Release Engineering <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
root@dddeed483b62:/# wget -qO- 'https://repo.mysql.com/RPM-GPG-KEY-mysql' | gpg --import
gpg: key 8C718D3B5072E1F5: public key "MySQL Release Engineering <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
root@dddeed483b62:/# gpg --fingerprint
/root/.gnupg/pubring.kbx
------------------------
pub   rsa4096 2021-12-14 [SC] [expired: 2023-12-14]
      859B E8D7 C586 F538 430B  19C2 467B 942D 3A79 BD29
uid           [ expired] MySQL Release Engineering <[email protected]>

pub   dsa1024 2003-02-03 [SCA] [expired: 2022-02-16]
      A4A9 4068 76FC BD3C 4567  70C8 8C71 8D3B 5072 E1F5
uid           [ expired] MySQL Release Engineering <[email protected]>
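An added example, not part of the original issue or of the project's build scripts: a pre-build check that reads `gpg --with-colons` records and reports primary keys that are expired or close to expiry, so a Debian-based build can flag the problem before APT rejects the repository. The function names, the warning window, and the sample records are assumptions; the sample timestamps are constructed as midnight UTC on the dates in the listing above.

```shell
#!/bin/sh
# Added example: report signing keys that are expired or near expiry.
# Assumes gpg >= 2.1 colon output, where dates are seconds since the epoch.

# Constructed sample shaped like `gpg --with-colons --fingerprint` output
# for the two keys listed above (timestamps rounded to midnight UTC).
sample_keys() {
cat <<'EOF'
pub:e:4096:1:467B942D3A79BD29:1639440000:1702512000::-:::sc::::::23::0:
fpr:::::::::859BE8D7C586F538430B19C2467B942D3A79BD29:
uid:e::::1639440000::::MySQL Release Engineering::::::::::0:
pub:e:1024:17:8C718D3B5072E1F5:1044230400:1644969600::-:::sca::::::23::0:
fpr:::::::::A4A9406876FCBD3C456770C88C718D3B5072E1F5:
EOF
}

# key_expiry_report NOW_EPOCH WARN_DAYS   (colon records on stdin)
# Prints "<STATUS> <fingerprint> <expiry-epoch|never>" per primary key.
# The expiry is compared against NOW_EPOCH rather than trusting field 2,
# so the same records can be evaluated for any point in time.
key_expiry_report() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 == "pub" { expiry = $7; want_fpr = 1; next }
        $1 == "sub" { want_fpr = 0; next }      # skip subkey fingerprints
        $1 == "fpr" && want_fpr {
            want_fpr = 0
            if (expiry == "")                        status = "OK"
            else if (expiry + 0 <= now + 0)          status = "EXPIRED"
            else if (expiry - now <= warn * 86400)   status = "EXPIRING"
            else                                     status = "OK"
            print status, $10, (expiry == "" ? "never" : expiry)
        }'
}

# keys_all_ok NOW_EPOCH WARN_DAYS
# Returns 0 only if at least one key was parsed and every key is OK;
# returns 2 when nothing was parsed, so an empty keyring fails closed.
keys_all_ok() {
    report=$(key_expiry_report "$1" "$2") || return 2
    [ -n "$report" ] || return 2
    ! printf '%s\n' "$report" | grep -qv '^OK '
}

# Stand-alone run: evaluate the sample against the current time, 30-day window.
sample_keys | key_expiry_report "$(date +%s)" 30
```

In a real build, replace `sample_keys` with `gpg --batch --with-colons --fingerprint` run against the keyring the image trusts, and fail or alert when `keys_all_ok` returns non-zero.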
