openssh bugs - Nov 2024 - [Bug 3749] New: RELEASE_KEY.asc at https://www.openssh.com/portable.html is expired

https://bugzilla.mindrot.org/show_bug.cgi?id=3749

            Bug ID: 3749
           Summary: RELEASE_KEY.asc at
                    https://www.openssh.com/portable.html is expired
           Product: Portable OpenSSH
           Version: 9.9p1
          Hardware: Other
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Documentation
          Assignee: unassigned-bugs at mindrot.org
          Reporter: craig at unreasonablefarm.org

I imported the key mentioned:
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

And it seems it is rather expired.

I was trying to confirm the signature of downloaded source code.
> The release files are signed with the PGP public key contained in the file
RELEASE_KEY.asc on the ftp site.
After importing the release key above I get

pub   1024D/86FF9C48 2001-02-26 [revoked: 2013-12-10]
uid                  Damien Miller (Personal Key) <djm at mindrot.org>

pub   1024D/11B5748F 1999-05-23 [revoked: 2001-02-26]
uid                  Damien Miller <dmiller at vitnet.com.sg>
uid                  Damien Miller <dmiller at ilogic.com.au>
uid                  Damien Miller <djm at mindrot.org>

pub   1024D/691EF8DA 2001-02-26
uid                  Damien Miller (Personal Key) <djm at mindrot.org>
sub   1024g/AC69ED0C 2001-02-26

pub   3200R/6D920D30 2013-12-10 [expired: 2021-01-01]
uid                  Damien Miller <djm at mindrot.org>

pub   4096R/736060BA 2021-01-01
uid                  Damien Miller <djm at mindrot.org>
sub   4096R/74B39C46 2021-01-01

Just wondering if I am doing it wrong? Maybe the webpage is
out-of-date?

FWIW I am working on an out-dated system, centos-6:

# gpg --version
gpg (GnuPG) 2.0.14
libgcrypt 1.4.5

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3749

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|---                         |WORKSFORME

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
The final key in the chain is not expired:
> pub   4096R/736060BA 2021-01-01
> uid                  Damien Miller <djm at mindrot.org>
> sub   4096R/74B39C46 2021-01-01
Previous, expired/revoked, keys remain in the chain because they are
used to sign their replacements to provide continuity of trust.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3749

--- Comment #2 from craig at unreasonablefarm.org ---
Yeah, of course. Sorry I didn't see that.

I looked at the key because when I tried to confirm the signature on
the download it didn't work. I'll give it another try and report back.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.