Sequoia PGP: What are the options for expired third party GPG signing keys?

Following Fedora’s migration to Sequoia PGP, it seems that it isn’t possible to import an expired signing key anymore.

rpm --import https://some.domain/public-keys/SOME_EXPIRED_RPM_KEY.public
error: Certificate <CERT_ID>:
 The certificate is expired: The primary key is not live
error: https://some.domain/public-keys/SOME_EXPIRED_RPM_KEY.public: key 1 import failed.

I’d like to know what a third party can do to allow older versions of a package to be installed despite the expired GPG key. To be precise, the GPG key is expired but not revoked, so it shouldn’t be an issue.
One option I’m aware of would be to re-sign older packages, but it involves changing the checksum of the package, which is a bad practice we’d like to avoid. Any suggestions? Or is it an issue to redirect to rpm-sequoia directly?

If you get no reply here, try to send an email to devel - Fedora Mailing-Lists or contact rpm-sequoia upstream.
