Comment 2 for bug 356012

Michael Vogt (mvo) wrote : Re: [SECURITY] APT does not properly handle expired or revoked key signatures

So it seems like the check for VALIDSIG is incorrect (also the doc/DETAILS says:
   VALIDSIG <fingerprint in hex> <sig_creation_date> <sig-timestamp>
                <expire-timestamp> <sig-version> <reserved> <pubkey-algo>
                <hash-algo> <sig-class> <primary-key-fpr>

        The signature with the keyid is good. This is the same as
        GOODSIG but has the fingerprint as the argument.
)

The doc for GOODSIG says:
   GOODSIG <long keyid> <username>
        The signature with the keyid is good. For each signature only
        one of the three codes GOODSIG, BADSIG or ERRSIG will be
        emitted and they may be used as a marker for a new signature.
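As an added illustration of the point the comment makes (this is example code written for this page, not APT's verifier and not part of the bug report), the following parses the `--status-fd` lines gpg emits and accepts a fingerprint only when a VALIDSIG record is present, its expire-timestamp has not passed, and no rejecting code appears in the same run. It assumes that gpg emits VALIDSIG for cryptographically good signatures even when the signing key is expired or revoked (those cases are reported by EXPKEYSIG / REVKEYSIG alongside it), which is exactly why a check that only looks for VALIDSIG is too weak. The status output below is constructed; the fingerprints and key IDs are placeholders.

```python
import time

STATUS_PREFIX = "[GNUPG:] "

# Status keywords that must cause the whole verification to be rejected.
# EXPSIG, EXPKEYSIG, REVKEYSIG and NO_PUBKEY are real gpg status codes not
# quoted on this page; their presence here is the point of the example.
REJECT_CODES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_status(status_text):
    """Split gpg --status-fd output into (keyword, [args]) records."""
    records = []
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        parts = line[len(STATUS_PREFIX):].split()
        if parts:
            records.append((parts[0], parts[1:]))
    return records


def valid_fingerprints(status_text, now=None):
    """Return the sorted fingerprints that may be trusted, or [] on any rejection.

    A VALIDSIG line is only trusted when:
      * no rejecting keyword (bad/expired/revoked/unknown key) was emitted, and
      * its <expire-timestamp> field is 0 (never expires) or still in the future.
    Assumption: timestamps are epoch seconds, the common gpg output form.
    """
    now = time.time() if now is None else now
    records = parse_status(status_text)

    if {kw for kw, _ in records} & REJECT_CODES:
        # Coarse on purpose: one bad or expired signature poisons the result,
        # the safe default for a package-repository verifier.
        return []

    trusted = set()
    for kw, args in records:
        if kw != "VALIDSIG" or len(args) < 4:
            continue  # VALIDSIG needs at least fpr, date, sig-ts, expire-ts
        fingerprint, _sig_date, _sig_ts, expire_ts = args[:4]
        if not expire_ts.isdigit():
            continue  # unexpected format: do not guess, do not trust
        if expire_ts != "0" and int(expire_ts) <= now:
            continue  # signature itself has expired
        trusted.add(fingerprint.upper())
    return sorted(trusted)


# Constructed sample outputs (placeholder key IDs / fingerprints).
FPR = "0000111122223333444455556666777788889999"
NOW = 1300000000  # fixed "current time" so results are deterministic

GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Key <key@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2009-04-05 1238889600 0 4 0 1 2 00 {FPR}\n"
)
EXPIRED_KEY = GOOD.replace("GOODSIG", "EXPKEYSIG")          # key expired, VALIDSIG still emitted
REVOKED_KEY = GOOD.replace("GOODSIG", "REVKEYSIG")          # key revoked, VALIDSIG still emitted
EXPIRED_SIG = GOOD.replace(" 1238889600 0 4 ", " 1238889600 1250000000 4 ")  # signature expiry in the past
BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF Example Key <key@example.invalid>\n"


if __name__ == "__main__":
    for name, text in [("good", GOOD), ("expired key", EXPIRED_KEY),
                       ("revoked key", REVOKED_KEY), ("expired sig", EXPIRED_SIG), ("bad", BAD)]:
        print(f"{name:12s} -> {valid_fingerprints(text, now=NOW)}")
```

Only the first sample yields a trusted fingerprint; the other four return an empty list even though three of them still contain a syntactically perfect VALIDSIG line.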