deb.torproject.org archive signing key expired
Hello, while trying to update Tor on Debian Wheezy I noticed that the gpg key used to sign the apt archive is now expired.
    pub 2048R/886DDD89 2009-09-04 [expires: 2014-09-03]
    Key fingerprint = A3C4 F0F9 79CA A22C DBA8 F512 EE8C BC9E 886D DD89
    uid deb.torproject.org archive signing key
    sub 2048R/219EC810 2009-09-04 [expires: 2014-08-29]
Thank you.
Trac:
Username: TorAmateurDev
Think this is the right component. Just got a report on the lists too...
https://lists.torproject.org/pipermail/tor-relays/2014-August/005205.html
Trac:
Component: - Select a component to Service - dist

You need to fetch the key again.
But that apparently isn't sufficient:
    $ gpg --edit-key 886DDD89
    gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    pub 2048R/886DDD89 created: 2009-09-04 expires: 2016-08-28 usage: SC
    trust: unknown validity: unknown
    sub 2048R/219EC810 created: 2009-09-04 expired: 2014-08-29 usage: S
    [ unknown] (1). deb.torproject.org archive signing key
It has a subkey still, and that subkey has expired.
Trac:
Cc: N/A to weasel

I have the same problem :-( Subkey expired. It was a fresh install.
    pi@raspberry ~/debian-packages $ gpg -v --list-keys
    gpg: using PGP trust model
    /home/pi/.gnupg/pubring.gpg
    ----
    gpg: NOTE: signature key 219EC810 expired Fri 29 Aug 2014 15:21:21 UTC
    pub 2048R/886DDD89 2009-09-04 [expires: 2016-08-28]
    uid deb.torproject.org archive signing key
    sub 2048R/219EC810 2009-09-04 [expired: 2014-08-29]
Trac:
Username: lucykrings

weasel is now aware of the issue, and says he'll get to it Sundayish.
I suggest adding a nagios alert set for a couple of weeks before the next key expiration date. Nagios can be configured to run this service check once per day... and it could even be something super simple like this:
    today_date=$(date +"%y%m%d")
    warning_date=$(date -d 2015-08-31 +"%y%m%d")
    # Warn once today's date reaches the hard-coded warning date
    if [ "$today_date" -ge "$warning_date" ]; then
        echo 'Warning: APT key expiration will happen soon'
        exit 1  # 1 is the Nagios WARNING return code
    else
        echo 'OK'
        exit 0
    fi
Trac:
Cc: weasel to weasel, intrigeri

Expiration date updated.
If people want their copy of the key updated via the deb.torproject.org-keyring package, they will have to apt-get update and upgrade before we either release the next set of debs or, if we don't do that any time soon, then no later than October 10th. (Right now the Release file is signed with the primary key. New releases will sign those files with the previously expired subkey.)
Of course users are always free to manually update their copy of the key from the keyserver network using
    gpg --keyserver keys.gnupg.net --recv 886DDD89
    gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
Trac:
Status: new to closed
Resolution: N/A to fixed
- Trac closed
- illia-v mentioned in issue tpo/tpa/team#40740 (closed)
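
Added example, not part of the original ticket or any participant's code: the monitoring check proposed in the thread compares against a hard-coded date, while the failure reported here was a subkey that expired after the primary key had already been extended. This sketch reads the expiry of the primary key and every subkey from gpg's colon listing instead; the function names, the sample listing and the 14-day threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: expiry check covering a key AND its subkeys, Nagios exit codes.

# Constructed sample of `gpg --with-colons --fixed-list-mode --list-keys`
# output, modelled on the state reported in this ticket. Times of day and
# the leading zeros of the subkey's long key ID are made up.
sample_listing() {
    cat <<'EOF'
pub:-:2048:1:EE8CBC9E886DDD89:1252022400:1472342400::-:::scSC:
fpr:::::::::A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89:
uid:-::::1252022400::::deb.torproject.org archive signing key:
sub:e:2048:1:00000000219EC810:1252022400:1409325681:::::s:
EOF
}

# check_key_expiry NOW_EPOCH WARN_DAYS   (colon listing on stdin)
# Field 7 of pub/sub records is the expiry time in epoch seconds; an empty
# field means the key never expires. Returns 0 OK, 1 WARNING, 2 CRITICAL.
check_key_expiry() {
    awk -F: -v now="$1" -v warn="$2" '
        ($1 == "pub" || $1 == "sub") && $7 != "" {
            left = int(($7 - now) / 86400)      # whole days remaining
            if ($7 <= now)        crit = crit " " $1 ":" $5 " expired"
            else if (left < warn) soon = soon " " $1 ":" $5 " expires in " left "d"
        }
        END {
            if (crit != "") { print "CRITICAL:" crit soon; exit 2 }
            if (soon != "") { print "WARNING:" soon; exit 1 }
            print "OK: nothing expires within " warn " days"
        }'
}

# Live use (assumes gpg is installed and the key is in the default keyring):
#   gpg --batch --with-colons --fixed-list-mode --list-keys 886DDD89 \
#       | check_key_expiry "$(date +%s)" 14
```
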