
Forums before death by AOL, social media and spammers... "We can't have nice things"

   linux.debian.bugs.dist      Ohh some weird Debian bug report thing      28,835 messages   


   Message 27,027 of 28,835   
   Julian Andres Klode to Johannes Kress   
   Bug#1127595: Apt allows expired keys for   
   10 Feb 26 10:20:01   
   
   From: jak@debian.org   
      
   Control: reassign -1 rust-sequoia-sqv   
   Control: tag -1 security   
      
   On Tue, Feb 10, 2026 at 09:02:47AM +0100, Johannes Kress wrote:   
   > Package: apt   
   > Version: 3.0.3   
   >   
   > When a key for an apt repo expires, the key will still be accepted by apt.
   > I tested it by setting up an apt repo and creating an expired key.
   > Then I run apt update with the debugging option for sqv on apt 3.0.3:
   >   
   > $ apt -oDebug::Acquire::sqv=true update
   > Hit:1 https://repos.example.com/deb stable InRelease
   > 0% [Working]Setting SEQUOIA_CRYPTO_POLICY=/usr/share/apt/defau
   t-sequoia.config
   > Executing /usr/bin/sqv --keyring /etc/apt/keyrings/expired.gpg /tmp/apt.sig.rBMAZ6 /tmp/apt.data.d4Yp1h --policy-as-of 2027-2-10
   > sqv exited with status 0
   > Got GOODSIG 5D276A38B044FF63B56B08669B60EA63B19DD085
   > sqv succeeded
   > All packages are up to date.
   >   
   > When using the same repo with apt 2.6.1 you got the following error:   
   >   
   > $ apt -oDebug::Acquire::gpgv=true update
   > Get:1 https://repos.example.com/deb stable InRelease [1204 B]
   > 0% [Working]inside VerifyGetSigners
   > Preparing to exec:  /usr/bin/apt-key --quiet --readonly --keyring /etc/apt/keyrings/expired.gpg verify --status-fd 3 /tmp/apt.sig.VDLBNK /tmp/apt.data.hS31kv
   > Read: [GNUPG:] NEWSIG
   > Read: [GNUPG:] KEY_CONSIDERED 5D276A38B044FF63B56B08669B60EA63B19DD085 0
   > Read: [GNUPG:] KEYEXPIRED 1770546861
   > Read: [GNUPG:] SIG_ID MCZNnca4nxaNt/A1F1XT6RADCbo 2026-02-03 1770114959
   > Read: [GNUPG:] KEY_CONSIDERED 5D276A38B044FF63B56B08669B60EA63B19DD085 0
   > Read: [GNUPG:] EXPKEYSIG 9B60EA63B19DD085 Repo Signing Key
   > Got EXPKEYSIG 9B60EA63B19DD085 Repo Signing Key !
   > Read: [GNUPG:] VALIDSIG 5D276A38B044FF63B56B08669B60EA63B19DD085 2026-02-03 1770114959 0 4 0 22 8 01 5D276A38B044FF63B56B08669B60EA63B19DD085
   > Got trusted VALIDSIG, key ID: 5D276A38B044FF63B56B08669B60EA63B19DD085
   > gpgv exited with status 0
   > Summary:
   >   Good:
   >   Valid: 5D276A38B044FF63B56B08669B60EA63B19DD085
   >   Bad:
   >   Worthless: EXPKEYSIG 9B60EA63B19DD085 Repo Signing Key
   >   SoonWorthless:
   >   NoPubKey:
   >   Signed-By:
   >   NODATA: no
   > Err:1 https://repos.example.com/deb stable InRelease
   >   The following signatures were invalid: EXPKEYSIG 9B60EA63B19DD085 Repo Signing Key
   > Reading package lists... Done
   > W: GPG error: https://repos.example.com/deb stable InRelease: The following signatures were invalid: EXPKEYSIG 9B60EA63B19DD085 Repo Signing Key
   > E: The repository 'https://repos.example.com/deb stable InRelease' is not signed.
   > N: Updating from such a repository can't be done securely, and is therefore disabled by default.
   > N: See apt-secure(8) manpage for repository creation and user configuration details.
   >   
   > I tested this on Debian 13 and Debian 12 with the latest updates installed.
      
   This is Sequoia's expected behavior provided the signature was created before   
   the key expiration. I don't think it's the most sensible notion but it's   
   outside of our control, as long as we don't want to patch that in Debian   
   to behave differently.   
      
   --   
   debian developer - deb.li/jak | jak-linux.org - free software dev   
   ubuntu core developer                              i speak de, en   
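The two verdicts in this thread differ on one timestamp comparison. The added example below (not from the bug report or from apt/Sequoia) parses the gpgv `--status-fd` lines quoted above, buckets them the way apt 2.6's summary does, and then applies the rule stated in the reply (signature made before key expiry stays good) to show why sqv returns GOODSIG for the same data. The `WORTHLESS` set and both verdict functions are a simplified model, not apt's actual code.

```python
import re

# Constructed sample: the gpgv --status-fd lines quoted in the report above.
GPGV_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 5D276A38B044FF63B56B08669B60EA63B19DD085 0
[GNUPG:] KEYEXPIRED 1770546861
[GNUPG:] SIG_ID MCZNnca4nxaNt/A1F1XT6RADCbo 2026-02-03 1770114959
[GNUPG:] EXPKEYSIG 9B60EA63B19DD085 Repo Signing Key
[GNUPG:] VALIDSIG 5D276A38B044FF63B56B08669B60EA63B19DD085 2026-02-03 1770114959 0 4 0 22 8 01 5D276A38B044FF63B56B08669B60EA63B19DD085
"""

# Status words filed under "Worthless" in this simplified model of apt's gpgv backend.
WORTHLESS = {"EXPKEYSIG", "EXPSIG", "REVKEYSIG"}

def parse_status(text):
    """Bucket status words apt-style and extract the two timestamps that decide the verdict."""
    s = {"Good": [], "Valid": [], "Bad": [], "Worthless": [], "NoPubKey": [],
         "key_expired_at": None, "sig_made_at": None}
    for line in text.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+)(?: (.*))?$", line)
        if not m:
            continue
        word, rest = m.group(1), m.group(2) or ""
        args = rest.split()
        if word == "GOODSIG":
            s["Good"].append(rest)
        elif word == "VALIDSIG":
            s["Valid"].append(args[0])
            s["sig_made_at"] = int(args[2])     # signature creation time (epoch seconds)
        elif word == "BADSIG":
            s["Bad"].append(rest)
        elif word == "NO_PUBKEY":
            s["NoPubKey"].append(rest)
        elif word in WORTHLESS:
            s["Worthless"].append(f"{word} {rest}")
        elif word == "KEYEXPIRED":
            s["key_expired_at"] = int(args[0])  # key expiry time (epoch seconds)
    return s

def gpgv_verdict(s):
    """apt 2.6 rule: any Worthless or Bad entry (here EXPKEYSIG) rejects the InRelease file."""
    return bool(s["Good"]) and not s["Worthless"] and not s["Bad"]

def sequoia_verdict(s):
    """Model of the rule in the reply: a signature made before the key expired stays good."""
    if s["sig_made_at"] is None:
        return False
    return s["key_expired_at"] is None or s["sig_made_at"] < s["key_expired_at"]

if __name__ == "__main__":
    st = parse_status(GPGV_STATUS)
    print("gpgv (apt 2.6) accepts:", gpgv_verdict(st), "| sequoia model accepts:", sequoia_verdict(st))
    print("signature made", st["key_expired_at"] - st["sig_made_at"], "s before the key expired")
```

Running it shows the signature predates the key's expiry by about five days, which is exactly the case where the two backends disagree.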
      
