dephpend
Expired certificate in verification signature
The signature on the latest release is signed using an expired certificate.
Verification
$ gpg2 --verify dephpend-0.8.0.phar.asc dephpend-0.8.0.phar
gpg: Signature made Sun May 2 14:09:30 2021 BST
gpg: using RSA key 44CC65DC01D2FC05AD6F3DBD76835C9464877BDD
gpg: issuer "[email protected]"
gpg: Can't check signature: No public key
Checking the cert provided on OpenPGP
$ curl -s "https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=44CC65DC01D2FC05AD6F3DBD76835C9464877BDD" | gpg2
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096 2019-07-14 [SC] [expired: 2020-07-13]
44CC65DC01D2FC05AD6F3DBD76835C9464877BDD
uid Michael Haeuslmann <[email protected]>
sub rsa4096 2019-07-14 [E] [expired: 2020-07-13]
Also shows as an issue installing with Phive
$ phive install dephpend
Phive 0.15.0 - Copyright (C) 2015-2021 by Arne Blankerts, Sebastian Heuer and Contributors
Downloading https://api.github.com/repos/mihaeu/dephpend/releases
Downloading https://github.com/mihaeu/dephpend/releases/download/0.8.0/dephpend-0.8.0.phar
Downloading https://github.com/mihaeu/dephpend/releases/download/0.8.0/dephpend-0.8.0.phar.asc
[ERROR] Signature could not be verified
[ERROR] unknown error code
Checking the key pulled by phive
$ gpg2 --list-keys --no-default-keyring --keyring ${HOME}/.phive/gpg/pubring.kbx | grep "44CC65DC01D2FC05AD6F3DBD76835C9464877BDD" -C2
pub rsa4096 2019-07-14 [SC] [expired: 2020-07-13]
44CC65DC01D2FC05AD6F3DBD76835C9464877BDD
uid [ expired] Michael Haeuslmann <[email protected]>
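To tell a signature made while the key was still valid apart from one made after the key had expired, as reported above, compare the signature time with the key's validity window from GnuPG's machine-readable `--with-colons` listing. This is an added example, not code from the issue author or the dephpend project; the sample listing is constructed from the dates shown above (times of day and the subkey ID/fingerprint are placeholder assumptions), and the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample of a `--with-colons` key listing for the key in this report.
# Dates match the listing above; midnight UTC and the zeroed subkey values are assumed.
SAMPLE_COLONS = """\
pub:e:4096:1:76835C9464877BDD:1563062400:1594598400::-:::sc::::::23::0:
fpr:::::::::44CC65DC01D2FC05AD6F3DBD76835C9464877BDD:
sub:e:4096:1:0000000000000000:1563062400:1594598400:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
"""

# "Signature made Sun May 2 14:09:30 2021 BST" is 13:09:30 UTC.
SIG_TIME = int(datetime(2021, 5, 2, 13, 9, 30, tzinfo=timezone.utc).timestamp())


def parse_keys(colons):
    """Map fingerprint -> validity window from pub/sub records and their fpr lines."""
    keys, pending = {}, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 11:
            # Field 6 = creation, field 7 = expiry (empty: never), field 12 = capabilities.
            pending = {"created": int(f[5]),
                       "expires": int(f[6]) if f[6] else None,
                       "caps": f[11]}
        elif f[0] == "fpr" and pending is not None and len(f) > 9:
            keys[f[9].upper()] = pending  # field 10 of an fpr record is the fingerprint
            pending = None
    return keys


def classify_signature(keys, fingerprint, sig_time):
    """Classify a signature timestamp against the signing key's validity window."""
    key = keys.get(fingerprint.upper())
    if key is None:
        return "no-public-key"
    if "s" not in key["caps"].lower():
        return "key-not-signing-capable"
    if sig_time < key["created"]:
        return "signed-before-key-creation"
    if key["expires"] is not None and sig_time >= key["expires"]:
        return "signed-after-key-expiry"
    return "signed-within-validity"


def days_past_expiry(keys, fingerprint, sig_time):
    """Whole days between key expiry and the signature, or None if not applicable."""
    key = keys.get(fingerprint.upper())
    if key is None or key["expires"] is None or sig_time < key["expires"]:
        return None
    return (sig_time - key["expires"]) // 86400
```

A `signed-after-key-expiry` result means the release was signed with a key that had already lapsed, so the fix is on the publisher's side (extend the expiry and republish the key, or re-sign), not a stale local keyring.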