Relax the self-signature requirement.

[nwalfield]

• When we verify a data signature, we canonicalize the signer's certificate to look as it did at the time of the data signature.

• When exporting a certificate, GnuPG strips old self signatures.

• This means that when a certificate's expiration time is extended, say, we are no longer able to verify old data signatures, because the certificate is not considered to be valid as of the data signature's creation time!

• Relax this requirement. Also allow a certificate, if it can be canonicalized as of the current time.

• Fixes RPM distrusts signatures done by previous versions of prolonged keys #50.

[github-actions]

Triggered from #52 by @nwalfield.

Checking if we can fast forward main (9a5a387) to neal/issue-50 (a22932d).

Target branch (main):

commit 9a5a387979713c112ff7abb775ec88608647c24e (HEAD -> main, origin/main, origin/HEAD)
Author: Neal H. Walfield <[email protected]>
Date:   Thu Aug 24 17:26:10 2023 +0200

    Add the fast-forward action.
    
      - Add the `fast-forward` action to show if fast forwarding a pull
        request is possible, and to actually do a fast-forward merge when an
        authorized user adds a comment containing `/fast-forward` to the
        pull request.

Pull request (neal/issue-50):

commit a22932dba43b4524adbeb3576839f75cac4d894e (pull_request/neal/issue-50)
Author: Neal H. Walfield <[email protected]>
Date:   Thu Aug 24 17:31:24 2023 +0200

    Relax the self-signature requirement.
    
      - When we verify a data signature, we canonicalize the signer's
        certificate to look as it did at the time of the data signature.
    
      - When exporting a certificate, GnuPG strips old self signatures.
    
      - This means that when a certificate's expiration time is extended,
        say, we are no longer able to verify old data signatures, because
        the certificate is not considered to be valid as of the data
        signature's creation time!
    
      - Relax this requirement.  Also allow a certificate, if it can be
        canonicalized as of the current time.
    
      - Fixes #50.

It is possible to fast forward main (9a5a387) to neal/issue-50 (a22932d). If you have write access to the target repository, you can add a comment with /fast-forward to fast forward main to neal/issue-50.

[github-actions]

Triggered from #52 by @nwalfield.

Checking if we can fast forward main (9a5a387) to neal/issue-50 (ed4d12b).

Target branch (main):

commit 9a5a387979713c112ff7abb775ec88608647c24e (HEAD -> main, origin/main, origin/HEAD)
Author: Neal H. Walfield <[email protected]>
Date:   Thu Aug 24 17:26:10 2023 +0200

    Add the fast-forward action.
    
      - Add the `fast-forward` action to show if fast forwarding a pull
        request is possible, and to actually do a fast-forward merge when an
        authorized user adds a comment containing `/fast-forward` to the
        pull request.

Pull request (neal/issue-50):

commit ed4d12beaea8aa7331c232d3444e89a41f43662a (pull_request/neal/issue-50)
Author: Neal H. Walfield <[email protected]>
Date:   Thu Aug 24 17:31:24 2023 +0200

    Relax the self-signature requirement.
    
      - When we verify a data signature, we canonicalize the signer's
        certificate to look as it did at the time of the data signature.
    
      - When exporting a certificate, GnuPG strips old self signatures.
    
      - This means that when a certificate's expiration time is extended,
        say, we are no longer able to verify old data signatures, because
        the certificate is not considered to be valid as of the data
        signature's creation time!
    
      - Relax this requirement.  Also allow a certificate, if it can be
        canonicalized as of the current time.
    
      - Fixes #50.

It is possible to fast forward main (9a5a387) to neal/issue-50 (ed4d12b). If you have write access to the target repository, you can add a comment with /fast-forward to fast forward main to neal/issue-50.

[nwalfield]

/fast-forward

[github-actions]

Triggered from #52 (comment) by @nwalfield.

Trying to fast forward main (9a5a387) to neal/issue-50 (ed4d12b).

Target branch (main):

commit 9a5a387979713c112ff7abb775ec88608647c24e (HEAD -> main, origin/main, origin/HEAD)
Author: Neal H. Walfield <[email protected]>
Date:   Thu Aug 24 17:26:10 2023 +0200

    Add the fast-forward action.
    
      - Add the `fast-forward` action to show if fast forwarding a pull
        request is possible, and to actually do a fast-forward merge when an
        authorized user adds a comment containing `/fast-forward` to the
        pull request.

Pull request (neal/issue-50):

commit ed4d12beaea8aa7331c232d3444e89a41f43662a (pull_request/neal/issue-50)
Author: Neal H. Walfield <[email protected]>
Date:   Thu Aug 24 17:31:24 2023 +0200

    Relax the self-signature requirement.
    
      - When we verify a data signature, we canonicalize the signer's
        certificate to look as it did at the time of the data signature.
    
      - When exporting a certificate, GnuPG strips old self signatures.
    
      - This means that when a certificate's expiration time is extended,
        say, we are no longer able to verify old data signatures, because
        the certificate is not considered to be valid as of the data
        signature's creation time!
    
      - Relax this requirement.  Also allow a certificate, if it can be
        canonicalized as of the current time.
    
      - Fixes #50.

Fast forwarding main (9a5a387) to neal/issue-50 (ed4d12b).

$ git push origin ed4d12beaea8aa7331c232d3444e89a41f43662a:main
To https://github.com/rpm-software-management/rpm-sequoia.git
   9a5a387..ed4d12b  ed4d12beaea8aa7331c232d3444e89a41f43662a -> main