Closed Bug 309919 Opened 19 years ago Closed 19 years ago

Installer signed with expired PGP (GPG) key (Chase Phillips 6D1ECD07)

Categories

(Firefox :: Installer, defect)

1.0 Branch
x86
Linux
defect
Not set
trivial


RESOLVED FIXED

People

(Reporter: kenta, Unassigned)


Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

The installer files for 1.0.7 at the URL above are signed with a GPG key that
expired yesterday, 9/23/2005.  When a user attempts to verify the integrity of
the installer, he will receive a warning that the key is expired.

The key was not expired at the time the file was signed (9/20), assuming one
trusts the date encoded in the signature.

Reproducible: Always

Steps to Reproduce:
$ gpg --verify firefox-1.0.7.tar.gz.asc
gpg: Signature made Tue 20 Sep 2005 09:29:29 PM EDT using DSA key ID 6D1ECD07
gpg: Good signature from "Chase Phillips <cphillip@gmail.com>"
gpg: Note: This key has expired!
Primary key fingerprint: 2B75 7988 9C86 B6FA 4F31  18CD 24C4 8F80 6D1E CD07
Assignee: nobody → chase
Version: unspecified → 1.0 Branch
I have since created a new PGP key for 'releases@mozilla.org' and I am signing
releases with that new key.  What exactly about this is a bug?
I think this trivial bug can be closed now.

As for why it was a bug in the first place, one can make up some highly 
unrealistic scenario that the expiration date on the old key actually had some 
meaning, after which point evildoers have gained access to the private key and 
can release a signed Evil Firefox out to the world.
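The scenario above is exactly what a grep for "Good signature" misses: GnuPG 1.4 prints "Good signature" and only afterwards "Note: This key has expired!", so a script that keys on the first line accepts the installer, and the signature's creation time is written by whoever holds the private key. The check below is an added example, not code from this bug thread or from Mozilla's release tooling. It reads GnuPG's machine-readable `--status-fd` lines (EXPKEYSIG instead of GOODSIG for an expired key, VALIDSIG carrying the signature timestamp) and the key's expiry from `--with-colons --list-keys` output, and fails closed on an expired key unless the caller opts in to the weaker "signed before expiry" policy. The status lines, key listing and timestamps are constructed to match the report (signature on 2005-09-20 EDT, key expiring 2005-09-23); only the key id, fingerprint and user id are taken from the report.

```python
"""Fail-closed interpretation of `gpg --status-fd 1 --verify` output.

Usage in a pipeline (assumed, not shown in the bug):
    gpg --status-fd 1 --verify firefox-1.0.7.tar.gz.asc firefox-1.0.7.tar.gz
    gpg --with-colons --list-keys 6D1ECD07
The two outputs are fed to evaluate() below.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class Verdict:
    accepted: bool
    reason: str
    fingerprint: Optional[str] = None
    signed_at: Optional[datetime] = None
    key_expires_at: Optional[datetime] = None


def _utc(unix_ts: str) -> datetime:
    return datetime.fromtimestamp(int(unix_ts), tz=timezone.utc)


def key_expiry(colon_listing: str, fingerprint: str) -> Optional[datetime]:
    """Primary-key expiry from `gpg --with-colons --list-keys` output.

    In a 'pub' record field 5 is the long key id (last 16 hex digits of the
    fingerprint) and field 7 is the expiry as a Unix timestamp ('' = none).
    """
    long_id = fingerprint[-16:]
    for record in colon_listing.splitlines():
        f = record.split(":")
        if len(f) > 6 and f[0] == "pub" and f[4] == long_id:
            return _utc(f[6]) if f[6] else None
    return None


def evaluate(status_output: Iterable[str], colon_listing: str,
             accept_signed_before_expiry: bool = False) -> Verdict:
    """Decide whether to trust a signature from GnuPG status lines.

    GOODSIG + VALIDSIG is accepted; BADSIG/ERRSIG/REVKEYSIG are rejected;
    EXPKEYSIG is rejected unless the caller opts in, and then only if the
    signature's creation time (VALIDSIG field 3) predates the key's expiry.
    That timestamp is chosen by the signer, so the opt-in is the weaker policy.
    """
    sig_class = fpr = signed_at = None
    for line in status_output:
        if not line.startswith(STATUS_PREFIX):
            continue
        tokens = line[len(STATUS_PREFIX):].split()
        if not tokens:
            continue
        if tokens[0] in ("GOODSIG", "EXPKEYSIG", "BADSIG", "ERRSIG", "REVKEYSIG"):
            sig_class = tokens[0]
        elif tokens[0] == "VALIDSIG" and len(tokens) >= 4:
            fpr = tokens[1]            # full fingerprint of the signing key
            signed_at = _utc(tokens[3])  # signature creation time (signer-supplied)
    if sig_class in (None, "BADSIG", "ERRSIG"):
        return Verdict(False, "no good signature (%s)" % sig_class)
    if fpr is None or signed_at is None:
        return Verdict(False, "missing VALIDSIG line")
    expires = key_expiry(colon_listing, fpr)
    if sig_class == "REVKEYSIG":
        return Verdict(False, "signing key revoked", fpr, signed_at, expires)
    if sig_class == "GOODSIG":
        return Verdict(True, "good signature, key not expired", fpr, signed_at, expires)
    # EXPKEYSIG from here on.
    if not accept_signed_before_expiry:
        return Verdict(False, "signing key expired; rejected by policy", fpr, signed_at, expires)
    if expires is not None and signed_at < expires:
        return Verdict(True, "key expired after signing (timestamp is signer-supplied)",
                       fpr, signed_at, expires)
    return Verdict(False, "signature not dated before key expiry", fpr, signed_at, expires)


# Constructed inputs modelled on the bug report; not captured from a real run.
FPR = "2B7579889C86B6FA4F3118CD24C48F806D1ECD07"
UID = "Chase Phillips <cphillip@gmail.com>"
STATUS_EXPIRED = [   # signed 2005-09-21 01:29:29 UTC (20 Sep 21:29 EDT), key already expired at verify time
    "[GNUPG:] EXPKEYSIG 24C48F806D1ECD07 " + UID,
    "[GNUPG:] VALIDSIG %s 2005-09-21 1127266169 0 4 0 17 2 00 %s" % (FPR, FPR),
]
STATUS_BACKDATED = [  # same key, but the signer-chosen timestamp is after the expiry
    "[GNUPG:] EXPKEYSIG 24C48F806D1ECD07 " + UID,
    "[GNUPG:] VALIDSIG %s 2005-09-24 1127520000 0 4 0 17 2 00 %s" % (FPR, FPR),
]
STATUS_GOOD = [
    "[GNUPG:] GOODSIG 24C48F806D1ECD07 " + UID,
    "[GNUPG:] VALIDSIG %s 2005-09-21 1127266169 0 4 0 17 2 00 %s" % (FPR, FPR),
]
STATUS_BAD = ["[GNUPG:] BADSIG 24C48F806D1ECD07 " + UID]
# 'pub' record: expiry field 7 = 1127433600 (2005-09-23 00:00 UTC); creation date is made up.
KEYRING = ("pub:e:1024:17:24C48F806D1ECD07:1095000000:1127433600::-:::scESC:\n"
           "uid:e::::1095000000::0000000000000000000000000000000000000000::" + UID + ":\n")

if __name__ == "__main__":
    for name, st in (("expired", STATUS_EXPIRED), ("backdated", STATUS_BACKDATED),
                     ("good", STATUS_GOOD), ("bad", STATUS_BAD)):
        print(name, evaluate(st, KEYRING), evaluate(st, KEYRING, True).accepted)
```

The default policy rejects the 1.0.7 signature outright; only with the opt-in does the "signed on 9/20, expired on 9/23" reasoning from the report come into play, and the verdict text records that the ordering rests on a signer-supplied timestamp. Moving to a fresh, unexpired release key, as the next comment describes, removes the need for the opt-in.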
Mass reassign of open bugs for chase@mozilla.org to build@mozilla-org.bugs.
Assignee: chase → build
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED