Bitcoin signing key by @laanwj expired on 2019-02-14 #15592

Stadicus opened this issue on March 13, 2019
  1. Stadicus commented at 1:09 PM on March 13, 2019: none

    The Bitcoin Core signing key hosted on bitcoin.org and bitcoincore.org by @laanwj expired on 2019-02-14.

    What behavior did you expect? After downloading Bitcoin Core and the signing key, I import the key into GPG and verify the sha256 hash of the binary. I would expect a valid signing key.

    What was the actual behavior (provide screenshots if the issue is GUI-related)? I get the error gpg: Note: This key has expired!

    How reliably can you reproduce the issue, what are the steps to do so? Very reliably, both from bitcoincore.org and bitcoin.org

    $ wget https://bitcoincore.org/bin/bitcoin-core-0.17.1/bitcoin-0.17.1-arm-linux-gnueabihf.tar.gz
    2019-03-13 13:03:33 (4.13 MB/s) - ‘bitcoin-0.17.1-arm-linux-gnueabihf.tar.gz’ saved [24317954/24317954]
    
    $ wget https://bitcoincore.org/bin/bitcoin-core-0.17.1/SHA256SUMS.asc
    2019-03-13 13:03:45 (112 MB/s) - ‘SHA256SUMS.asc’ saved [1957/1957]
    
    $ wget https://bitcoincore.org/keys/laanwj-releases.asc
    2019-03-13 13:03:57 (50.0 MB/s) - ‘laanwj-releases.asc’ saved [17940/17940]
    
    $ gpg --list-keys
    /home/admin/.gnupg/pubring.kbx
    ------------------------------
    pub   rsa2048 2009-09-04 [SC] [expires: 2022-08-05]
          A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
    uid           [ unknown] deb.torproject.org archive signing key
    sub   rsa2048 2009-09-04 [S] [expires: 2020-11-23]
    
    $ gpg --import ./laanwj-releases.asc
    gpg: key 90C8019E36C2E964: 25 signatures not checked due to missing keys
    gpg: key 90C8019E36C2E964: public key "Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    gpg: no ultimately trusted keys found
    
    $ gpg --list-keys
    /home/admin/.gnupg/pubring.kbx
    ------------------------------
    pub   rsa2048 2009-09-04 [SC] [expires: 2022-08-05]
          A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
    uid           [ unknown] deb.torproject.org archive signing key
    sub   rsa2048 2009-09-04 [S] [expires: 2020-11-23]
    
    pub   rsa4096 2015-06-24 [SC] [expired: 2019-02-14]
          01EA5486DE18A882D4C2684590C8019E36C2E964
    uid           [ expired] Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>
    
    $ gpg --verify SHA256SUMS.asc
    gpg: Signature made Tue Dec 25 08:03:05 2018 UTC
    gpg:                using RSA key 90C8019E36C2E964
    gpg: Good signature from "Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>" [expired]
    gpg: Note: This key has expired!
    Primary key fingerprint: 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964
    

    What type of machine are you observing the error on (OS/CPU and disk type)? Linux odroid 4.14.87-153 #1 SMP PREEMPT Tue Dec 11 11:33:18 -02 2018 armv7l armv7l armv7l GNU/Linux

  2. fanquake commented at 1:11 PM on March 13, 2019: member

    Thanks, however this is a duplicate of #15417. Please try gpg --refresh-keys.

  3. MarcoFalke commented at 3:00 PM on March 13, 2019: member

    It'd probably make sense to replace the binary key with a fingerprint. If someone can't fetch the key with the fingerprint from a keyserver, they also couldn't --refresh-keys.

  4. Stadicus commented at 3:49 PM on March 13, 2019: none

    Thanks. I guess it's not possible to provide a non-expired key for the already signed binaries. Would probably be helpful to have a current key that does not rely on refreshing on key servers for the next releases, if possible?

  5. Stadicus closed this on Mar 13, 2019

  6. MarcoFalke commented at 4:52 PM on March 13, 2019: member

    @Stadicus The key can be refreshed by bumping the expiry date, and that is the intended workflow.

    The rationale is that in case your subkey is compromised, it will expire on its own.

  7. laanwj commented at 6:01 PM on March 13, 2019: member

    I really don't get what you're asking, as far as I know I'm using GPG as intended. Setting expiry dates is an intentional procedure for any kind of key and I did bump the date (and push the updated key to keyservers) before the expiration date.

  8. laanwj commented at 6:18 PM on March 13, 2019: member

    > The Bitcoin Core signing key hosted on bitcoin.org and bitcoincore.org by @laanwj expired on 2019-02-14

    Ohh I think I get it now, there's a key hosted on those sites, and you want those updated? FWIW this is the wrong place,

    Submitted PRs.

  9. laanwj referenced this in commit e26f500bba on Mar 13, 2019
  10. Stadicus commented at 6:50 PM on March 13, 2019: none

    Thanks a lot, and sorry for this less than optimally submitted issue.

  11. laanwj referenced this in commit 4df10302b9 on Mar 18, 2019
  12. DrahtBot locked this on Dec 16, 2021
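
An added example, not part of the thread or of the Bitcoin Core project: a POSIX shell filter over `gpg --status-fd 1 --verify` output that pins the release key fingerprint quoted in the issue and separates a stale local key copy (`EXPKEYSIG`, the case reported here) from a bad signature or a signature by some other key in the keyring. The status lines in `sample_status` are constructed from the transcript above; the function names and verdict strings are this example's own.

```sh
#!/bin/sh
# Added example: classify machine-readable gpg status output for a release
# signature against a pinned primary-key fingerprint (single signature assumed).

# Fingerprint as printed by gpg in the issue; confirm it out of band before pinning.
PINNED_FPR=01EA5486DE18A882D4C2684590C8019E36C2E964

# classify_status FPR  (reads `gpg --status-fd 1 --verify FILE` output on stdin)
classify_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }                 # skip human-readable lines
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "GOODSIG"   { good = 1 }            # valid signature, key usable
        $2 == "EXPKEYSIG" { expired = 1 }         # valid signature, local key copy expired
        $2 == "VALIDSIG"  { primary = $12 }       # last field: primary key fingerprint
        END {
            if (bad)             { print "REJECT_BAD_SIGNATURE"; exit }
            if (primary == "")   { print "REJECT_NO_VALID_SIGNATURE"; exit }
            if (primary != want) { print "REJECT_WRONG_KEY"; exit }
            if (good)            { print "OK"; exit }
            if (expired)         { print "REFRESH_KEY_AND_REVERIFY"; exit }
            print "REJECT_NO_VALID_SIGNATURE"
        }'
}

# Constructed status lines modelled on the transcript in the issue (not captured output).
sample_status() {
    case "$1" in expired) kind=EXPKEYSIG ;; *) kind=GOODSIG ;; esac
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] $kind 90C8019E36C2E964 Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>
[GNUPG:] VALIDSIG $PINNED_FPR 2018-12-25 1545724985 0 4 0 1 8 01 $PINNED_FPR
EOF
}

# Real use: gpg --status-fd 1 --verify SHA256SUMS.asc 2>/dev/null | classify_status "$PINNED_FPR"
sample_status expired | classify_status "$PINNED_FPR"    # stale key copy, as reported
sample_status good    | classify_status "$PINNED_FPR"    # after the key was refreshed
```

A verdict of `OK` covers only the signature on `SHA256SUMS.asc`; the tarball's SHA-256 still has to match its entry in that file.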

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-16 18:14 UTC