Expired key for deb.asc files

[nesc58]

Hi,
the key for signing and verifying the install files is expired.

Steps to reproduce:

1. Install the key

gpg --recv-key 18AD5014C99EF7E3BA5F6CE950BDD3E0FC8A365E
gpg: key 50BDD3E0FC8A365E: 7 signatures not checked due to missing keys
gpg: key 50BDD3E0FC8A365E: "CoreOS Application Signing Key <security@coreos.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

2. Download the .deb files

curl -L https://github.com/rkt/rkt/releases/download/v1.30.0/rkt_1.30.0-1_amd64.deb -o /tmp/rkt.deb
curl -L https://github.com/rkt/rkt/releases/download/v1.30.0/rkt_1.30.0-1_amd64.deb.asc -o /tmp/rkt.deb.asc

3. Try to verify

gpg --verify /tmp/rkt.deb.asc
gpg: assuming signed data in '/tmp/rkt.deb'
gpg: Signature made Mon 16 Apr 2018 11:50:05 AM CEST
gpg:                using RSA key 5B1053CE38EA2E0FEB956C0595BC5E3F3F1B2C87
gpg: Good signature from "CoreOS Application Signing Key <security@coreos.com>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: 18AD 5014 C99E F7E3 BA5F  6CE9 50BD D3E0 FC8A 365E
     Subkey fingerprint: 5B10 53CE 38EA 2E0F EB95  6C05 95BC 5E3F 3F1B 2C87

[squeed]

@ajeddeloh is working on it!

[darrenkearney]

I'm curious about the project and wanted to try out rkt on my Ubuntu system. I also came across this issue with the expired key for the Debian package.

Any luck signing the package with a new key? What's the story?

Thanks for your time!

[ajeddeloh]

@darrenkearney grab the new pubkey from https://coreos.com/security/ and it should be valid. We extended the subkeys still in use, the only one we didn't was the matchbox subkey, but those are now signed by dalton's personal key.

[onlyjob]

rkt packages are also in the official Debian repository where they are signed with current distro key(s).

[darrenkearney]

Thanks folks!