[Catalog-sig] getting the public key when --sign is used

Donald Stufft donald.stufft at gmail.com
Tue Nov 20 18:49:25 CET 2012

On Tuesday, November 20, 2012 at 3:41 AM, M.-A. Lemburg wrote:
> For the second requirement, updating the .asc file would be
> a solution. Alternatively, the packagers could check the revocation
> date and then still allow packages to be installed which were signed
> before the revocation happened.

No, if a key is revoked it can no longer be used. I may discover that 
my key has been compromised months after it was actually compromised
I would then revoke it. I have no idea if the person who (in the hypothetical)
signed any packages with my key, or for how long they've been doing so.

Once a key is revoked you must not trust it for anything.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20121120/5505058e/attachment.html>

More information about the Catalog-SIG mailing list