PGP key used to sign BB 4.2.0-0 shows expired?
In your instructions on verifying the source file, you mention D/L'g your key & importing into our keyring (in Linux, many use Seahorse).
If I made a mistake here, I apologize.
But when I d/l the latest key on SF & import it, gpg gives msg, "key D6D447B02B4D4C9D: "Andrew Ziem " not changed."
That is true - I had that key & gpg says it is expired (confirmed in my keyring app).
Now, I have a later? key for you that never expires, but gpg is saying the package bleachbit_4.2.0-0_all_ubuntu2004.deb, was SIGNED w/ the key (ID) above (ending in 4c9d).
The file I D/L'd: bleachbit_4.2.0-0_all_ubuntu2004.deb
Signature made Sat 30 Jan 2021 01:57:13 PM CST
gpg: using RSA key A9E582E4054A159315EDC943D6D447B02B4D4C9D
gpg: Good signature from "Andrew Ziem " [expired]
gpg: Note: This key has expired!
It appeared to expire on 05/24/2021.
The key I have that never expires has fingerprint
BEAD 694C 98D9 F228 1A9F 7487 5141 6DE6 0E68 87FD
It appears you need to re-sign packages released after the expiration date (if all were signed w/ expired key ID ending in 4c9d).
andrew
Sat, 06/26/2021 - 08:51
A search at pgp.key-server.io shows the key 2B4D4C9D was extended to May 2023 before it expired.
The BleachBit docs link to the gnupg.net keyserver, so I tried to check that, but it is temporarily down.
---
Andrew, lead developer
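Added example, not part of the thread or of BleachBit's documentation: a small Python classifier for the machine-readable lines printed by `gpg --status-fd 1 --verify`. It separates "good signature, but my local copy of the key is expired" (the case in the question) from a signature that must be rejected. The names `classify` and the verdict strings are hypothetical, the sample status lines are constructed from the key ID, fingerprint and dates quoted above, and it assumes a single signature with epoch-second timestamps.

```python
# Added example: interpret `gpg --status-fd 1 --verify` status lines.
from datetime import datetime, timezone

REJECT = {"BADSIG", "ERRSIG", "REVKEYSIG", "EXPSIG"}
VERDICTS = REJECT | {"GOODSIG", "EXPKEYSIG"}

# Constructed status output modelled on the post: key ID and fingerprint are
# the ones gpg printed there; timestamps are constructed from the quoted dates.
SAMPLE_STALE_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1621814400
[GNUPG:] EXPKEYSIG D6D447B02B4D4C9D Andrew Ziem
[GNUPG:] VALIDSIG A9E582E4054A159315EDC943D6D447B02B4D4C9D 2021-01-30 1612036633 0 4 0 1 8 00 A9E582E4054A159315EDC943D6D447B02B4D4C9D
"""

def _day(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d")

def classify(status_text):
    """Return (verdict, reason); verdict is 'good', 'refresh-key' or 'reject'."""
    result = sig_time = key_expiry = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in VERDICTS and result not in REJECT:
            result = keyword  # a rejecting keyword is never overwritten
        elif keyword == "KEYEXPIRED" and args and args[0].isdigit():
            key_expiry = int(args[0])
        elif keyword == "VALIDSIG" and len(args) > 2 and args[2].isdigit():
            sig_time = int(args[2])  # third argument: signature timestamp
    if result == "GOODSIG":
        return "good", "valid signature, key not expired in the local keyring"
    if result == "EXPKEYSIG":
        # Valid signature, but the local copy of the key says it has expired.
        # Fail closed until the key is refreshed and verification is re-run.
        if sig_time and key_expiry:
            order = "before" if sig_time < key_expiry else "after"
            return "refresh-key", (f"signed {_day(sig_time)}, {order} the "
                                   f"local key copy's expiry {_day(key_expiry)}")
        return "refresh-key", "signing key expired in the local keyring"
    return "reject", result or "no signature verdict in status output"

if __name__ == "__main__":
    print(classify(SAMPLE_STALE_KEY))
```

Once the keyring holds the copy of the key with the extended expiry described in the reply (for example after `gpg --refresh-keys`), the same verification reports `GOODSIG` instead of `EXPKEYSIG`.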