Bug 1000027

Summary: validate-sat-cert.pl validates the entitlements certificate even if the PGP key has expired
Product: Red Hat Satellite 5
Reporter: Tomas Lestach <tlestach>
Component: Satellite Synchronization
Assignee: Tomáš Kašpárek <tkasparek>
Status: CLOSED WONTFIX
QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: unspecified
Priority: unspecified
Version: 560
Doc Type: Bug Fix
Last Closed: 2017-07-19 11:25:56 UTC
Type: Bug
Bug Blocks: 462714    

Description Tomas Lestach 2013-08-22 14:06:05 UTC
Description of problem:
validate-sat-cert.pl ignores the fact the PGP public key expired and successfully validates the entitlements certificate

Version-Release number of selected component (if applicable):
sat560

How reproducible:
always

Steps to Reproduce:
1. Our current pgp public key in webapp-keyring.gpg expires at: 2014-02-15

$ gpg --list-keys --no-default-keyring --keyring spacewalk/config/etc/webapp-keyring.gpg
spacewalk/config/etc/webapp-keyring.gpg
---------------------------------------
pub   1024D/06947932 2004-02-18 [expires: 2014-02-15]
uid                  Red Hat Network (Satellite Certificate Signing Key) <rhn-feedback>
sub   2048g/C71F2F5C 2004-02-18 [expires: 2014-02-15]

Let's set the current date after this date ...
# date -s 'Aug 01 2015'
Sat Aug  1 00:00:00 EDT 2015

2. validate current entitlements certificate
# validate-sat-cert --keyring=/etc/webapp-keyring.gpg /etc/sysconfig/rhn/rhn-entitlement-cert.xml && echo $?
gpg: Signature made Fri 07 Jun 2013 11:40:36 AM EDT using DSA key ID 06947932
gpg: Good signature from "Red Hat Network (Satellite Certificate Signing Key) <rhn-feedback>"
gpg: Note: This key has expired!
Primary key fingerprint: 3E7B 88A8 BD63 A59F FCD6  8B58 9E72 9DAF 0694 7932
Certificate validated successfully.
0

Actual results:
See the note - "gpg: Note: This key has expired!"
And return value: 0

Expected results:
The certificate actually should not be successfully validated; the validation should fail.
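
Added example, not part of the original report and not code from validate-sat-cert.pl: a fail-closed check that decides on gpg's machine-readable status lines, where a good signature from an expired key is reported as EXPKEYSIG instead of GOODSIG. It assumes the caller ran gpg with --status-fd and captured that stream; the function name classify and the sample status text are constructed for illustration.

```python
"""Classify `gpg --verify --status-fd` output; fail closed on expired keys."""

# Status keywords documented in GnuPG's doc/DETAILS.
ACCEPT = "GOODSIG"                      # good signature, key currently valid
REJECT = {
    "EXPKEYSIG": "signature is good but the signing key has expired",
    "EXPSIG": "signature itself has expired",
    "REVKEYSIG": "signing key has been revoked",
    "BADSIG": "signature does not match the data",
    "ERRSIG": "signature could not be checked",
}
PREFIX = "[GNUPG:] "


def classify(status_text, expected_keyid=None):
    """Return (ok, reason). ok is True only for exactly one clean GOODSIG."""
    good = []
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue                    # human-readable "gpg: ..." text is ignored
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in REJECT:           # any bad verdict anywhere rejects the file
            return False, REJECT[keyword]
        if keyword == ACCEPT and args:
            good.append(args[0].upper())
    if len(good) != 1:
        return False, "expected exactly one GOODSIG, saw %d" % len(good)
    if expected_keyid and not good[0].endswith(expected_keyid.upper()):
        return False, "signed by unexpected key " + good[0]
    return True, "good signature from " + good[0]


# Constructed sample status output (not captured from a real gpg run).
KEYID = "9E729DAF06947932"              # long key ID taken from the fingerprint in the report
UID = "Red Hat Network (Satellite Certificate Signing Key)"
VALID_KEY = "[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG %s %s\n" % (KEYID, UID)
EXPIRED_KEY = ("[GNUPG:] NEWSIG\n[GNUPG:] KEYEXPIRED 1392422400\n"
               "[GNUPG:] EXPKEYSIG %s %s\n" % (KEYID, UID))

if __name__ == "__main__":
    for name, sample in (("valid key", VALID_KEY), ("expired key", EXPIRED_KEY)):
        print(name, "->", classify(sample))
```
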

Comment 3 Tomas Lestach 2017-07-19 11:25:56 UTC
Based on Comment 1 I'm closing the BZ WONTFIX.