Bug 1043276

Summary: release key N should be signed by release key N-1
Product: [Fedora] Fedora Reporter: Josh Cogliati <jrincayc>
Component: sigulAssignee: Miloslav Trmač <mitr>
Status: CLOSED CANTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: dennis, mitr, zbyszek
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-02-23 15:50:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Josh Cogliati 2013-12-15 15:55:46 UTC 
Description of problem:
The release keys at https://fedoraproject.org/keys are self signed.  I think that the release keys should be signed by the previous version.  

Version-Release number of selected component (if applicable):
fedora-release-19-5.noarch

How reproducible:
Very.

Steps to Reproduce:
1. wget https://fedoraproject.org/static/246110C1.txt
2. gpg --import 246110C1.txt
3. gpg --check-sigs 246110C1

Actual results:
pub   4096R/246110C1 2013-05-16
uid                  Fedora (20) <fedora>
sig!3        246110C1 2013-05-16  Fedora (20) <fedora>


Expected results something like:
pub   4096R/246110C1 2013-05-16
uid                  Fedora (20) <fedora>
sig!3        246110C1 2013-05-16  Fedora (20) <fedora>
sig!         FB4B18E6 2013-05-16  Fedora (19) <fedora>

Additional info:
I expected that the Fedora (20) key should have been signed by the Fedora (19) key.  This would let me verify that somehow or other the Fedora (20) key I am downloading has not been substituted.  

This has been complained about on the web at
http://www.reddit.com/r/linux/comments/rfvhl/why_arent_the_fedora_gpg_keys_signed_question_in/
Comment 1 Dennis Gilmore 2013-12-16 21:55:22 UTC 
Reassigning to sigul because AFAIK it doesn't allow us to sign other keys. note that we are shipping keys for newer rleases in older releases fedora-release packages. you can build trust that way.
Comment 2 Fedora End Of Life 2015-05-29 09:59:58 UTC 
This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 20 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 3 Josh Cogliati 2015-05-29 12:09:51 UTC 
Still in Fedora 22
$ gpg --check-sigs 8E1431D5 A29CB19C
pub   4096R/8E1431D5 2014-07-09
uid                  Fedora (22) <fedora>
sig!3        8E1431D5 2014-07-09  Fedora (22) <fedora>

pub   4096R/A29CB19C 2014-07-09
uid                  Fedora Secondary (22) <fedora>
sig!3        A29CB19C 2014-07-09  Fedora Secondary (22) <fedora>
sub   4096g/9A007DB4 2014-07-09
sig!         A29CB19C 2014-07-09  Fedora Secondary (22) <fedora>
Comment 4 Dennis Gilmore 2016-02-23 15:50:29 UTC 
We do not have access to the keys to be able to fulfill this request.