Bug 1000027 - validate-sat-cert.pl validates the entitlements certificate even if the PGP key has been expired
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Satellite Synchronization
Assigned To: Tomáš Kašpárek
Red Hat Satellite QA List
Blocks: 462714
Reported: 2013-08-22 10:06 EDT by Tomas Lestach
Modified: 2017-07-19 07:25 EDT

Doc Type: Bug Fix
Last Closed: 2017-07-19 07:25:56 EDT
Type: Bug

Description Tomas Lestach 2013-08-22 10:06:05 EDT
Description of problem:
validate-sat-cert.pl ignores the fact the PGP public key expired and successfully validates the entitlements certificate

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Our current pgp public key in webapp-keyring.gpg expires at: 2014-02-15

$ gpg --list-keys --no-default-keyring --keyring spacewalk/config/etc/webapp-keyring.gpg
pub   1024D/06947932 2004-02-18 [expires: 2014-02-15]
uid                  Red Hat Network (Satellite Certificate Signing Key) <rhn-feedback@redhat.com>
sub   2048g/C71F2F5C 2004-02-18 [expires: 2014-02-15]

Let's set the current date after this date ...
# date -s 'Aug 01 2015'
Sat Aug  1 00:00:00 EDT 2015

2. validate current entitlements certificate
# validate-sat-cert --keyring=/etc/webapp-keyring.gpg /etc/sysconfig/rhn/rhn-entitlement-cert.xml && echo $?
gpg: Signature made Fri 07 Jun 2013 11:40:36 AM EDT using DSA key ID 06947932
gpg: Good signature from "Red Hat Network (Satellite Certificate Signing Key) <rhn-feedback@redhat.com>"
gpg: Note: This key has expired!
Primary key fingerprint: 3E7B 88A8 BD63 A59F FCD6  8B58 9E72 9DAF 0694 7932
Certificate validated successfully.

Actual results:
See the note - "gpg: Note: This key has expired!"
And return value: 0

Expected results:
The certificate actually should not be successfully validated, the validation should fail.
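
The expired-key case reported above can be told apart from a plain good signature by reading gpg's machine-readable status lines instead of its exit code. The following is an added example, not part of the bug report and not code from validate-sat-cert; it assumes the verification step is run with gpg's `--status-fd` option, and the function names and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: judge a signature from `gpg --status-fd 1 --verify ...` output.
# GnuPG reports a good signature from an expired key as EXPKEYSIG, not GOODSIG.
RHN_FPR=3E7B88A8BD63A59FFCD68B589E729DAF06947932   # fingerprint shown in the report

# check_gpg_status FPR: reads status lines on stdin, prints ACCEPT or REJECT,
# and returns 0 only for one good, unexpired signature from the pinned key.
check_gpg_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]"  { next }
        $2 == "GOODSIG"   { good++ }
        $2 == "VALIDSIG"  { valid++; if ($3 == want || $NF == want) pinned++ }
        $2 == "EXPKEYSIG" { why = why " signing-key-expired" }
        $2 == "REVKEYSIG" { why = why " signing-key-revoked" }
        $2 == "EXPSIG"    { why = why " signature-expired" }
        $2 == "BADSIG"    { why = why " bad-signature" }
        $2 == "ERRSIG"    { why = why " signature-not-checkable" }
        END {
            if (why == "" && (good != 1 || valid != 1)) why = " no-single-good-signature"
            if (why == "" && pinned != 1)               why = " unexpected-fingerprint"
            if (why != "") { print "REJECT:" why; exit 1 }
            print "ACCEPT"
        }'
}

# Constructed status output (not captured from a real run): good signature, expired key.
sample_expired() {
    cat <<'EOF'
[GNUPG:] KEYEXPIRED 1392422400
[GNUPG:] EXPKEYSIG 9E729DAF06947932 Red Hat Network (Satellite Certificate Signing Key) <rhn-feedback@redhat.com>
[GNUPG:] VALIDSIG 3E7B88A8BD63A59FFCD68B589E729DAF06947932 2013-06-07 1370619636 0 3 0 17 2 00 3E7B88A8BD63A59FFCD68B589E729DAF06947932
EOF
}

# Constructed status output: the same signature while the key is still valid.
sample_good() {
    cat <<'EOF'
[GNUPG:] GOODSIG 9E729DAF06947932 Red Hat Network (Satellite Certificate Signing Key) <rhn-feedback@redhat.com>
[GNUPG:] VALIDSIG 3E7B88A8BD63A59FFCD68B589E729DAF06947932 2013-06-07 1370619636 0 3 0 17 2 00 3E7B88A8BD63A59FFCD68B589E729DAF06947932
EOF
}

sample_good    | check_gpg_status "$RHN_FPR" || true   # ACCEPT
sample_expired | check_gpg_status "$RHN_FPR" || true   # REJECT: signing-key-expired
```

VALIDSIG is still emitted when the key has expired, so the check requires GOODSIG as well and does not rely on VALIDSIG alone.
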
Comment 3 Tomas Lestach 2017-07-19 07:25:56 EDT
Based on Comment 1 I'm closing the BZ WONTFIX.
