About expiration dates in NoCeM PGP keys
From Julien ÉLIE <iulius@nom-de-mon-site.com.invalid> to news.admin.net-abuse.usenet,news.software.nntp on Thu Sep 18 23:25:11 2025
From Newsgroup: news.software.nntp
Hi all,

A few PGP keys used to sign NoCeM notices currently have an expiration
date. Once the date has passed, the notices are no longer processed,
unfortunately. The ones sent by the Eternal September NoCeM bot have been
in that situation for a few days. Others will follow.

I think that no expiration date should be put in PGP keys used for NoCeM
purposes (like the ones used for control articles in hierarchy management).
Updating such keys requires manual intervention from each news admin, so
it's not practical for them if they need to do that frequently.

Instead of the GOODSIG status, GnuPG sends an EXPKEYSIG status for valid
signatures that have expired.

So for the users of perl-nocem shipped with INN, in case you want to go
on processing notices signed with an expired PGP key, you may just want
to add this status in the script:
--- a/control/perl-nocem
+++ b/control/perl-nocem
@@ -536,7 +536,7 @@ sub pgp_check {
}
}
- if (/^\[GNUPG:\]\s+GOODSIG\s+\S+\s+(.*)/m) {
+ if (/^\[GNUPG:\]\s+(?:GOODSIG|EXPKEYSIG)\s+\S+\s+(.*)/m) {
return 1 if $1 =~ /\Q$issuer\E/i;
logmsg("Article $msgid: signed by $1 instead of $issuer for
$type");
} elsif (/^\[GNUPG:\]\s+NO_PUBKEY\s+(\S+)/m) {
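Review bot: in the changed condition, folding EXPKEYSIG into the same alternation as GOODSIG makes a signature from an expired key indistinguishable from one made with a valid key, for every issuer, and the `return 1` path leaves no log trace that acceptance relied on an expired key. Consider capturing the status keyword, calling logmsg when it is EXPKEYSIG, and gating that case behind an opt-in switch so that the default behaviour stays strict. If the keyword is captured, the signer moves from $1 to $2, so both the `=~ /\Q$issuer\E/i` test and the logmsg call in this hunk need updating to match.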
I have successfully tested the change.

Also, I'm wondering whether we should not add an option to perl-nocem to
accept notices signed with an expired PGP key (for instance "perl-nocem
-e"). It could then be used by news admins, if needed, without
modifying the code.
--
Julien ÉLIE

« Sol attigit talos. »
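Added example, not part of the original post and not perl-nocem's own code: a sketch of how the GOODSIG/EXPKEYSIG distinction could be kept while making expired-key acceptance opt-in, as the option suggested above would. The helper name classify_sig, the $accept_expired flag and the sample status lines (key IDs and user IDs) are all assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: classify GnuPG status output for one notice.
# $accept_expired models an opt-in switch such as the suggested "-e".
# Returns (verdict, reason) so the caller can log why a notice passed.
sub classify_sig {
    my ($status, $issuer, $accept_expired) = @_;

    if ($status =~ /^\[GNUPG:\]\s+(GOODSIG|EXPKEYSIG)\s+\S+\s+(.*)/m) {
        my ($kind, $signer) = ($1, $2);
        # The signer check applies to both statuses.
        return ('reject', "signed by $signer instead of $issuer")
            if $signer !~ /\Q$issuer\E/i;
        return ('accept', 'good signature') if $kind eq 'GOODSIG';
        # EXPKEYSIG: only accepted when the admin opted in, and the
        # reason string records that an expired key was involved.
        return $accept_expired
            ? ('accept', "expired key accepted for $issuer")
            : ('reject', "key of $issuer has expired");
    }
    if ($status =~ /^\[GNUPG:\]\s+NO_PUBKEY\s+(\S+)/m) {
        return ('reject', "missing public key $1");
    }
    return ('reject', 'no usable signature status');
}

# Constructed status lines; key IDs and addresses are made up.
my $issuer  = 'nocem@example.invalid';
my @samples = (
    '[GNUPG:] GOODSIG 0123456789ABCDEF nocem@example.invalid',
    '[GNUPG:] EXPKEYSIG 0123456789ABCDEF nocem@example.invalid',
    '[GNUPG:] EXPKEYSIG FEDCBA9876543210 other@example.invalid',
    '[GNUPG:] NO_PUBKEY 0011223344556677',
);

for my $accept_expired (0, 1) {
    for my $line (@samples) {
        my ($verdict, $why) = classify_sig($line, $issuer, $accept_expired);
        printf "accept_expired=%d  %-6s  %s\n", $accept_expired, $verdict, $why;
    }
}
```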