Shouldn't RPM treat the revoked (sub)key(s) as no longer valid? I'm trying to fix the simple use case with the only revoked subkey. IOW after importing:
sec  rsa4096/D8D1E0ECD0EE67F7
     created: 2021-03-24  expires: 2023-03-24  usage: C   
     trust: ultimate      validity: ultimate
The following key was revoked on 2021-03-24 by RSA key D8D1E0ECD0EE67F7 Dmitry Antipov <dantipov@cloudlinux.com>
ssb  rsa3072/03CB9273F10DB1D4
     created: 2021-03-24  revoked: 2021-03-24  usage: S   
[ultimate] (1). Dmitry Antipov <dantipov@cloudlinux.com>
[ultimate] (2)  CloudLinux, Inc. <info@cloudlinux.com>
 
the package previously signed as:
Signature   : RSA/SHA256, Wed Mar 24 12:16:55 2021, Key ID 03cb9273f10db1d4
 
should not pass verification:
$ rpm -K foo-1.0-1.x86_64.rpm 
foo-1.0-1.x86_64.rpm: digests SIGNATURES NOT OK
 
and a warning should be issued during installation:
$ rpm -i foo-1.0-1.x86_64.rpm 
warning: foo-1.0-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID f10db1d4: NOKEY
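
The check asked for above, sketched outside RPM as an added example (not code from the post or from RPM). It assumes the same key has also been imported into a GnuPG keyring and that the output of `gpg --with-colons --list-keys` is available; the function names and verdict labels are hypothetical.

```python
import re

# Constructed sample of `gpg --with-colons --list-keys` for the key in the
# post; timestamps and trailing fields are illustrative, not real output.
GPG_COLONS = """\
pub:u:4096:1:D8D1E0ECD0EE67F7:1616544000:1679616000::u:::cC::::::23::0:
sub:r:3072:1:03CB9273F10DB1D4:1616544000::::::s::::::23:
"""
# Signature line as printed by rpm for the package in the post.
SIG_LINE = "Signature   : RSA/SHA256, Wed Mar 24 12:16:55 2021, Key ID 03cb9273f10db1d4"

KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})")
# Field 2 of a pub/sub record is the validity letter; these mean "do not trust".
BAD = {"r": "REVOKED", "e": "EXPIRED", "d": "DISABLED", "i": "INVALID"}


def key_validity(colons):
    """Return {KEYID: validity letter} for every primary key and subkey."""
    table, primary = {}, None
    for line in colons.splitlines():
        f = line.split(":")
        if len(f) < 5 or f[0] not in ("pub", "sub"):
            continue
        if f[0] == "pub":
            primary = f[1]
        # A subkey under an unusable primary key is unusable as well.
        inherited = f[0] == "sub" and primary in BAD
        table[f[4].upper()] = primary if inherited else f[1]
    return table


def verdict(signature_line, colons):
    """Hypothetical labels: NOSIG, NOKEY, REVOKED/EXPIRED/DISABLED/INVALID, OK."""
    m = KEY_ID_RE.search(signature_line)
    if not m:
        return "NOSIG"
    validity = key_validity(colons).get(m.group(1).upper())
    if validity is None:
        return "NOKEY"
    return BAD.get(validity, "OK")


if __name__ == "__main__":
    print(verdict(SIG_LINE, GPG_COLONS))
```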