#892058 debian-keyring: please automatically send reminder emails to people whose keys will expire soon
Package: debian-keyring
Source: debian-keyring
Submitter: Ximin Luo
Date: 2022-04-16 15:33:05 UTC
Severity: wishlist
Tags:
Dear Maintainer,

For security, I set a short validity period on my key and renew this every year by repeatedly extending the expiry date. However I keep forgetting to send the key to keyring.debian.org, and it's the second time this has happened. Since the keyring-maint team usually updates debian-keyring once a month, it means I can't do any uploads for a month, which is pretty inconvenient.

I've attached a script that prints the soon-to-expire keys from debian-keyring.gpg. You can run it like this:

    $ ./dd-expiry "2 months" now
    5394479DD3524C51 1520360331 2018-03-06T19:18:51+01:00
    88237A6A53AB1B2E 1521137128 2018-03-15T19:05:28+01:00
    2FD8BEDAC020EED1 1521756999 2018-03-22T23:16:39+01:00
    FF55C8F4DAE92422 1522357905 2018-03-29T23:11:45+02:00
    6C8F74AE87700B7E 1522940258 2018-04-05T16:57:38+02:00
    9AF46B3025771B31 1523261856 2018-04-09T10:17:36+02:00
    8CBF9A322861A790 1523450637 2018-04-11T14:43:57+02:00
    D04BA3A00125D5C0 1523561253 2018-04-12T21:27:33+02:00
    792152527B75921E 1524162229 2018-04-19T20:23:49+02:00
    AB645F406286A7D0 1524227017 2018-04-20T14:23:37+02:00
    965522B9D49AE731 1524351803 2018-04-22T01:03:23+02:00
    9EDCC991D9AB457E 1524389562 2018-04-22T11:32:42+02:00
    025AFE95AC9DF31B 1524721803 2018-04-26T07:50:03+02:00
    0ABA650372FD9571 1524748809 2018-04-26T15:20:09+02:00
    003A1A2DAA41085F 1525086689 2018-04-30T13:11:29+02:00
    3F9219A67F36C68B 1525192781 2018-05-01T18:39:41+02:00
    39091E8123CE1C09 1525312214 2018-05-03T03:50:14+02:00

It would be good if you could hook up the output of this script to an automatic email reminder script, that emails those people to renew their keys.
We've discussed this internally in the past (we have scripts/chk_expiry already which probably needs a bit of cleanup for gpg2) and never come up with a solution that we actually rolled out. I have a few unanswered questions about doing such a thing:

*) What email address do we email from? The keyring-maint role address? Something else where we can just drop the bounces?

*) Which email address do we notify about the key expiry? The primary UID (not always well specified)? All UIDs? The @debian.org address associated with the key (where available, doesn't work for DDs)?

*) How often do we email? Both in terms of how often do we run the checks, and how often do we alert someone about an upcoming expiry. Should it be something we do from a regular cron job, or something done after a keyring update?

*) Why is it keyring-maint's responsibility to manage key expiry notifications for people?

*) [Related, but a one off]: How do we handle long expired keys? There are keys that have been expired for nearly 3 years. Is there a point where we should submit them to MIA? If we're sending notifications perhaps there's an MIA notification as part of the same script?

J.
Hello, On Mon, 5 Mar 2018 10:04:22 +0000 Jonathan McDowell <noodles@earth.li> wrote: I would like to second this request because I recently made the same mistake. Although I had uploaded my public key to the keyserver network months ago, it was never synced with keyring.debian.org. I naively assumed it would happen automatically. I followed the instructions on https://keyring.debian.org/ and now I'm waiting for the keypush. In the meantime I cannot upload any packages. Either this one or from a completely new address which is only meant for sending out those emails but is not supposed to receive messages. In doubt I would suggest to notify all email addresses / UIDs, just to be sure. Once per week, three months before the key will expire. Both, a regular cron job or after a keyring update, would work I guess as long as the keyring push happens approximately once per month. This will give active people enough time to react. It isn't but I believe you would help to improve this service. Some people like me didn't know that updated public keys are not automatically synced, others forget it completely. In any case an automated email would help to prevent those situations, which could mean that DM/DDs are unable to upload for a month or longer. If they have been expired for three years, it is very likely that the developer in question is MIA. I believe it would be helpful to inform the MIA team about it and ask them to check the situation. This could/should? be handled differently. Regards, Markus
Hi, Is there a security-related reason why the key servers are not synced? If it is safe to do it occasionally, isn't it safer to do it all the time---especially to get revocations? Kind regards, Felix Lechner
Hello! I am also in favor of this idea. I renewed my key a couple of weeks before it expired, but I should have renewed it 2 months before. I did not factor in the delay in the keyring releases (now already 6+ weeks since last release). Getting an automated reminder would indeed have been helpful.
I too would like to have such a service available, having let my key expire again recently. I've sometimes set up a local cron job to nudge me by checking the installed debian-keyring package, but that package doesn't always get updated (and I occasionally hear it's been talked of not including a package at all?). I kind of liked not having to have network access (other than normal package updating processes). Maybe I could run a cron job polling keyring.debian.org directly on some debian infrastructure instead (any suggestions where?)... but if I'm doing this for myself, others surely could use it too; a shared cron job that people could call to opt in to might be nice, and then they could control the email address to send and how often they want the reminders themselves... live well, vagrant
I would certainly appreciate Debian running this kind of service. From a recipient PoV I would find it most sensible to receive such notification from the keyring maintainers, but I recognize that it would be an additional task that technically need not be tied to that same team. Thanks to Ximin for the initiative, and to Felix for running a test service from riseup.net: I've been bitten by this in the past, and was happy to receive a warning from Felix. - Jonas
Let me think out loud to this bug report...
Jonas Smedegaard said [Wed, Sep 23, 2020 at 08:43:03AM +0200]:
I too think this would be an important addition, but have been unable
to put the time into this; some of you might have noticed that
starting some months ago, while pushing a keyring update, I send a
mail to everybody whose key is _already_ expired; doing this is quite
easy:
/------------------- https://salsa.debian.org/debian-keyring/keyring/-/blob/master/t/no-expired.t
| #!/bin/sh
| # Looks for expired keys in our active keyrings
| set -e
|
| find_expired () {
| k=$1
| gpg --no-options --no-auto-check-trustdb --no-default-keyring \
| --keyring "./output/keyrings/$k" --list-keys --with-colons \
| | grep -a '^pub' \
| | awk -F: -v keyring=$1 \
| '$2 == "e" {print keyring ":\t0x" $5 " expired on " strftime("%F %T", $7) " (" $10 ")"}'
| }
|
| fail=0
| for keyring in debian-keyring.gpg debian-maintainers.gpg \
| debian-nonupload.gpg; do
| find_expired $keyring
| done
|
| exit $fail
I suck at awk, so I would rephrase the last command in the pipeline
with:
ruby -r date -n -e 'flds=$_.split(/:/); next unless flds[1] == "e"; \
exp=Date.strptime(flds[6],"%s"); puts "%s: %s expired on %s" % \
[ENV["k"], flds[4], exp.strftime("%Y-%m-%d")]'
That (plus exporting k in the shell to the environment) would leave it
functionally equivalent to what we currently have, and would allow us
to replace it with:
ruby -r date -n -e 'flds=$_.split(/:/); today = Date.today; \
onemonth = today+30; exp=Date.strptime(flds[6],"%s") rescue nil; \
next if exp.nil? or exp >= onemonth; \
puts "%s: %s expired on %s" % [ENV["k"], flds[4], \
exp.strftime("%Y-%m-%d")] if exp <= today; \
puts "%s: %s will soon expire (%s)" % [ENV["k"], flds[4], \
exp.strftime("%Y-%m-%d")] if exp > today and exp <= onemonth'
That gives us a nice list that presents expired and soon-to-expire
keys -- Including information potentially useful today, of course!
debian-keyring.gpg: 049B6D88E31734DB expired on 2019-08-17
debian-keyring.gpg: 13EC43EEB9AC8C43 will soon expire (2020-10-02)
debian-keyring.gpg: 17B1CA7D64089528 expired on 2020-06-12
debian-keyring.gpg: 1CFC22F3363DEAE3 expired on 2020-06-17
(...)
...But I have to leave the topic as it is right now, as my family
calls me. From here, this script can be easily modified:
https://salsa.debian.org/debian-keyring/keyring/-/blob/master/scripts/mail_expired.rb
And we would have everything in place to notify people whose key is
to expire soon.
So, I will try to add this later today (but other keyring-maints, your
input is much appreciated before that!), or failing that... Soon™.
On Wed, Sep 23, 2020 at 08:26:05AM -0500, Gunnar Wolf wrote: […Technical stuff…] Wonderful, thank you for working into making (part of) our lives easier! Regards David
David Prévot said [Wed, Sep 23, 2020 at 10:49:33AM -0400]:

:-] I will add this, but not to this script (thinking during breakfast... The script I modified is part of our test suite, and it'd be wrong to mark soon-to-expire keys as failing). But I think I will modify in this same way the mail_expired script - making it not consume from the no-expired test, but asking directly from gpg.

I also just (!) took notice of this bug report and its history; although we informally discussed this a long time ago, I'd like to give _my_ answer to Jonathan's questions¹. Note that they are _my_ take on that, just as ⅓ of the relevant team (where Jonathan is another ⅓).

¹ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892058#10

- What email to notify from? I think it can be keyring-maint@d.o. Why not? It's not going to be so massive, and if we get bounces... Well, they will not be hundreds of them.

- Which mail to notify? I think just the @debian.org address should suffice. Yes, we know of some DDs that disable this address, but I don't think they are significant enough for us to even notice.

- How often? I often do a mail every time I push out a keyring (which is, approximately, one out of three months). I think we could do this run on a monthly basis, notifying people that are to expire in two or three months time.

- Why is it keyring-maint's responsibility? It is not, but it is a service we can perform, much like any other person can. It just happens that we have all of the data in our hands.

- How long to care for long expired keys? I often mail everybody with an expired key, but it'd be quite easy to have some different mails -- Could be along the lines of "Key about to expire, please act now" (-2 to 0 months), "Key recently expired" (0 to 3 months), "Do note your key has expired" (3 to 12 months), "Key long expired" (12 to 24 months), and... "Radio silence, please call in MIA".
I was going to say it would be nice if there was a month or two advance notice, but looking at the bug log, it seems this is only due to the first run of this being just before my key was due to expire, and the idea is there would normally be two or three months notice? If so, perfect! It's very good, thank you very much!

FWIW, I would have expected MIA to be contacted for anyone whose key is expired for more than a few months.

(Also, couldn't anyone write a script to synchronise the keyservers for expiring keys?
Step 1: get a list of Debian keys that will expire in the next 6 months;
Step 2: download them from any key servers;
Step 3: if any of them have an updated expiry date, export and send to Debian's keyserver.
No need to be keyring-maint or have the secret key for any of those steps. Could sync for new sigs as well, but that might get tedious)

Cheers, aj
Hi Felix e.a., <snip> <aol>me too!</aol> : yes i very much appreciate this service, thanks a lot! Bye, Joost
Hi Gunnar, Here is the script I used for today's reminders. It is attached just for the record. I am still working on automating the uid selection, the sending of messages, and also calculating the subkey expirations. Kind regards Felix Lechner
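The thread's scripts (Ximin's dd-expiry, the chk_expiry/no-expired.t shell, Gunnar's Ruby rewrite, Felix's key-expirations) all start from the same input: the colon-delimited listing that `gpg --with-colons --list-keys` prints for a keyring file. The example below is added here and is not any of those scripts. It parses that listing, includes subkeys as well as primary keys (the subkey expirations Felix mentions above: an upload signature made with an expired signing subkey is no better than one made with an expired primary key), sorts each key into the reminder buckets Gunnar sketched, and implements the comparison step of aj's keyserver-sync idea: which keys have a later expiry on the keyserver copy than in the keyring copy. The 60-day warning window, the bucket boundaries and the sample listing are assumptions made for the example, not keyring-maint policy or real keys.

```python
"""Expiry reminders and keyserver-sync candidates from gpg --with-colons output.

Added example, not a keyring-maint script. Bucket boundaries (60 days before
expiry, then 0/3/12/24 months after) are taken from the discussion in this bug.
"""
from datetime import datetime, timezone
import subprocess

DAY = 86400

# Constructed sample listing: key ids, fingerprints and uids are invented and
# belong to no real key. Layout follows gpg's --with-colons format: field 5 is
# the key id, field 6 creation, field 7 expiry (empty = never), field 10 the
# user id on "uid" records.
SAMPLE_KEYRING = """\
tru::1:1600000000:0:3:1:5
pub:e:4096:1:0123456789ABCDEF:1500000000:1590000000::-:::scSC::::::23::0:
fpr:::::::::00000000000000000000123456789ABCDEF:
uid:e::::1500000000::0000000000000000000000000000000000000000::Alice Example <alice@debian.org>::::::::::0:
sub:e:4096:1:FEDCBA9876543210:1500000000:1590000000:::::s::::::23:
pub:u:4096:1:1111222233334444:1500000000:1602000000::-:::scSC::::::23::0:
uid:u::::1500000000::1111111111111111111111111111111111111111::Bob Example <bob@debian.org>::::::::::0:
sub:u:4096:1:5555666677778888:1500000000:1599000000:::::s::::::23:
pub:u:4096:1:AAAABBBBCCCCDDDD:1500000000:::-:::scSC::::::23::0:
uid:u::::1500000000::2222222222222222222222222222222222222222::Carol Example <carol@debian.org>::::::::::0:
"""
# The same keys as a keyserver would return them: Bob has extended his expiry.
SAMPLE_KEYSERVER = SAMPLE_KEYRING.replace(
    "1111222233334444:1500000000:1602000000",
    "1111222233334444:1500000000:1633000000")


def parse_listing(text):
    """Return [(keyid, kind, primary_uid, expiry)] for every pub and sub record.

    kind is "pub" or "sub"; expiry is a Unix timestamp or None (never expires);
    primary_uid is the first uid record under the primary key (gpg prints uid
    records after the pub record, so it is attached once the key is complete).
    """
    keys = []            # one dict per primary key, in listing order
    current = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"uids": [], "recs": []}
            keys.append(current)
        elif current is None:
            continue     # tru: and anything else before the first key
        if f[0] in ("pub", "sub"):
            current["recs"].append((f[4], f[0], int(f[6]) if f[6] else None))
        elif f[0] == "uid":
            current["uids"].append(f[9])
    return [(keyid, kind, k["uids"][0] if k["uids"] else "", exp)
            for k in keys for keyid, kind, exp in k["recs"]]


def bucket(expiry, now, warn_days=60):
    """Map an expiry timestamp to a reminder class, or None if no mail is due."""
    if expiry is None:
        return None
    days = (expiry - now) / DAY
    if days > warn_days:
        return None
    if days > 0:
        return "about to expire"
    if days > -90:
        return "recently expired"
    if days > -365:
        return "expired"
    if days > -730:
        return "long expired"
    return "radio silence, refer to MIA"


def reminders(listing, now, warn_days=60):
    """[(keyid, kind, uid, 'YYYY-MM-DD', bucket)] for keys that need a reminder."""
    out = []
    for keyid, kind, uid, exp in parse_listing(listing):
        b = bucket(exp, now, warn_days)
        if b:
            iso = datetime.fromtimestamp(exp, tz=timezone.utc).strftime("%Y-%m-%d")
            out.append((keyid, kind, uid, iso, b))
    return out


def extended_expiries(keyring_listing, keyserver_listing):
    """Primary keys whose keyserver copy carries a later expiry than the keyring.

    Returns {keyid: (keyring_expiry, keyserver_expiry)}; these are the keys
    worth sending to keyring.debian.org (aj's step 3). A removed expiry counts
    as extended.
    """
    old = {k: e for k, kind, _, e in parse_listing(keyring_listing) if kind == "pub"}
    new = {k: e for k, kind, _, e in parse_listing(keyserver_listing) if kind == "pub"}
    return {k: (old[k], e) for k, e in new.items()
            if k in old and old[k] is not None and (e is None or e > old[k])}


def list_keyring(path):
    """Colon listing of a local keyring file, e.g. /usr/share/keyrings/debian-keyring.gpg."""
    return subprocess.run(
        ["gpg", "--no-options", "--no-default-keyring", "--no-auto-check-trustdb",
         "--keyring", path, "--list-keys", "--with-colons", "--fixed-list-mode"],
        check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys, time
    listing = list_keyring(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_KEYRING
    for row in reminders(listing, int(time.time())):
        print("%s (%s) %s: %s, %s" % row)
```

Run with a keyring path to list real keys, or without arguments to see the sample classified as of "now". The reminder buckets are evaluated per key record, so a still-valid primary key with an expired signing subkey shows up as "recently expired" for the subkey line, which is the case Felix's subkey work targets. Fetching the keyserver copy (aj's step 2) is left to `gpg --recv-keys`; only the comparison is shown here.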
A really great service, as my key often times out. Maybe the reminder is a bit early: - key expires on 24th dec - last chance is 24th nov - got reminder 22th oct Jérémy
Hi Jérémy The bug suggested sending out monthly reminders, two months out. That way people get two reminders. Perhaps it should be configurable in db.debian.org. How long do you usually extend your key? Is it just a year? Thank you! Kind regards Felix Lechner
On Thu, 22 Oct 2020 at 16:48, Felix Lechner <felix.lechner@lease-up.com> wrote: I suppose a one-month reminder is long enough for vacations, and some days before is good enough to catch up if the first was missed. Longer delays might just give the same result: forgetting to do it at the right time. Jérémy
Thanks for this reminder. More importantly, thanks for providing the right links to documentation. Setting the new expiry date (and sending the key) was done in less than 5mns. All the best
Thank you for implementing this service. It was a great reminder and easy to follow the instructions. The only thing I may suggest is perhaps mention how to verify that the keyring.debian.org server received the update. It seems that doing --recv-keys a few minutes later (but not immediately!) will show the updated key, with the new expiry. Sincerely, -Alex
Hi, The script to send the reminders for expiring keys is now available here: https://salsa.debian.org/lechner/key-expirations Kind regards Felix Lechner
As I commented on https://salsa.debian.org/debian-keyring/website/-/merge_requests/4

Although the updated key can be confirmed by --recv-keys, it may still not be effective yet, I guess. The final confirmation is mentioned on the wiki:

- https://wiki.debian.org/DebianKeyring

(replace user with the debian ID)

    $ finger user/key@db.debian.org | gpg --list-options show-keyring 2>/dev/null

Cheers,
It was my understanding this is the confirmation the key had made it to the keyring package. I was hoping to confirm the key had been successfully received, and then later rolled out. Sincerely, -Alex
Hi Felix, Thanks for sending out that reminder. I have extended the expire date of my PGP-key and did send it to keyring.debian.org. Regards Geert Stappers
For once in many many years, I have not uploaded something after my key has expired and wondered why it bounced. Thanks for the note. - Craig
Hi, Yes, this service is very useful. I always set my key to expire on Feb 1st, and renew it in December of the previous year. I usually set a reminder in my calendar, but this year I failed to do that. :) Even when I don't fail to set a reminder, this is important enough that some redundancy is useful. OTOH it would be nice for people to be able to opt out, though.
Many thanks for reaching out to me with this reminder, I wouldn't have noticed before it was too late otherwise. I have now updated my expiration dates, hoping it wasn't too late for the monthly update. /Simon Sun 2020-12-13 at 06:02 -0800 Felix Lechner wrote:
Felix Lechner <felix.lechner@lease-up.com> writes: Thanks for this reminder I got saved :-). Last 2 consecutive years I forgot to update my keys and during DPL election I had to bug Gunnar at last minute to pull in my key changes. Cheers, Vasudev
Very much appreciate the reminder, thank you Felix for sending these out! I don't think it matters. I got an email from an email address that was not a debian email address (Felix's email), and it worked. If you don't want to deal with the bounces to keyring-maint, just make something else, keyring-maint-reminder or something? All of them seems fine. It isn't anyone's responsibility, I'm not sure it has to be. However, it is nice if someone does this. Felix sent these reminders, but I don't think it is now his responsibility, I just appreciate Felix for doing this.
Hi Felix, thank you very much for this service. Worked great for me. :-) Bye, Erik On 17.02.21 at 04:19 Felix Lechner wrote: ...
(Bcc: Felix) Felix Lechner <felix.lechner@lease-up.com> writes: Please count me among those who found these reminders helpful. Thanks!
On 18.03.21 at 01:32 Felix Lechner wrote: I find the reminders very helpful, every time I get them. Thank you very much for that! Though one thing that bothers me about them is that the email says that the keyring update will happen on the 24th of each month, which leaves me with about a week to update my key before it is too late. Under regular circumstances this is of course enough for me to extend the expiration, but I imagine if I were on vacation and didn't have access to my master key, I might very well find myself in a situation where I get the reminder, but don't have the means to actually extend my key before it is too late. Maybe the reminder should be sent earlier in advance? If the reminder was sent one week before the second-to-last keyring update that would leave people with two chances to get their key extended in time. However, I also see that people have been complaining in the past that the reminders were sent too early in advance, so that's just my 2¢. Regards Sven
On Saturday 21 November 2020 at 19:50:41-0800, Felix Lechner wrote: This is very neat!
Hi Sven,

Thank you for your kind words! According to my records, you may have received an earlier reminder—on February 16, California time. Can you find it?

~ Subject: Your Debian key is expiring
~ To: Sven Bartscher <kritzefitz@debian.org>
~ From: Felix Lechner <felix.lechner@lease-up.com>
~ Content-Type: text/plain; charset="utf-8"
~ Content-Transfer-Encoding: 7bit
~ MIME-Version: 1.0
~ Message-Id: <E1lCDKF-002WhL-Es@lechner-desktop.us-core.com>
~ Date: Tue, 16 Feb 2021 19:16:27 -0800

I currently send out two reminders prior to expiry, about a month apart. I follow Otto's recommendation from a year ago [1]. Ximin also implemented that in a script submitted when filing this bug. [2]

In the past, I additionally sent out reminders for keys that expired less than a month ago, but stopped for fear of spamming people. My goal is just to be helpful.

Thank you for reading!

Kind regards
Felix Lechner

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892058#25
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892058#5
Hi Felix, On 18.03.21 at 15:18 Felix Lechner wrote: I actually have received it and probably just forgot to actually act on it. Thank you for your assistance and sorry for the noise! Regards Sven
Hello Felix, On 23/03/21 at 12:47, Felix Lechner wrote: ... Extending my key's expiry date was on my ToDo list (this time). I indeed like this service. I think gpg keys should have expiry dates, but that implies that Debian contributors should remember to renew them on time. This service helps to avoid being blocked from doing our Debian duties. Thanks,
Hi, Thanks for the timely reminder with all the relevant dates included. I find this service useful and I'm grateful for it.
Thanks for the heads up, that’s really useful ! Happy hacking, -- Aurélien
... Thanks for the reminders! Now I just need to time my future expiry closer to the keyring-maint cycle to minimize the risk of downtime... :) live well, vagrant
[...] Thanks, that was really helpful. :)
Thanks Felix Lechner for the reminder about the expiration of my GPG key approaching. I found it very useful! Best wishes, Cédric
Very useful service, thanks for providing it! Bernd
This service was really helpful. Otherwise I would have missed the deadline, probably. Jan
Thanks for the heads-up. I would probably have forgotten to renew my key without this reminder. All the best
Thanks for the annual ping. You helped me avoid pain several years in a row now.
Now this is a useful service! Thanks a lot for the ping!
Thanks for the ping! Last time I didn't notice my key was about to expire and as a result a few uploads of mine got delayed by the key refresh in the keyring. Cheers,
Thanks for the ping! This is very much appreciated. Best, _g.