gnu gcc source archives signed with expired GPG key?
I'm in the course of rescuing a legacy app that got left behind and turned out to be needed on rare occasions, one of which occurred yesterday. I need to rebuild some libraries and the libraries have a strict dependence on gcc > 6.0 which the server sadly lacked by a mile. So I went looking for a newer gcc and found mirror sites here: https://gcc.gnu.org/mirrors.html such as http://www.netgull.com/gcc/releases/gcc-9.3.0/. (Aside: so many sites still answer over http, not https, oh yay!)
The gcc-9.3.0.tar.gz archive signature in gcc-9.3.0.tar.gz.sig is with the key for Jakub Jelinek listed on the gnu.org page, fingerprint
33C2 35A3 4C46 AA3F FB29 3709 A328 C3A2 C3C4 5C06.
This key is in the ancient keyring at https://ftp.gnu.org/gnu/gnu-keyring.gpg, and has expired.
Why are recent versions of gcc, of all things, being distributed this way? Is there some refreshed version of this key I'm not finding? Or a different mirror site using a different signing key?
The pedantic answer to your question is: when gcc-9.3.0 was released, the key was not yet expired:
$ gpg --verify gcc-9.3.0.tar.gz.sig gcc-9.3.0.tar.gz
gpg: Signature made Thu 12 Mar 2020 07:32:47 AM EDT
gpg:                using DSA key A328C3A2C3C45C06
The signature was made in March 2020, but the key expired in September 2020:
gpg --list-keys A328C3A2C3C45C06
pub   dsa1024/A328C3A2C3C45C06 2004-04-21 [SC] [expired: 2020-09-10]
      33C235A34C46AA3FFB293709A328C3A2C3C45C06
So, the fact that it's expired now is not a cause for concern.
What is the cause for concern is that it's a 1024/DSA key, which is probably not considered sufficiently strong these days. However, I can also see that the author has a newer key created in May, 2020:
pub rsa4096/6C35B99309B5FA62 2020-05-28 [SC] D3A93CAD751C2AF4F8C7AD516C35B99309B5FA62
So, perhaps the next release of gcc will be signed with this key instead.
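The answer's check (signature date versus key expiry date) is done by eye above. As an added example, not part of the original answer, here is the same comparison as a small script that parses the machine-readable output of gpg (the `--status-fd` VALIDSIG/EXPKEYSIG lines and the `--with-colons` key listing) and reports whether an EXPKEYSIG signature was made while the key was still valid. The embedded sample outputs are constructed: the fingerprint, key id, signature time and expiry date are taken from the post, the remaining fields are placeholders; `run_gpg()` shows how the same parser would be fed from a real gpg invocation.

```python
"""Decide whether a detached GPG signature predates its signing key's expiry.

gpg's EXPKEYSIG status only says "good signature, key has since expired";
it does not say whether the signature was made before or after the expiry
date, so we compare the VALIDSIG timestamp against the key's expiry field.
"""
import subprocess

# Constructed sample of `gpg --status-fd 1 --verify gcc-9.3.0.tar.gz.sig gcc-9.3.0.tar.gz`
# for a good signature made 2020-03-12 11:32:47 UTC (1584012767) by a key
# that has since expired. VALIDSIG field 3 is the signature timestamp.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 33C235A34C46AA3FFB293709A328C3A2C3C45C06 0
[GNUPG:] EXPKEYSIG A328C3A2C3C45C06 Jakub Jelinek
[GNUPG:] VALIDSIG 33C235A34C46AA3FFB293709A328C3A2C3C45C06 2020-03-12 1584012767 0 4 0 17 2 00 33C235A34C46AA3FFB293709A328C3A2C3C45C06
"""

# Constructed sample of `gpg --with-colons --list-keys A328C3A2C3C45C06`.
# In the pub record, field 5 is the long key id, field 6 the creation time
# and field 7 the expiry time (2020-09-10 00:00 UTC = 1599696000),
# all as seconds since the epoch.
SAMPLE_KEYS = """\
pub:e:1024:17:A328C3A2C3C45C06:1082505600:1599696000::-:::sc::::::23::0:
fpr:::::::::33C235A34C46AA3FFB293709A328C3A2C3C45C06:
"""


def parse_status(status_text):
    """Return (verdict, fingerprint, sig_timestamp) from --status-fd output.

    verdict is 'bad', 'revoked', 'good', 'good-key-expired', or
    'unverified' (no VALIDSIG line, e.g. the public key is not in the keyring).
    """
    verdict, fpr, sig_ts = "unverified", None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "BADSIG":
            return "bad", None, None
        if tag == "REVKEYSIG":
            verdict = "revoked"
        elif tag == "GOODSIG":
            verdict = "good"
        elif tag == "EXPKEYSIG":
            verdict = "good-key-expired"
        elif tag == "VALIDSIG":
            fpr, sig_ts = fields[2], int(fields[4])
    if fpr is None:
        return "unverified", None, None
    return verdict, fpr, sig_ts


def key_expiry(colons_text, fingerprint):
    """Expiry timestamp of the pub key whose long id is the last 16 hex digits
    of `fingerprint`, or None if the key never expires or is not listed."""
    keyid = fingerprint[-16:]
    for line in colons_text.splitlines():
        f = line.split(":")
        if f[0] == "pub" and f[4] == keyid:
            return int(f[6]) if f[6] else None
    return None


def classify(status_text, colons_text):
    """Combine both gpg outputs into one verdict string."""
    verdict, fpr, sig_ts = parse_status(status_text)
    if verdict != "good-key-expired":
        return verdict
    expiry = key_expiry(colons_text, fpr)
    if expiry is None:
        return verdict
    # A signature made before the key expired is the benign case described in
    # the answer; one dated after the expiry deserves a closer look.
    return "good-signed-before-key-expiry" if sig_ts < expiry else "signed-after-key-expiry"


def run_gpg(sig_path, archive_path):
    """Feed the parser from a real gpg run (needs gpg and the key in the keyring)."""
    status = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, archive_path],
        capture_output=True, text=True).stdout
    _, fpr, _ = parse_status(status)
    if fpr is None:
        return "unverified"
    keys = subprocess.run(
        ["gpg", "--with-colons", "--list-keys", fpr],
        capture_output=True, text=True).stdout
    return classify(status, keys)


if __name__ == "__main__":
    print(classify(SAMPLE_STATUS, SAMPLE_KEYS))
```

The parser reads only the documented positional fields of the `pub` record and the VALIDSIG line, so it does not depend on gpg's human-readable wording or locale; with a real archive, `run_gpg("gcc-9.3.0.tar.gz.sig", "gcc-9.3.0.tar.gz")` replaces the embedded samples.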