GPG signatures have a timestamp which is checked and if it's in the future, verification will fail. Signed-off-by: Florian Pritz --- Way simpler than the last version, but I'm not sure if this is the appropriate place or if we should use the status variable to tell the front end about the failure and handle it there. lib/libalpm/signing.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c index 1e41716..f39e037 100644 --- a/lib/libalpm/signing.c +++ b/lib/libalpm/signing.c @@ -530,6 +530,10 @@ int _alpm_gpgme_checksig(alpm_handle_t *handle, const char *path, string_validity(gpgsig->validity), gpgme_strerror(gpgsig->validity_reason)); + if(gpgsig->timestamp > time(NULL)) { + _alpm_log(handle, ALPM_LOG_WARNING, _("System time is behind signature timestamp. Verification will fail.\n")); + } + result = siglist->results + sigcount; err = gpgme_get_key(ctx, gpgsig->fpr, &key, 0); if(gpg_err_code(err) == GPG_ERR_EOF) { -- 1.7.11.1