Red Hat has used RPM for software package distribution for decades, but we now know that RPM has contained a nasty hidden security bug since Day One. The bug has now been unveiled, and a repair patch has been submitted.
Installation / verification should not pass if the (sub)key(s) has been revoked or expired · Issue #1598 · rpm-software-management/rpm
Shouldn't RPM treat the revoked (sub)key(s) as no longer valid? I'm trying to fix the simple use case with the only revoked subkey. IOW after importing: sec rsa4096/D8D1E0ECD0EE67F7 created...