Please document your gpg keys

Question

Please document your gpg keys

yeikel opened this issue 2 years ago · comments

Yeikel commented 2 years ago

We use Dependency Verification and currently there is no documentation stating which keys are safe

Could you please document this?

For example,1.81 was signed using dcba03381ef6c89096acd985ac5ec74981f9cda6

But 1.82 was signed is using a 22E44AC0622B91C3

Here are some examples of other projects documenting what key they use to sign their artifacts.

https://github.com/qos-ch/slf4j/blob/master/SECURITY.md#verifying-contents
https://square.github.io/okhttp/security/security/#verifying-artifacts
https://downloads.apache.org/logging/KEYS

Markus KARG · Answer 1 · Sun Apr 28 2024 15:52:16 GMT+0800 (China Standard Time)

Since we release 1.83 with a different signing key, is this issue still and issue?

Yeikel · Answer 2 · Sun Apr 28 2024 22:12:06 GMT+0800 (China Standard Time)

Since we release 1.83 with a different signing key, is this issue still and issue?

Is that expected key documented somewhere in the repo?

Markus KARG · Answer 3 · Sun Apr 28 2024 23:48:48 GMT+0800 (China Standard Time)

Since we release 1.83 with a different signing key, is this issue still and issue?

Is that expected key documented somewhere in the repo?

No it is not. According to https://central.sonatype.org/publish/requirements/gpg/#distributing-your-public-key it should be found on a keyserver.

Yeikel · Answer 4 · Mon Apr 29 2024 01:14:58 GMT+0800 (China Standard Time)

Since we release 1.83 with a different signing key, is this issue still and issue?

Is that expected key documented somewhere in the repo?

No it is not. According to https://central.sonatype.org/publish/requirements/gpg/#distributing-your-public-key it should be found on a keyserver.

Yes, but there are multiple key servers and there should be a way to link it back to the project. Storing it without any documentation creates the original problem described above.

For example,1.81 was signed using dcba03381ef6c89096acd985ac5ec74981f9cda6

But 1.82 was signed is using a 22E44AC0622B91C3

We should be able to find in the documentation what the expected key is and raise an exception if any new unknown and undocumented key is found with a release as it could be a compromised release

The SECURITY.md file is a good place to document that back in the repository.

For example, see this : https://github.com/qos-ch/slf4j/blob/master/SECURITY.md#verifying-contents

Markus KARG · Answer 5 · Mon May 20 2024 22:19:39 GMT+0800 (China Standard Time)

Please find the GPG Signing Key for validation here: https://github.com/cbeust/jcommander/blob/master/SECURITY.md#gpg-signature-validation. 😃