sigp / siren

User interface for Lighthouse

CI: signing key does not match published one

antondlr opened this issue · comments

As discussed internally:

our published PGP identity

pub   rsa4096 2020-11-27 [SC] [expires: 2036-11-23]
      15E66D941F697E28F49381F426416DC3F30674B0
uid           [ unknown] Sigma Prime <security@sigmaprime.io>
sig 3        26416DC3F30674B0 2020-11-27  Sigma Prime <security@sigmaprime.io>
sub   rsa4096 2020-11-27 [E] [expires: 2036-11-23]
sig          26416DC3F30674B0 2020-11-27  Sigma Prime <security@sigmaprime.io>

does not contain the (newly-added, 20230227) signing subkey that we use for signing Siren releases:

pub   rsa4096 2020-11-27 [SC] [expires: 2036-11-23]
      15E66D941F697E28F49381F426416DC3F30674B0
uid           [ unknown] Sigma Prime <security@sigmaprime.io>
sig 3        26416DC3F30674B0 2020-11-27  Sigma Prime <security@sigmaprime.io>
sub   rsa4096 2020-11-27 [E] [expires: 2036-11-23]
sig          26416DC3F30674B0 2020-11-27  Sigma Prime <security@sigmaprime.io>
sub   rsa4096 2023-02-27 [S]
sig          26416DC3F30674B0 2023-02-27  Sigma Prime <security@sigmaprime.io>

so we either have to:

  1. update the published key on keybase.io
  2. revert to a version that does not have that subkey in CI
  3. modify CI to specifically not use the signing subkey

I could do (3) probably but would prefer (1) or (2)

gpg --verify siren-v1.0.1-x86_64-unknown-linux-gnu.zip.asc
gpg: assuming signed data in 'siren-v1.0.1-x86_64-unknown-linux-gnu.zip'
gpg: Signature made vr 25 aug 21:39:43 2023 CEST
gpg:                using RSA key 33529CF9962816DC16B4D6254EBBF0959B313321
gpg: Can't check signature: No public key

sec#  rsa4096 2020-11-27 [SC] [expires: 2036-11-23]
      15E66D941F697E28F49381F426416DC3F30674B0
uid                      Sigma Prime <security@sigmaprime.io>
ssb   rsa4096 2020-11-27 [E] [expires: 2036-11-23]
      33679A097ADCF6797525C4357ACF1E5A8D9E2514
ssb   rsa4096 2023-02-27 [S]
      33529CF9962816DC16B4D6254EBBF0959B313321
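The mismatch above is exactly the kind of thing a release pipeline can check before publishing: gpg names the issuing key (`33529CF9...`) and reports `No public key` because the identity published on keybase.io does not carry that signing subkey. The script below is an added example, not code from the Siren project or its CI. It parses gpg's machine-readable key listing (the format produced by `gpg --with-colons --with-subkey-fingerprints --list-keys <fingerprint>`) and answers whether a given signer fingerprint is signing-capable and belongs to the expected primary key. The two listings embedded in it are constructed from the fingerprints quoted in this issue; they are not real gpg dumps, and the timestamps and uid hash are illustrative.

```python
"""Check that a release signature's issuing key is a signing-capable (sub)key
of the publisher's expected primary key.

Added example for this issue, not part of Siren. Input is the colon-format
listing of `gpg --with-colons --with-subkey-fingerprints --list-keys`.
"""
from dataclasses import dataclass, field

# Fingerprints quoted in the issue.
PRIMARY_FPR = "15E66D941F697E28F49381F426416DC3F30674B0"
ENCRYPT_SUBKEY_FPR = "33679A097ADCF6797525C4357ACF1E5A8D9E2514"
SIGN_SUBKEY_FPR = "33529CF9962816DC16B4D6254EBBF0959B313321"

# Constructed listing of the key as published on keybase.io (no signing
# subkey). Field 12 (index 11) carries the capability letters; for a primary
# key lowercase letters are its own capabilities and uppercase ones are the
# aggregate over the whole key. Timestamps and the uid hash are illustrative.
PUBLISHED_KEY = """\
pub:-:4096:1:26416DC3F30674B0:1606435200:2111011200::-:::scESC::::::23::0:
fpr:::::::::15E66D941F697E28F49381F426416DC3F30674B0:
uid:-::::1606435200::0000000000000000000000000000000000000000::Sigma Prime <security@sigmaprime.io>::::::::::0:
sub:-:4096:1:7ACF1E5A8D9E2514:1606435200:2111011200:::::e::::::23:
fpr:::::::::33679A097ADCF6797525C4357ACF1E5A8D9E2514:
"""

# Constructed listing of the same key as it exists in CI, with the
# 2023-02-27 signing subkey appended.
CI_KEY = PUBLISHED_KEY + """\
sub:-:4096:1:4EBBF0959B313321:1677456000::::::s::::::23:
fpr:::::::::33529CF9962816DC16B4D6254EBBF0959B313321:
"""


@dataclass
class Key:
    fingerprint: str
    capabilities: str
    subkeys: list = field(default_factory=list)


def parse_colon_listing(text):
    """Return the primary keys in a colon listing, each with its subkeys.

    Only the records needed here are handled: pub/sec and sub/ssb carry the
    capabilities, and the fpr record that follows each carries its fingerprint.
    """
    keys = []
    current = None  # Key object waiting for its fpr record
    for line in text.splitlines():
        fields = line.split(":")
        kind = fields[0]
        if kind in ("pub", "sec"):
            current = Key(fingerprint="", capabilities=fields[11])
            keys.append(current)
        elif kind in ("sub", "ssb"):
            if not keys:
                raise ValueError("subkey record before any primary key record")
            current = Key(fingerprint="", capabilities=fields[11])
            keys[-1].subkeys.append(current)
        elif kind == "fpr" and current is not None:
            current.fingerprint = fields[9].upper()
            current = None
    return keys


def signing_keys(keys, primary_fpr):
    """Fingerprints allowed to sign on behalf of `primary_fpr`: the primary
    itself if it is signing-capable, plus every subkey flagged 's'."""
    for key in keys:
        if key.fingerprint != primary_fpr.upper():
            continue
        allowed = set()
        own_caps = [c for c in key.capabilities if c.islower()]
        if "s" in own_caps:
            allowed.add(key.fingerprint)
        for sub in key.subkeys:
            if "s" in sub.capabilities:  # subkey records carry only own capabilities
                allowed.add(sub.fingerprint)
        return allowed
    return set()  # expected primary is not in the listing at all


def signer_is_published(listing, expected_primary, signer_fpr):
    """True if `signer_fpr` (the key gpg reports after 'using RSA key') may
    sign for `expected_primary` according to `listing`."""
    keys = parse_colon_listing(listing)
    return signer_fpr.upper() in signing_keys(keys, expected_primary)


if __name__ == "__main__":
    for name, listing in (("published", PUBLISHED_KEY), ("CI", CI_KEY)):
        ok = signer_is_published(listing, PRIMARY_FPR, SIGN_SUBKEY_FPR)
        print(f"{name} key: signer {SIGN_SUBKEY_FPR} "
              f"{'is a published signing key' if ok else 'NOT in published key'}")
```

Run against the published listing the check fails for `33529CF9...`, which is the situation this issue describes; against the CI listing it passes. Feeding it the real listing of the keybase.io key before tagging a release would have flagged option (1) as outstanding, and it also rejects the encryption-only subkey, since that one is never a valid signer.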

closing since we're no longer signing releases