signing key issues #190

Open
Kara-Zor-El opened this issue Jul 4, 2024 · 4 comments
Comments

Kara-Zor-El (Member) commented Jul 4, 2024

Hey @IzzySoft, I wasn't sure the best way to contact you. Currently my Mac isn't turning on and I don't think I saved a copy of the private keys anywhere else. There is a chance I may have to change the signing key once more. If there's anything I can do to prove my identity or anything, let me know, so sorry 🥲.

Kara

Kara-Zor-El changed the title from "macOS issues" to "signing key issues" on Jul 7, 2024

IzzySoft (Contributor) commented Jul 8, 2024

I wasn't sure the best way to contact you.

Totally fine this way, thanks!

There is a chance I may have to change the signing key once more

Details are outlined in How to keep your key safe and what measures to take for the event of loss? Quick check:

  • your "old" keys are not available for verification (Todo: make backups at a safe place, e.g. an encrypted USB stick)
  • your commits are not signed (Todo: start that, once set up it's quite easy to deal with 😉)
  • There's no alternative way of contact recorded, so we cannot verify "off the record"
  • There's no "trusted person" named that can vouch for you

That makes verification pretty hard. Apart from which, everyone using your app will have to uninstall and reinstall whenever the key changes…

I'm out of ideas how we can perform the verification – but maybe reading the linked article gives you an idea?

Kara-Zor-El (Member, Author) commented

Hi,

I can use my original key (I still have that on my previous computer). I can start signing commits now. In order to contact me, please refer to here: Contact Me. Additionally, there are a few people who can vouch for me. jmshrv, sevenrats, and jdk-21 are part of the Tentacle API used here, who all have alternative ways of contacting me as well (not @'ing them, that way not to disturb me). Additionally, Chaphasilor, who works on Finamp, has committed to this repo.

Thanks, Kara

IzzySoft (Contributor) commented

Apologies for the delay, Kara – I didn't forget you, just was drowning in other tasks (actually, still am).

Well, verifying this now seems to be a tricky thing. Yes, definitely start signing commits now, it's never "too early" for that. For the other details, let me play the "devil's advocate" for a moment:

Assuming someone managed to take over your Github account:

  • they'd have changed that "contact me" accordingly. Check: not likely here luckily; the latest properly signed APK dates 2024-02-19, the last change to the Readme was 5 days earlier. Good, let's see how we can use that.
  • I cannot check how your Github account is set up. It could use the same email address you gave there, and that email might have been compromised to take over the repo. Check: not possible for me. Check2: the contact information also has Matrix, which is not related to Github and thus, as we saw the Readme was last updated before that signed APK, could be used.
  • As far as I could tell (not claiming this, just to make sure), mentioned people could be associates of the "imposter" – as apart from Chaphasilor none of them has contributed to the project in the past. And then just 2 commits at one point (you're still the major contributor here).

So you see, things can get tricky if one wants to make "absolutely sure" and have some proof to show. So it's good to take precautions as early as possible. But we'll get this sorted.

IzzySoft (Contributor) commented

OK, thanks Kara! We've successfully verified on a different channel now. Just go ahead then as discussed, and we'll switch to another key if needed.
