[META] Publish PGP key for signing releases

[paulcmal]

Description

I couldn't find the PGP key 8C4033A23895237CB27D52D9D9B5613BEB813F99 that signs the releases. I've tried many different keyservers. I've even tried importing the keys you use in the tests on this repo, but they're not the one :)

After giteabot compromission, someone already suggested that you publish your key. They were given an answer that it would take place before 1.5.0.

I just thought opening an issue might help remembering about it :)

Thanks for maintaining Gitea <3

[techknowlogick]

@paulcmal Thank you for opening this. I've just uploaded the public key to a well known key server: http://pool.sks-keyservers.net/pks/lookup?op=get&hash=on&fingerprint=on&search=0x2D9AE806EC1592E2 (or if you prefer the MIT key server https://pgp.mit.edu/pks/lookup?search=0x2d9ae806ec1592e2&op=index ).

[paulcmal]

I've just uploaded the public key

Sorry but i'm a bit confused. Is this a different key than the ones that were used for 1.4.3 and 1.5.0-rc1?

[lafriks]

It's the same key. Seems to be working just fine for me:

$ gpg --keyserver pgp.mit.edu --recv 0x2D9AE806EC1592E2
gpg: key 2D9AE806EC1592E2: 1 signature not checked due to a missing key
gpg: key 2D9AE806EC1592E2: public key "Teabot <teabot@gitea.io>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --verify gitea-1.5.0-rc1-linux-amd64.asc gitea-1.5.0-rc1-linux-amd64
gpg: Signature made trešdiena, 2018. gada  4. jūlijs, plkst. 00 un
gpg:                using RSA key CC64B1DB67ABBEECAB24B6455FC346329753F4B0
gpg: Good signature from "Teabot <teabot@gitea.io>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7C9E 6815 2594 6888 62D6  2AF6 2D9A E806 EC15 92E2
     Subkey fingerprint: CC64 B1DB 67AB BEEC AB24  B645 5FC3 4632 9753 F4B0

[4oo4]

@lafriks This is only applicable to the binaries and not the actual git tags. I know you mentioned that the release tag signature depends on who the merger is, and "Github magic" (so more complex than the way the binaries are signed/verified), would it still be worth looking into being able to verify the git tags for those of us that build from source?

The binaries are obviously priority, but this would still be really nice to have for the source. I know that I'm able to do that with Bitcoin Core git tags, but it looks like they have only one person that signs the releases. Perhaps if there were a list of the user's keys that would be making releases, we could verify off of that?

By poking around the Github API, it looks like it's creating subkeys that are tied to something (either the Github account or the user's uploaded GPG key), but I can't figure out how to get a valid GPG key from it to verify what Github shows. I'm hoping that someone who is more familiar with Github (especially the API) can clarify what happens with signatures when doing a Squash and Merge and how to grab the right key.

Here's my attempts to try that:
For the most recent tag v1.5.0-rc1, we can see that according to Github the release was verified with key AECE216D007B1CCC, associated with @lafriks. When I try to retrieve that key (curl https://api.github.com/users/lafriks/gpg_keys), I get a base64 blob that is associated with that ID (in addition to key ID DFDE60A0093EB926 which appears to be one that was actually uploaded):

[
  {
    "id": 218891,
    "primary_key_id": null,
    "key_id": "002E9FFD10C56403",
    "raw_key": null,
    "public_key": "xsFNBFmv4asBEACtYpKTi3WeKvZL4vNhpGJ/66+GIW6S+n+Hct3XNH+25Gy0b91r4rH7eEkgERwn9cvYsLKop67N9nTTCUz4CM6RAWIYXEp9+/cU/h2hMs7rt3BmqGJA+8GHBmPsXDOJqBFiF0xOejgoQNw3FeS8WZ4VfJgX8z/dFwyeGHfPXk4TL+DN0li9T7gG96CEAQqu7AeXNVoO+Gw+sSC7pn4+lviXH9lsqO6pTPHIJs2N3MxuXhW2Tn3UldYhsTwWbv8cxPjPzRWgIVEAptNQmX7e0AW1qyCT8uuM7k8j1hb1o71q07tVgeE/xUGTByq0ngzDqwllr+oJ0gL+bZu9wr3aUf+VYn2VQS5CpaK3+Lc7A0qcsovWaKHQljqr5/T2vlLVuUQ5ZlIaimv0N5+j4NJixKtF2vGbdx6VjMvw28Eu88Cxn6j0SM999v6QfUNnYuThhQAnSVSQQX6n0MJQWrSfeB2JxElxCTZUv1H0j2vwdqaC8UrAQo5q/QvPXIWNbiylmrgHfndpwy4DLwOV1+v9wsKq7Xlit8bfrh3PnNT5VYXcriUgmPkX7AgalUWW7eU996VyTRT6kARsea//4lPxyVbmKsbhbATPh9dqSScOoeo4tReJ6Xfkc9/IRqhXMAWPWCyeR769HRK5SNqBvFt2SP6n+UAZjftqMpV5JY1ewSqA0wARAQAB",
    "emails": [
      {
        "email": "lauris@nix.lv",
        "verified": true
      }
    ],
    "subkeys": [
      {
        "id": 218892,
        "primary_key_id": 218891,
        "key_id": "6E25973C4BACF28D",
        "raw_key": null,
        "public_key": "zsFNBFmv4asBEADRfJDkCFCey4pCM7OD5C+6Gp9racCyC2MwPr7/YJ5DtB5pEHCOU8UB9S2vMEYExj1isUGKQ5G1sZFumXJa0ZxOdpxHwhAcv4K5hA8dRG4ox5HQpfdweDrsRUBKSp6yZCWiqBDc7213sRkH91tzgPjEQs+XWp6GnudAwH/kVwMtbnIoP8EyxP++sYeMysPyEDDXE6rHUVVqgh8zSdkrQ4W56FxrJe68usihZwAztPMz5D0eGFpOMftFcrAFSY4tXfwKKH8oZUe1yo2L1EMOQftZdoz1aS4JCjFKKxxT1TWoQ1CxLYKLGbQicSxEl1PaMfIrQBC6TVV8i8p43A2Cva/IiIfHwdkMd97bauWyFng14HYnXx8jJpmdPDps6pHrNEjAcC8gkBkN8BizjnfbLGbNyYfREVrz0UzehhjBPFxgdba2dpjsDAkQPqMu/gX+A8vUWSaRe9TKajDtoMNzPFn6xfxwY1U9eyhEU8xmUAU1B2s1JkEyO+0g4n+UxtZ0qwJtp6jWlHmZNzocQO82SzODaytvzs3keeEiw/CYwr6D9Nov1SZ65FO39Z6PngQpXeZKufiy8iDKDRDckPp41pT+cHt+yFPHrA7BEw3wWJQwJOmPWB9WOSvZ4t62CTQDhCEDq++uWfohJmbigmNw8+em34K94e/TjOQd5a023I7bhQARAQAB",
        "emails": [

        ],
        "subkeys": [

        ],
        "can_sign": false,
        "can_encrypt_comms": true,
        "can_encrypt_storage": true,
        "can_certify": false,
        "created_at": "2017-09-06T11:54:43.000Z",
        "expires_at": null
      }
    ],
    "can_sign": true,
    "can_encrypt_comms": false,
    "can_encrypt_storage": false,
    "can_certify": true,
    "created_at": "2017-09-06T11:54:43.000Z",
    "expires_at": null
  },
  {
    "id": 176869,
    "primary_key_id": null,
    "key_id": "AECE216D007B1CCC",
    "raw_key": null,
    "public_key": "xsFNBFkIzMIBEADUCYRw3yXiCkzxYXWKh1xsYTU04w77VKs7psquG+LYSjl5juuavJzHKniaMMTCyMWpvslmC2ke+udY6nCAcm7lW+vaNo2eABjC9GTPjeuYkV/RpJy9V8ituo0o4NXdD+ekQaTqgSdutRMoUF+60obD83QNJxz0vOrHatESZlcFjKYDo3MVbT+Cy/9lgf2Osc7gx825vvuN75IvsUVb1BXdm3D7SGW3jTy62KCJzvOXX33UdxKN/zehRFM0qk36Iwr8Dmp8HaAhNXJ3MgzzN20kdA6MFhW8MsZmYVJVih/svA9BL+4EDE5u4bxsC3dSDbJpksWi1OTebvdl0P8gIEirpLsbfftvu89m7sm3JIWW3jj69SQjbAScNOlSm1hSxWSV6m0pSLZhG1cxcXR9AtW9SMOkgDc2/9mwocYmvqLD7GBOK/iV4Q0SchnNZZEHxXjxoHIfmsTingYqdU0GjDdsJcPKsLa2Sw+0jBQ/IfbaUH8gbUtiCkukSqR6rUGwkER8k8Ncamn1i3TlVNd7T2qF4i/dmaoAbCw3TNp5Uvp5pHITydHi352B9ntfQ4QXK62FP3XgMV1txVxEXt5rDhj8u/H5t34UK2v4xhI6VtCQQ1ewoTDrvpRX5nvlSfbRWsO3zV8Dc9s+lBOpe+ZBBT50xO+NHlk5fOz/JNYS4H7muQARAQAB",
    "emails": [
      {
        "email": "lauris@nix.lv",
        "verified": true
      }
    ],
    "subkeys": [
      {
        "id": 176870,
        "primary_key_id": 176869,
        "key_id": "103A91F0FF9869DA",
        "raw_key": null,
        "public_key": "zsFNBFkIzMIBEACyZuaertUVhqEnM+J1IW3iplTNIk8oZ4W4p34a9EIkjPK4E5U4Fqy6qQJA0xfGQQJKdxL/NNLcZT//2KKKf7tynMLGHQQzmfqUEmNuXxhaqfl5xs6qoXhRntq/0zmAPLUQ17kYqSFeICaBRf9B/EK76qx+oWK/cXPkhASK3xhYx0YpxZHpiEu5RcsuKEbjU2hFNWP3hGqqSVG9WBIvF+Sr+qzyqTpBMjcB5uq2jnxuOjHae64LmjpcxsmyrRM7qfxOKHZwA2yDNuCqBVIwUpraINREUUmZcKGMgiRaWEzEZ5nQYqa8sVIzwu2Dfw6rmUGX+HO4/KQ7RYE8h/5ASCA9WcsaIjeYhCLIENKyQ3mn3irsL/tA82/Ns5mJQmQkTu1QM0njAPcb2iMlCoTme6+GvUGji6pnxUDi/UTqqLGfmitq1kV11nfZoE3ETs5Ae5yv9Drw3Ag5LjqVIUKGo5f0ewSSk/UWG8MDdiN5RcZQDQHT+Prfe0iQm0+cieLc3X6HMQv2ygCIT8MCD0YSljftUjnal8gdGkGMMvYWmldkVgCAJwSfyb1mVjCG4EWJ8wNq3I+lVxX8dJ4iqlBJy07ZUT97T5RFMekWNkVW25iSvtugTXLwKAnEVBIdk2+GhyRL+FweKcgBxGHCzs3DY1UnQ07xO2GGjqJdPgQeIuYhEwARAQAB",
        "emails": [

        ],
        "subkeys": [

        ],
        "can_sign": false,
        "can_encrypt_comms": true,
        "can_encrypt_storage": true,
        "can_certify": false,
        "created_at": "2017-05-02T19:33:15.000Z",
        "expires_at": null
      }
    ],
    "can_sign": true,
    "can_encrypt_comms": false,
    "can_encrypt_storage": false,
    "can_certify": true,
    "created_at": "2017-05-02T19:33:15.000Z",
    "expires_at": null
  },
  {
    "id": 389730,
    "primary_key_id": null,
    "key_id": "DFDE60A0093EB926",
    "raw_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\r\n\r\nmQINBFs/sX8BEADFRdCf86KpGFpH65AijPqy368VLL4tmCBSiQBDzOGMSPxfZhVG\r\nkWKVMV1a0yGGxr6gugO3lnsuhvVTgjeVisVd/O29zzwtF/XCECkZ7qNqcrbqzwJG\r\nl6jcNTq0jkKd3gvPljAm5QJhx5zhSM6oVtvwjVW+sGQ9M0Wg5rd8YaeoO0Nu/ScQ\r\nNjVgP07WikwgUEDtSnAbBn1WfYXEnC799n0jWAwxg1VrNJjiBqjfYIoQJzUl1wZG\r\na8CaZCAg9QOuAiYFKj+rvzffJzl46uk1QLH2xD+5LKsH2HJ/7NJaGVYP8Kk9g8Ed\r\nD34ClLkI2WmsTMeQJ9AWu0dHjgyKh8J1P5L7CUqCnCmtocUm3TI8Fn9SZ8o+f9SU\r\neASt7EGXRsxj4rR6Pp5akKBssnXSM0OzKbZ5jWhjtm3ow8Zfu9O2aFDs9R7Mn6Ec\r\nfKCTozfHtweQhl/qrkxgOHuns6ncEfoucPq0mbE58EsCf4v8GhKns7/oGWnIKlt8\r\nTGroiej/Xev8JEdvXyxYhx7yPmwk5ivUIC/3bMK+oESlvZCamRhg4H+A0mWrqkPD\r\neqBiuK7PvuGWY1+cZ1uL2wV81ymOfmjNq87GHvOfT4QhY9AIOl2B5iNkPutnzGGK\r\ndXoAhX8sCvkSKt9La5xR5GDbAiZaz0fznyz0osn+v6l7J44pKRvce+7XmwARAQAB\r\ntClMYXVyaXMgQnVrxaFpcy1IYWJlcmtvcm5zIDxsYXVyaXNAbml4Lmx2PokCTgQT\r\nAQoAOBYhBNj5Zy13wLtgoCTCPt/eYKAJPrkmBQJbP7F/AhsDBQsJCAcDBRUKCQgL\r\nBRYCAwEAAh4BAheAAAoJEN/eYKAJPrkmVY0P/RE4jPWzj1UE2jklLfqdwSPCBNgk\r\nG4C7MrmZqrDvhrGOHFmTnP6FH0++vnTCXILg8n8t1+5ZfDpf2qNTSuEZUyTFpOD6\r\nNzI4rjY2+fm5u1QYg+I/5S4y1YBnEk1AEhWpwPu0u3LnQD2GmL1S29MW8z+nJ8Wk\r\n44koM8hD3HhFZHdOV+7PxjsXj+kgn0uzaBegMV/VGRlUubf9QI6oXLY9qggBfovk\r\nzXDEPYyEDbonwLGe3AV/Tj8Esb/w5VZNQQmwh02NXi1QcnlssJGlx2i83Rt63UKN\r\nDQ4qB97KxfZUCmWoqIrHq6bJBQzVasW7kOnBxcQmFfCyfJM4QiewGkPMJt3+2xLy\r\nVBHjYK+PjllRrF0eaESkIOKiIZ6l49flau8pBPUIqKvF0I9TLPGsaDC0j71sX2M3\r\n7GBZeScUhlplvrUgox8airfvhu+J/EWSEPcMQ05rTUcIit4EI+2x3AlAQOg4gmXs\r\n8XHtL8eb/zVS2Ygv8EU5ijCxdnAKkFP/tUgn7LOE6KiAvXkD697sj9VhWpkn96RT\r\nmPSSYPQGvPGoA9GhBayBwpH27HU1OsDXGuAxtaYYVmihQ9fJW6decbI3gv53pHNM\r\nEt2nHJdQfiixWKb6kwv8DDhxWz+l2FxWJwnu8J1sTYV1lCLGsKrEpoDbqUuLDvcw\r\nC68OlO+YiQtt/Zo/uQINBFs/sX8BEADCJ7F16Nqlku7KEwpA0Hhvyd3PZBn0NrkT\r\nthTWkFfvW7Cpl5eDXGQU2HvfphPI2QUgr2EU6QwHrSeFgox14wMp1Js8X+Zts7V1\r\nnGZGjcHOEstrdeltNfAsPwPs4QWzoe9vC2aVMUNnnXQcAaew7ZDzmwP8Nvx0wcK9\r\n7hMZ/TUr7/WxA1ZN0Nx8npMQjr+LIZgi8Im8xEVihAX/0VdLXRW/nqXeNmye0ZT/\r\n8sQYYzFlyNB2/6ruWAdaRG+aDq3GWdw0LxH0mnZ4AF13su4vdWXBDASXCwwe8m0R\r\ndogdWp9zPEmH35TuVUI2O5pg/XJHDCId/KIno74RUjqTDGbrCiYrAUrmxwSRsTup\r\nl+kIMLRxXJ6/iCm5ejY9NyefmqSdgUjy9nxBFry1s+CMIh77bb0oHsJBXriT48ey\r\n4J3KqnShV6k1YeXqO1InoxPHN5JKLmvyPuXU91daADEI0h2v8HMIxgVAeMtmw0HW\r\nvEqeCxlJZFaKjC+vOZDhrBk6B5Sru7y0HxzSwzCm5YGIQf1ITuCOMwKLlnJEebAL\r\nutHB7wQ+VanXWaWh3GLRnc1zRga/6hjuEum8eI9ul3+UxRof2wxFyzk1ZILZiR54\r\n6+LdRVDL4HW+L3+eSRoH08YvSfQaX53M0KHnBgblxZTaNomdGmhPubfwWjiudN7Q\r\n080GumkkcwARAQABiQI2BBgBCgAgFiEE2PlnLXfAu2CgJMI+395goAk+uSYFAls/\r\nsX8CGwwACgkQ395goAk+uSbR+Q/8C301DLy2uzCdwhSxQ6BijnKplwCx81iwPMGn\r\n0pYHHu9WT2zfeRzSCTL916ghvEYUuPwqGPC4puPj8ChVHpJ7o/axDl6xK9MgzKtg\r\nlSr+3Az4eS6HLrpub7GlsL4bRu7pr17whFUnIpKzOSwA3nDDu3AuCibTb0rhlcFf\r\nqDixE98oIJDbN4AkketAl2uWkQVb0nwRTIqeA44NCjDj2/btVE/hAKm++Sj9Lky6\r\nqGM8ilblGIR8gAYbf5AffJ3muAK1Ex/zQY4dBjB247EPSl7dL9r3Y0Uh+SxWgZV5\r\nRkXhZlO8U+SxCN2oOiEDpC2rpxAkEJVxD1OH8Vm20hkBjbVaSdPK6z6NJPqV3iZn\r\n5p2+umm6+OBDDr49VkdkbK3jS+tq2VCnehrOcR8S6kqnzdZIB5JNTlW3j5PKRJjA\r\n9g8TvFr/7zv++atLxq0o+XynXj2IeeqOOrrWt3l9myFBhi7QF2/Z0GwwZutZNWgk\r\nrNCHtcM20nGaJh7LK5Dmk84XW0pXQHqNRhsz9tcLdx97wsj56ffIxuJyFYwxvCEp\r\nfK1GH47G79a+rADm0b4jmNCwcl6JPW18lp8SKGjSXkr44YxKo4JgJTYzAD4dlIe1\r\nXCc73exgkYyQ/d2s9R4jcn9gpd+wvTJGkO21x1ACYS/GX+bcLBCMGxSHwU7Xkg26\r\nIeEXflu5Ag0EWz+3AAEQALcHqoeqxe8uLktgcWjQxHsvOaxFt2nfBjPRIIoM5pn/\r\nO1enEQNhTU5BlwnkTdt+KY+vZItrXFdGOekMg6zJzeQrfkCxebRiEcDslvRUBeS0\r\nfFDCbnKnycM2EgGn8zSyIa6aCBJ0cxbwl7cDgucl0+68td8zhNmCuaeVVaRK07Qa\r\nQs3s4EgiMYMRtfmQU2Q1VW9kb1rcF2H6dRtzHmhlKlkJllRUxYVMs93qFF+EP409\r\nWgg7gua8NEkhvNkd2Ps6a4Cn+SirXuqYAbGT5LyWlN+DtFVo4U2sDVfUT3F++vAE\r\nzHo3HbRtF7GmbMermgodJDfUm7F1BDnbBfGoPlWHKwWtdJgv9ApTJi7H92EyfUTJ\r\n7QkmxKtCNNX+gVAhT0g/rkN/BaAqBChtyjQdp4R0OytELZRrLUj5srhHOpyR1ljG\r\nfU81Un3wGqhjo8jfC6/ZIj0eeaiJPkza6XTX0nO3RciHKTtABVSwfF+2WXZy0iky\r\nPbbe1NVzBLn6RBNyZ/rpYxaDWnuXnv1ngwRFqsl81JYTztYug3GjIDOfLaTG9DcQ\r\nyWpdxogkivlQK4FHTToIoWRvjRDZZfsDd8N+iDQ+K9C8CNffm8X46m78idO1OyZt\r\nt9TWtGrnjpSQql97rLcKUbBqiiS2w3QZMmdCT2/g7rtTUvNUMTYuhFsk7Ntk+OS9\r\nABEBAAGJBHIEGAEKACYWIQTY+Wctd8C7YKAkwj7f3mCgCT65JgUCWz+3AAIbAgUJ\r\nAeEzgAJACRDf3mCgCT65JsF0IAQZAQoAHRYhBB5Hg0u1qPH3nMXqW2mL2ZGxSeqV\r\nBQJbP7cAAAoJEGmL2ZGxSeqVdPwP/25MY9rBbN6hUvVbTktmaVmLxnP1I3LEsAUP\r\nLnHNGCT9rB/OiQRK6lZ+9rEEHoCjvaNKwOe079KbE0EroSn1uamvO1R+4RFdZZ3g\r\n8994GaI6PgKHUIsiUuPTQyT3bQMhlPsPsjGLkkM37JslYMT3QefJVC7hudbXRBuT\r\nmLbV4oICLY/GVKQDv3jjqQ3uTtcEC1hOoFgVBz7R/mZKMdqTYrIts9HVqOp/n1UL\r\ndB6YXYE0xklT0bfE6RHtcqffbB+oShQmgjUngW9CZRm2+yOh+fWzbTOynHrCj2c6\r\nxSOHCRigdkjItO4LenWJtvThW8p25P2w6TAQJFzk1G/pzJDrdrDk+QbEa325dXdg\r\nx8gCbzB1COXgZkIKgDUIi3SwMBZfwY+Nc9E3oWuPTqcj/YboD3UMLiERz4pXSIC9\r\nT40O22hr5EEPfiphL0221OZ3GOOYBf5CflpWQwMtXEFRzkQov8Uy6P/D0L8yFCK5\r\nDn20g88z8GFugN+Cy2F+CJ1Gs3GUh/foRUMpvIc58ZVLSeFJs6F+iCYtql9iqulV\r\nWYXYahcFBK2Fm++M2tnV8BOxJaLUrsv0mfw8Xd3NJcbDexDJnZWZysJfFPhbxsrV\r\nnWaYev84oIbvogZ/fYGWMR7ZMA7KZXnGFSUngEEelm10V1vDBBSA+WlarQcMNEGD\r\nOFT5CjKHFGkQALvYNSswR76zX9SVkYcnYQJwSce5M9Le5UnDnJqozlofaxwVTfME\r\n8MjZsRVjuW2MVIGTsmfBd+HK+0gmcwBWurvNcB6yLCqXDNV3qAREykdwKNGqY9hF\r\nsjSg+TXCyQkvT5PZKsX2NLeBWSfG0j0Lek0HrhRZbXjrwo6BZU69gmoornQIQxjt\r\ndyzn8sGG5EQq+myHZ2lpQcLqsZd7EwvDbCURrY3Xdpw/LT4fMtGgl+IR2yvPkBLV\r\neiVxIj3PyDZhluqkFFqV4oZ0WsujTzwTrBX8+TqeS3GSVwaZicziUgha8zIsDWLq\r\noGHDAdMICaeGri1I/AHOhBxDQNQMgkQ+YB+PArBQCwbWQw769hmYaSSNGX8iqSVz\r\n9vHDhsqJZuFc94iJ8xwIHgTVOr8PaAfryzlrGQ6y4BZDLqH3OemcTwUMWsoqDhir\r\nV7Z/LnByLAtLURqNhVeY63RmAj8lba5+BUXeY5yWKx4t60C7+P5M1rjMC2ebkaQT\r\nb/N971BZrJlqvNmBEZTVjwDnx4BbCkdKDUsxsJvcrDe7WyguVkkNvNChEqcKdilj\r\nEpFnkFSUrOpEKoNxb7xlJivFanT46paxebfRSMKljG/H2a2KI4bw8TZJY/kOZNWf\r\nVa8v1ZDytzI+w+6D0U4j62Cj5KuUjQ6RiJj9WagMhr/jC/2dffz03ysA\r\n=UqMk\r\n-----END PGP PUBLIC KEY BLOCK-----",
    "public_key": "xsFNBFs/sX8BEADFRdCf86KpGFpH65AijPqy368VLL4tmCBSiQBDzOGMSPxfZhVGkWKVMV1a0yGGxr6gugO3lnsuhvVTgjeVisVd/O29zzwtF/XCECkZ7qNqcrbqzwJGl6jcNTq0jkKd3gvPljAm5QJhx5zhSM6oVtvwjVW+sGQ9M0Wg5rd8YaeoO0Nu/ScQNjVgP07WikwgUEDtSnAbBn1WfYXEnC799n0jWAwxg1VrNJjiBqjfYIoQJzUl1wZGa8CaZCAg9QOuAiYFKj+rvzffJzl46uk1QLH2xD+5LKsH2HJ/7NJaGVYP8Kk9g8EdD34ClLkI2WmsTMeQJ9AWu0dHjgyKh8J1P5L7CUqCnCmtocUm3TI8Fn9SZ8o+f9SUeASt7EGXRsxj4rR6Pp5akKBssnXSM0OzKbZ5jWhjtm3ow8Zfu9O2aFDs9R7Mn6EcfKCTozfHtweQhl/qrkxgOHuns6ncEfoucPq0mbE58EsCf4v8GhKns7/oGWnIKlt8TGroiej/Xev8JEdvXyxYhx7yPmwk5ivUIC/3bMK+oESlvZCamRhg4H+A0mWrqkPDeqBiuK7PvuGWY1+cZ1uL2wV81ymOfmjNq87GHvOfT4QhY9AIOl2B5iNkPutnzGGKdXoAhX8sCvkSKt9La5xR5GDbAiZaz0fznyz0osn+v6l7J44pKRvce+7XmwARAQAB",
    "emails": [
      {
        "email": "lauris@nix.lv",
        "verified": true
      }
    ],
    "subkeys": [
      {
        "id": 389731,
        "primary_key_id": 389730,
        "key_id": "ECF9122A9ECF3A2F",
        "raw_key": null,
        "public_key": "zsFNBFs/sX8BEADCJ7F16Nqlku7KEwpA0Hhvyd3PZBn0NrkTthTWkFfvW7Cpl5eDXGQU2HvfphPI2QUgr2EU6QwHrSeFgox14wMp1Js8X+Zts7V1nGZGjcHOEstrdeltNfAsPwPs4QWzoe9vC2aVMUNnnXQcAaew7ZDzmwP8Nvx0wcK97hMZ/TUr7/WxA1ZN0Nx8npMQjr+LIZgi8Im8xEVihAX/0VdLXRW/nqXeNmye0ZT/8sQYYzFlyNB2/6ruWAdaRG+aDq3GWdw0LxH0mnZ4AF13su4vdWXBDASXCwwe8m0RdogdWp9zPEmH35TuVUI2O5pg/XJHDCId/KIno74RUjqTDGbrCiYrAUrmxwSRsTupl+kIMLRxXJ6/iCm5ejY9NyefmqSdgUjy9nxBFry1s+CMIh77bb0oHsJBXriT48ey4J3KqnShV6k1YeXqO1InoxPHN5JKLmvyPuXU91daADEI0h2v8HMIxgVAeMtmw0HWvEqeCxlJZFaKjC+vOZDhrBk6B5Sru7y0HxzSwzCm5YGIQf1ITuCOMwKLlnJEebALutHB7wQ+VanXWaWh3GLRnc1zRga/6hjuEum8eI9ul3+UxRof2wxFyzk1ZILZiR546+LdRVDL4HW+L3+eSRoH08YvSfQaX53M0KHnBgblxZTaNomdGmhPubfwWjiudN7Q080GumkkcwARAQAB",
        "emails": [

        ],
        "subkeys": [

        ],
        "can_sign": false,
        "can_encrypt_comms": true,
        "can_encrypt_storage": true,
        "can_certify": false,
        "created_at": "2018-07-06T20:34:39.000Z",
        "expires_at": null
      },
      {
        "id": 389732,
        "primary_key_id": 389730,
        "key_id": "698BD991B149EA95",
        "raw_key": null,
        "public_key": "zsFNBFs/twABEAC3B6qHqsXvLi5LYHFo0MR7LzmsRbdp3wYz0SCKDOaZ/ztXpxEDYU1OQZcJ5E3bfimPr2SLa1xXRjnpDIOsyc3kK35AsXm0YhHA7Jb0VAXktHxQwm5yp8nDNhIBp/M0siGumggSdHMW8Je3A4LnJdPuvLXfM4TZgrmnlVWkStO0GkLN7OBIIjGDEbX5kFNkNVVvZG9a3Bdh+nUbcx5oZSpZCZZUVMWFTLPd6hRfhD+NPVoIO4LmvDRJIbzZHdj7OmuAp/koq17qmAGxk+S8lpTfg7RVaOFNrA1X1E9xfvrwBMx6Nx20bRexpmzHq5oKHSQ31JuxdQQ52wXxqD5VhysFrXSYL/QKUyYux/dhMn1Eye0JJsSrQjTV/oFQIU9IP65DfwWgKgQobco0HaeEdDsrRC2Uay1I+bK4RzqckdZYxn1PNVJ98BqoY6PI3wuv2SI9HnmoiT5M2ul019Jzt0XIhyk7QAVUsHxftll2ctIpMj223tTVcwS5+kQTcmf66WMWg1p7l579Z4MERarJfNSWE87WLoNxoyAzny2kxvQ3EMlqXcaIJIr5UCuBR006CKFkb40Q2WX7A3fDfog0PivQvAjX35vF+Opu/InTtTsmbbfU1rRq546UkKpfe6y3ClGwaooktsN0GTJnQk9v4O67U1LzVDE2LoRbJOzbZPjkvQARAQAB",
        "emails": [

        ],
        "subkeys": [

        ],
        "can_sign": true,
        "can_encrypt_comms": false,
        "can_encrypt_storage": false,
        "can_certify": false,
        "created_at": "2018-07-06T20:34:39.000Z",
        "expires_at": null
      }
    ],
    "can_sign": true,
    "can_encrypt_comms": false,
    "can_encrypt_storage": false,
    "can_certify": true,
    "created_at": "2018-07-06T20:34:39.000Z",
    "expires_at": null
  }
]

I'm curious how the raw key format differs from the public key blob (perhaps the binary key, base64 encoded?). Does anyone know how you can take that blob and turn it into a valid GPG key?

If so, we could use that to verify commits for each maintainer. I'm probably overthinking it but thought verification would be simpler to do 😺

Cheers

EDIT: OK, that's definitely a base64-encoded version of the signing key. When I decode that to binary, I can import that into GPG but can't seem to do anything with it (nor with git verify-tag) The fingerprint does match though.

$ base64 -d pubkey.asc > binary.gpg

$ gpg --list-packets binary.gpg
# off=0 ctb=c6 tag=6 hlen=3 plen=525 new-ctb
:public key packet:
	version 4, algo 1, created 1493748930, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: AECE216D007B1CCC


$ gpg --import binary.gpg
gpg: key 007B1CCC: no user ID
gpg: Total number processed: 1

$ gpg --edit-key 007B1CCC
gpg: key "007B1CCC" not found: No public key

$ cd ~/gitea
$ git verify-tag v1.5.0-rc1

gpg: Signature made Tue 03 Jul 2018 03:47:43 PM CDT using RSA key ID 007B1CCC
gpg: Can't check signature: No public key

[techknowlogick]

@4oo4 you can also check out the URL from github here: https://github.com/lafriks.gpg that has an armored file of all lafriks public keys.

[4oo4]

@techknowlogick Ahh, that is so much easier, I wish Github had that better documented. Thanks!

So the reason it's not working for me I'm guessing is from the Github comment on that key:
The keys with the following IDs couldn't be exported and need to be reuploaded AECE216D007B1CCC, 002E9FFD10C56403

[Mikaela]

Request for reopening. I am unable to find the public key linked from https://docs.gitea.io/en-us/install-from-binary/ and SKS keyservers cannot be trusted anymore.

• https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

I think the best would be to have the public key somewhere in the repository itself or documentation.

[Mikaela]

I was able to find this:

pub   rsa4096/0x2D9AE806EC1592E2 2018-06-24 [SC] [expires: 2020-06-23]
      Key fingerprint = 7C9E 6815 2594 6888 62D6  2AF6 2D9A E806 EC15 92E2
uid                   [ unknown] Teabot <teabot@gitea.io>
sub   rsa4096/0x5FC346329753F4B0 2018-06-24 [S] [expires: 2020-06-26]
sub   rsa4096/0x1FBE01D7CBADB9A0 2018-06-24 [E] [expires: 2020-06-23]

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFsvDSkBEADtyFKGhQ/sh9KmVAzivJfMGbasytWkZNdIrwCoxSTEijl2QLyi
E8b5xEOK2+9b3OXF+Nbm+tdfVCaKfoDhXdglxvENSdXA0mKxt4RhKxXAkWHrLfeA
A4RbUj0ndfpJWpoRoEPZTP2a8UXOctUVQP+JzC+D028nawzpSVrXN7UYkszJ5j06
oR6+ZMjpEMbPRnOWRuaJONPvBuTHGDSsD3UPJlWyeUv7+GmcVJzjc8uq1HeX/5Ap
NTrESldIDPgcxfTWhscj1+s8gvW5SqcNQnWSIUtI+Bi2sW9ibj9XlkFJMU7QFV+S
1uF9D8lynZCSDIjnsqSuX3TMgr2CPk7+0eLNFAVrrTUbGwcoyge3d8osJD5PS3z6
COwDlzAXRJECScRo1ynxCxJTLVf6JoGQEFzVc5HSlM8Lx1zm/Al+AYdhdToCQNDF
vLLuHkMqh3OLG3yxS142BUHDrd0KaiY+sxoUQjVjo7PHpLZRJKGZCxSS6vPr9I+o
OTDO2h7rWdTtodmkSz9+NnUD1cGYWwL8j4Cpi4yozg+8Gbtywnm/q0TPMYhyiBbn
hU+sowfmo1RPn2aQnxSS55L7cMTNzP95cU4FQDNzYhget9X5UJJPWdSRcknykMcQ
oAo0IfswMDC7LWf8uObZo/0DQeGBVBx2y/+Ir9dt5MhcrmO/U+fCF+O2xwARAQAB
tBhUZWFib3QgPHRlYWJvdEBnaXRlYS5pbz6JAlQEEwEIAD4WIQR8nmgVJZRoiGLW
KvYtmugG7BWS4gUCWy8NKQIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIX
gAAKCRAtmugG7BWS4sOOD/9DKZIjnJJQ5k98hiT81aLWpy6c88MS0RQAgZXnDaOU
X2ZcJ+JZ1buGQH3Ch3QoEALR7TKhI8+VHujy7gwnSMUlZStVrHoAik/485d+k08N
N+Z5aNWoYK6lcd11OFi6uPy8DgEn2WUHFfQUesB/FhOnG8W7DQz4HiMoMFMAKEEe
eA9O2bcLW7ukF1OUVwYBoWQGqdEufW7hiE7WOAeoYYzEJHAZGnxQ3bJK4GYx/Rha
r0tanIYFhX58StENWU9alw4ECUdmQC3+F+bu81kjnD0TDQP9qwPjodo8jZ5MQJDK
cAOjk4smgNMaN5bqbNb8fwmBgkLqwaQB7SiE1WlceTxqB6STdUBASaxXXAvMYlXd
ualGDEm4wFUVyPRBUj8uSWQZbGHhZ0NEMFpyEAkQEHtAyPaGZJOwQLqbQnTEV6Ph
jvOXOsOpzG7ijompBOnY8l7LelZXtKQjk/NRfBvgxfHKw5d1ShOiD5quTdF19JUW
Ay+15DVGqjtIhAP4LX1gGLUlFoh8HJ81uQunxzEWvLBtEdQpbjzmm4QLNqUJ2hQM
Bg0chUWHH5iq6PduuyPHosnatc/MvLZdwVz2FrL2YGbixeWoYDY2AfV0UGVjF1W6
K2oosELAh3jMxv9lGrP4nT0HwNU1NAgx5/fy5LXJ0nDewR0BIuZZMZmnS385/Ljb
ZrkCDQRbLw2xARAA2jnRSZFdkcAwygf8BoyG9HurVqFb0t5SRZHEjFIl6wmdvlk1
3KszvyzRJ+8IEL3QQtdwTKZAMYT9HamclvwiiF92/12HwsTK1Ijn/ayAsWmHFhXv
qlEaKtm/39Mj6M4b6wPkl5vy/TYoxj3CDGl8gWQHo/RmYOcDl61Twswt4uonUm4f
O9V8x19mhxbap6CDsh6Eh64SxXRkyXaY1UPrd4V/TslyBsLz5L5sgIVVTvnNitSA
nGhy77CwUiv3DkvoK6lc7/JvH1zf50/v3uequhTABeMuhdD5Vz7Zq6GYOSkDh/gP
CfgBeL0W/vpWSVLyQC0dkC94yxN9R5SHKcae++IFFhSa3CNPiBLhZ/6dl3K1MV4r
J0CY++RbYNHdrmQFA95HpiSfqcOGBZU5YfV+ErlsVqZFqBMP7edZtgT9kKW8NPQd
Ldm4aClzBATnkI0wgAozq2FBacFosuNEUVCWap6vaJ1L0cJeIC7kzOmp3T/W/klE
CfxHenEIoH5XlsIugHMAtdnWzAZv8LnLfCo7FsuUZXD7PhNvavNJUdQ2EaKC/DSy
0++6Il1wKvt26RPaMM0JtEdCO3AMoXVtfqLp0Er4FBUpHV6OtaVhlnqOhHh6O/Al
mX8z90Okc/u+UBtwhgcXFyM3oA9JKEAIthFBi9871frBAbXS8Z9YJESLpQ0AEQEA
AYkEcgQYAQgAJgIbAhYhBHyeaBUllGiIYtYq9i2a6AbsFZLiBQJdFHlbBQkDxp8q
AkDBdCAEGQEIAB0WIQTMZLHbZ6u+7KsktkVfw0Yyl1P0sAUCWy8NsQAKCRBfw0Yy
l1P0sMVTD/9tr7HkTQie+SPOrL/6BJr1/cAhU5Xv58IkMsuBmPO6uqmMar5gvvbe
baafprB7MjK3b2pwTeaHvnSkeRDqMzpEWiy3sBN1S1wedXnEOmGYB8CTyDzgV3Dm
GHbnvCmQv9agtiEgaGqR1xaZCkUQmjhTIVnpATyx14kZgxcLYhKYybI1w7YrZPJc
GEt/ENUZQRNKac2/tu/GqiNnZ0ppCc0l7N9ZOoboqgzBXKGDbYJ97WO8XnGqrHK0
CDUVao2ji+xd6bi9aLXb0sNeRGeOKVqaHYg2NA/KdnPTQj8JnmSaZmpvFJJiLXiB
/zjNWouYPNNRQidGhjHYlHgNz/mCkRBHhOhiPwz2ui15GSl8dUecNMkJaon+9NAm
A2L7N0J5PA1ZB4ywrgc1ZSjxdRxTGGVrM0H+2R4ILA/gEYWRPLwEpOekX4Vlc2ME
ajSA+eGlBVF/Qb5B8+u4Aegwsz1Iy+yYxJ/qxSS2xwDVvI1utifUfF/AXgM5FvW1
+3KmpaMTpr/+KHtUIdkM/DT62J9j+aCTcyXwAFlli2FsbvZBHEoir/EqJdFjxhXX
nZmb85w2/eJTapQQ5lxAzeurRrhurl+Ai+cNSpJC++jAusIJ86mA7iZPyEic2G93
ivcyolhGJnkeUBlTJui6Spk48NcHlNl+H3kwNST+DIIlHK5RxG7n3AkQLZroBuwV
kuKpzRAAk2xrnJQpvCu6ReduXRVX1V27f8/CaaKVll9zYu0ZQry/tmBc6403z6DZ
8UtnzdKBsbmEqa8R/51Hf0P0jQH6Y5QoRg2KTuh6uGbI7aqsnbJU3EY3xLrpv2VM
OLgFkc3VvvpO302pt5sK+h2W74dvnY89pew8uKxYdoWulyl9/pF+dkJQoN94P+7K
u1Xrw+p00V2JfFWP0D3qR7Lch6wIPfEvl5cfKXznluH/XsbKEjOk9C85RUHAWVrR
mbd+I1HFgXL2EBPNsbB3eK0wTIsNBqaNPTwv3GpBiCl0Fbax4wUc6+K8uVp63d3F
j2DlZSPrYJOk5vGrhv+7yZeMTbDH7VBPHRkdoWO/cWQYZlRAULzJLVLq0aN2x0Fb
W/5gDJCEdHxIn93tSV5zN9twvfOtZA8yaGaVC6nP4tweEWk9I4kN6eP6cH573Mj5
3u/cvw19eEZeoHLU+6KsrwW7HTem3uhijnDtPQ/boQNHrDu6TbRGvlvunoEa4+jx
NDg5N020EBdqWFdzoLZxQi4kwrbcavxTP4zKaIjMX4hkgs9Aiwea/AfhBtQHuKAF
O2rYd8ULuSvrP5FAGB/Hjj1NulbVFKNDmRTFIg7iyuQUhod8j1y1wzhYiEraXyVP
T8fUZnXiCxLMyUjJC7+hDOTD3t9mtKBXa8fbJ6Ji55VMcUi1+Z65Ag0EWy8NKQEQ
ANgvR4yfdll+TkRX5lvgWYFnDj7/eeEwidfo8zO7/dbFzNw5FC2DM3T9VDX04eGy
/wjb0+v5I85oObQBJ0yDM1ir/+p0piBCyMBoYfMZyCiYZipX0GLHQykrnK6j4goP
qrlxAB6oUP+Hzb5MKJbsb7LYfGB670wC+9OnylTimTVZs2uBNm+E7HButG/YAbPG
xTGCrKPmjHfR28ijyflayhemXQ46WktGD1Tu4E0yZS7XZM6UQTgcU7nGNE7kTB8p
YAc/oRQaTQktN8AxD8AxlrlZ5ap5bNX8+eLr9Gm4CZjZIS7/6CujVerK2R5AJXzv
tZwLRVP8LVCKG680bLei+/uPhCuiHYvo2B4DLKbTU6ojltXj4Qn7pwhsLiiFAB+P
qeFj8T/puRibOzW7Ay9JQtWMUC1EPybeXKnLTEdNfrg3nIgKLrlZVO4VSoNCIV+M
/1KLYFLTyYEzmUI4L8XC2QAwLQhF81Jg10COjQEOHn1hqdrm99bVU00IcPtkbTxw
4FoeGD6qJkry3bxRfquTEPGCGTYcTDezEoRbukmgdzk6KW0vn/g6rYBUL9KbrdV5
4OV9W7yqPjEyKTKNUbRzzpc6mgIPGXOYpsblhiJQYRHVYJMH264nd7oA77fAAnyn
azw0Hp/e9Z57LNmG2ybjUCaB7+xmCBJAarK2M/J1PEbFABEBAAGJAjwEGAEIACYW
IQR8nmgVJZRoiGLWKvYtmugG7BWS4gUCWy8NKQIbDAUJA8JnAAAKCRAtmugG7BWS
4sKID/9CF5QnNyKsfJoB+CuNNW1GN8JRcd9z9fmwrCtZr0STuP3tgJY96euM4xvU
qbfuI+nLw0fa8yXOEOrrjMGyqzzMyaFiyFyXLEISQN+HMDMbsJHmvfeC0RUERtfA
lVwrjebjDQetHTqJjSf///ZXJ6yfdO1Boz0Jik4U198GK8mVBVJrFtM28KRyiPpq
oZEvCGEx3Gylk18yOtJntOR9H/u0xV34X7mXcrPbaf3D+uYgUPeHcWlI0H7mjl60
RdImesFXGSL40B0MG6vxXRHiH+j+32dvovNQPKPPOcJGxyep2AvQQDsY262FM9JU
IX0Kx2WMsSAAveJ8549ffIRfyLegO3XGv107jCAjdD7KW8LLaKJsBcy9AtdWrjDu
StmJo2yIWoUlg2Vd59//qu0pEUJLm5lZEVXa/bLspPIxedLstlwrasapczMOktb5
d/igt9OIUFUaEjaQUGKpyhHBm9zJD06cJs9MfvqEubuJzSsxkrOK2senPYw/RotV
0zfrtxefv6SKYmSDOy6xY0W2Gtrn3PhOkIdnT4L58e+5mQc1cWqbbbTnVpEc31HX
22kSzqWtWxbTcE3Y4SMOD9LvC7jhn6fNN9VBmSsFO5Mn70o4tqQrAueSJptVAvMw
se4OaBNJn9XzeIwxbLoovDuICSramSXhNM6enfBeDy66tnLnFg==
=haV9
-----END PGP PUBLIC KEY BLOCK-----