
Please publish the list of the official release PGP keys #721

Closed
vlsi opened this issue Sep 10, 2019 · 8 comments

vlsi commented Sep 10, 2019

The idea is that the project page should provide clear steps to verify whether a release is official.
I'm afraid I've no standard way of doing that; however, it would be nice if you could mention the official PGP key IDs in the Download section at https://bytebuddy.net

See also spring-projects/spring-framework#23434 (comment)

See also https://gitlab.ow2.org/asm/asm/issues/317884

Sample implementation for Apache JMeter: https://jmeter.apache.org/download_jmeter.cgi As you see, it refers to the KEYS file and links to the page with gpg commands to verify the signatures.

PS. I don't really expect that everybody would start verifying their downloads, however making the official key ID publicly available would help for automated verifications as well.

@raphw raphw self-assigned this Sep 14, 2019
@raphw raphw added this to the 1.10.0 milestone Sep 14, 2019
raphw (Owner) commented Sep 14, 2019

Absolutely, I will add a link.

raphw (Owner) commented Oct 24, 2019

Sorry for not following up. I'd add a reference to: https://keys.gnupg.net/pks/lookup?op=get&search=0xBB2914C1FA0811C3

Do you think a link like this in the readme and webpage suffices?

vlsi (Author) commented Oct 24, 2019

The link above produces a NET::ERR_CERT_AUTHORITY_INVALID error (the certificate is not signed by a trusted root CA).

raphw (Owner) commented Oct 24, 2019

I thought it was my VPN's fault, but GnuPG seems to use an invalid certificate. A bit lame to offer an HTTP reference. Is http://pgpkeys.mit.edu/ a good hosting server? Or do you think I should add the public certificate to GitHub?

vlsi (Author) commented Oct 24, 2019

Do you think you can serve a KEYS file from https://bytebuddy.net/?
That would be the least surprising.

A link from the project page to a file (raw contents rather than HTML frame) hosted by GitHub would also work.

On top of that, it would provide a transparent way to list multiple signing keys (e.g. if you want to rotate the keys and/or if you want to add a co-maintainer).
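An added example, not code from this issue or from the Byte Buddy project, of the automated verification vlsi describes above: import a KEYS file into a throwaway keyring, verify the detached signature, and accept the artifact only if the signing key (or its primary key) is on a pinned fingerprint allowlist, so a rotated or co-maintainer key is handled by extending the list. The KEYS path, artifact names and fingerprints are placeholders; it assumes `gpg` is installed.

```shell
#!/bin/sh
# Added example: verify a release artifact against a KEYS file plus a pinned
# allowlist of key fingerprints. A zero exit from `gpg --verify` alone only
# says "some key in the keyring made a good signature", so the fingerprint
# reported on gpg's VALIDSIG status line is checked explicitly.
set -eu

# check_validsig STATUS_TEXT ALLOWED_FPRS
#   STATUS_TEXT  : output of `gpg --status-fd 1 --verify ...`
#   ALLOWED_FPRS : whitespace-separated 40-hex-digit fingerprints
# Returns 0 only if a VALIDSIG line names an allowlisted key. Field 3 is the
# fingerprint of the (sub)key that signed; the last field is its primary key,
# so pinning the primary fingerprint keeps working when a signing subkey rotates.
check_validsig() {
    status="$1"
    allowed="$2"
    fprs=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; print $NF; exit }')
    [ -n "$fprs" ] || return 1
    for f in $fprs; do
        for a in $allowed; do
            [ "$a" = "$f" ] && return 0
        done
    done
    return 1
}

# verify_release KEYS_FILE ARTIFACT SIGNATURE ALLOWED_FPRS
# Uses a temporary GnuPG home so the user's own keyring cannot vouch for the
# signature; only keys listed in KEYS_FILE are trusted for this check.
verify_release() {
    keys_file="$1"; artifact="$2"; sig="$3"; allowed="$4"
    home=$(mktemp -d)
    gpg --homedir "$home" --batch --quiet --import "$keys_file"
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sig" "$artifact" 2>/dev/null || true)
    rm -rf "$home"
    check_validsig "$status" "$allowed"
}

# Placeholder usage (names and fingerprint are not the project's real values):
#   verify_release KEYS byte-buddy-X.Y.Z.jar byte-buddy-X.Y.Z.jar.asc \
#       "0000000000000000000000000000000000000000"
```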

wiktor-k commented Nov 6, 2019

Unfortunately SKS keyservers such as keys.gnupg.org and mit.edu have been having a bad time recently. I'd suggest https://keys.openpgp.org/ that's very fast and verifying (it'll check if you have access to your e-mail account). It doesn't serve unverified keys though.

Hosting it on https://bytebuddy.net/ is also a good idea as it's secure and one canonical place. (if you had an @bytebuddy.net e-mail address Web Key Directory would also be a good option.)

If I may add one more thing it would be good to rotate the key as DSA 1024 are "considered unsecure for a while now". (I'd recommend RSA 4096).

Have a nice evening! 👋

raphw (Owner) commented Nov 7, 2019

Thanks, I rotated my key and will sign all future releases with it:

https://keys.openpgp.org/search?q=B4AC8CDC141AF0AE468D16921DA784CCB5C46DD5

Starting then, I will also publish the key on the webpage and on GitHub.

raphw (Owner) commented Nov 8, 2019

I added links to the keys on both the webpage and on GitHub and signed the latest version with a stronger certificate.

@raphw raphw closed this as completed Nov 8, 2019