doc: Display current pgp key used for signing RNP #44

Merged 1 commit, Aug 13, 2021

ribose-jeffreylau
Contributor

Fixes #43

Related to rnpgp/rnp#1586

@ribose-jeffreylau ribose-jeffreylau added the enhancement (New feature or request) and ✍️ content (Posts & docs) labels Aug 13, 2021
@ribose-jeffreylau ribose-jeffreylau self-assigned this Aug 13, 2021
@ronaldtse
Contributor

Ping @ni4 @antonsviridenko for thoughts.

@ni4
Contributor

ni4 commented Aug 13, 2021

@ronaldtse approach looks good to me. We should also link from releases to this page (or the key file directly).

@ni4 ni4 left a comment

LGTM, thanks!

@ronaldtse ronaldtse merged commit 049ea28 into master Aug 13, 2021
@ronaldtse
Contributor

Thanks @ribose-jeffreylau @ni4 !

@ronaldtse ronaldtse deleted the ribose-jeffreylau-43-keys branch August 13, 2021 10:37
@antonsviridenko

Has anyone actually tried to verify these signatures using the provided key? :)

@antonsviridenko

```
$ wget https://www.rnpgp.org/openpgp_keys/BEDBA05C1E6EE2DFB4BA72E1EC5D520AD90A7262-A845A5BD622556E89D7763B5EB06D1696BEC4C90.asc
$ rnpkeys --import BEDBA05C1E6EE2DFB4BA72E1EC5D520AD90A7262-A845A5BD622556E89D7763B5EB06D1696BEC4C90.asc
[init_file_src() /var/tmp/portage/app-crypt/rnp-9999/work/rnp-9999/src/librepgp/stream-common.cpp:426] can't stat '/home/odsk/.rnp/pubring.gpg'
wrong pubring path

pub   255/EdDSA ec5d520ad90a7262 2021-07-07 [C] [EXPIRES 2071-06-25]
      bedba05c1e6ee2dfb4ba72e1ec5d520ad90a7262
uid           RNPGP Release Signing Key <rnpgp@ribose.com>
sub   255/EdDSA eb06d1696bec4c90 2021-07-09 [S] [EXPIRES 2022-07-09]
      a845a5bd622556e89d7763b5eb06d1696bec4c90

$ rnp --verify v0.15.2.zip.asc
[signed_src_finish() /var/tmp/portage/app-crypt/rnp-9999/work/rnp-9999/src/librepgp/stream-parse.cpp:1024] signer's key not found
NO PUBLIC KEY for signature made Mon Aug  9 13:52:08 2021
using EdDSA key a95b6eef632cb526
Signature verification failure: 0 invalid signature(s), 1 unknown signature(s)

$ rnp --verify v0.15.2.tar.gz.asc
[signed_src_finish() /var/tmp/portage/app-crypt/rnp-9999/work/rnp-9999/src/librepgp/stream-parse.cpp:1024] signer's key not found
NO PUBLIC KEY for signature made Mon Aug  9 13:52:08 2021
using EdDSA key a95b6eef632cb526
Signature verification failure: 0 invalid signature(s), 1 unknown signature(s)
```

@antonsviridenko

And who controls the secret part of this signing key and where is it stored?

@ni4
Contributor

ni4 commented Aug 14, 2021

@ribose-jeffreylau Looks like you used another subkey for signing, with fingerprint 17a7c9ba17852c422fec2072a95b6eef632cb526.

@ribose-jeffreylau
Contributor Author

I think we need more checks in place... maybe something like a cron job (on GHA) to check the validity of release signatures every day or so.

@antonsviridenko Yes, I tried and they Worked On My Machine (tm), just didn't realize I used a similar-looking but different key :p

The secret key is controlled by Ribose, which includes Ron and me.

@ni4 Thanks! That looks like it!

I've replaced all signatures now...
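
The mismatch found in this thread (signatures naming key ID a95b6eef632cb526 while the published key lists only eb06d1696bec4c90 as a signing subkey) is what a scheduled check like the one suggested in the comment above could catch. The following Python is an added example, not code from the thread or from the RNP project; the function names `published_keys`, `check_signer` and `release_ok` are hypothetical, and the patterns assume the `rnpkeys` and `rnp --verify` output layout exactly as pasted earlier in the thread.

```python
import re

# Constructed sample input: output lines copied from the terminal session in this thread.
KEY_LISTING = """\
pub   255/EdDSA ec5d520ad90a7262 2021-07-07 [C] [EXPIRES 2071-06-25]
      bedba05c1e6ee2dfb4ba72e1ec5d520ad90a7262
uid           RNPGP Release Signing Key <rnpgp@ribose.com>
sub   255/EdDSA eb06d1696bec4c90 2021-07-09 [S] [EXPIRES 2022-07-09]
      a845a5bd622556e89d7763b5eb06d1696bec4c90
"""
VERIFY_OUTPUT = """\
NO PUBLIC KEY for signature made Mon Aug  9 13:52:08 2021
using EdDSA key a95b6eef632cb526
Signature verification failure: 0 invalid signature(s), 1 unknown signature(s)
"""

# Assumption: these patterns follow the output layout shown in the thread.
KEY_RE = re.compile(r"^(pub|sub)\s+\S+\s+([0-9a-f]{16})\s+\S+\s+\[([A-Z]+)\]", re.M)
FPR_RE = re.compile(r"^\s+([0-9a-f]{40})\s*$", re.M)
SIGNER_RE = re.compile(r"^using \S+ key ([0-9a-f]{16})\s*$", re.M)

def published_keys(listing):
    """Map key ID -> (fingerprint, usage flags) for each key and subkey listed."""
    # For OpenPGP v4 keys the key ID is the low 64 bits of the fingerprint.
    fprs = {f[-16:]: f for f in FPR_RE.findall(listing)}
    return {kid: (fprs.get(kid), flags) for _, kid, flags in KEY_RE.findall(listing)}

def check_signer(listing, verify_output):
    """Return (ok, message) for every signer key ID named in the verify output."""
    keys = published_keys(listing)
    results = []
    for kid in SIGNER_RE.findall(verify_output):
        if kid not in keys:
            results.append((False, f"{kid}: not in the published key"))
        elif "S" not in keys[kid][1]:
            results.append((False, f"{kid}: published, but lacks the signing flag [{keys[kid][1]}]"))
        else:
            results.append((True, f"{kid}: published signing key {keys[kid][0]}"))
    return results

def release_ok(listing, verify_output):
    """A release passes only if a signer was named and every signer is a published signing key."""
    results = check_signer(listing, verify_output)
    return bool(results) and all(ok for ok, _ in results)
```

A key ID match only shows that the signature names a published signing subkey; the verifier's own result still decides whether the signature is valid.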

@ni4
Contributor

ni4 commented Aug 16, 2021

@ribose-jeffreylau Thanks, now things work as expected!

Successfully merging this pull request may close these issues: Publish RNP's public signing key