Verifying signed releases #1125
I uploaded my key:
FYI How to generate "ascii armor version":
I just grabbed the key id from my ~/.gitconfig file. @joshuagl and @martinezjavier can you please do the same. I also recommend securely archiving revocation certs. I have a few generated for different scenarios:
We also should rewrite our RELEASE.md to clarify this change. I still want to keep a public key as an object in the git repo.
@williamcroberts as @diabonas mentioned, I already uploaded my key to a public keyserver (pgp.mit.edu) a long time ago.
@martinezjavier sorry, senior moment.
I've uploaded my key: https://pgp.mit.edu/pks/lookup?op=vindex&search=0x49BCAE5443FFFC34
haha, no worries. I just mentioned to let you know that's already there.
Nice, thank you very much @martinezjavier @williamcroberts @joshuagl! The next version of the Arch Linux AUR package for tpm2-tools will have signature verification enabled.
Releases are currently signed by one of the three following PGP keys as described in RELEASE.md [1]:
I noticed that only the second of these keys seems to be available on a public keyserver. Would it be possible to add the other two keys to the OpenPGP keyserver pool as well?
This would make it much easier to verify a release automatically, e.g. in the build process of an Arch Linux User Repository (AUR) package, as users can import the keys directly using
gpg --receive-keys <fingerprint>
instead of having to clone the Git repository and manually import them from the tags. For the sister projects tpm2-tss and tpm2-abrmd, this is already the case, as documented in their RELEASE.md.
[1] This document is a bit outdated, as it only lists the william-roberts-pub tag, but the other two keys in javier-martinez-pub and joshua-lock-pub can be found easily by looking at the list of all tags.
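As an added example that is not part of this issue or of the tpm2-tools project: a POSIX shell check for the automated verification described above, which accepts a release only if gpg reports a valid signature from one of a pinned set of release-key fingerprints, rather than from any key that happens to be in the keyring. The fingerprints in ALLOWED_FPRS are constructed placeholders to be replaced with the ones from RELEASE.md; the status-line format is the one gpg emits for --status-fd.

```shell
#!/bin/sh
# Added example, not code from the tpm2-tools project. ALLOWED_FPRS holds
# constructed placeholder fingerprints; fill it from RELEASE.md.
ALLOWED_FPRS="0000000000000000000000000000000000000000 1111111111111111111111111111111111111111"

# check_validsig STATUS ALLOWED
#   STATUS:  gpg --status-fd output, one "[GNUPG:] ..." record per line
#   ALLOWED: space-separated fingerprints (40 hex chars, uppercase)
# Returns 0 if some VALIDSIG record names a pinned key, 1 otherwise.
# gpg emits VALIDSIG only for a cryptographically valid signature; its
# third field is the signing (sub)key fingerprint and its last field the
# primary key fingerprint, so either form may be pinned.
check_validsig() {
    while read -r prefix keyword fpr rest; do
        [ "$prefix" = "[GNUPG:]" ] && [ "$keyword" = "VALIDSIG" ] || continue
        primary=${rest##* }
        for allowed in $2; do
            if [ "$allowed" = "$fpr" ] || [ "$allowed" = "$primary" ]; then
                return 0
            fi
        done
    done <<EOF
$1
EOF
    return 1   # no VALIDSIG record from a pinned key (e.g. only BADSIG)
}

# verify_release TARBALL SIGNATURE
# Runs gpg non-interactively and feeds its machine-readable status lines to
# check_validsig, so a signature from an unpinned key is rejected even
# though gpg on its own would report it as GOODSIG.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    check_validsig "$status" "$ALLOWED_FPRS"
}

# Usage: ./verify.sh tpm2-tools-X.Y.Z.tar.gz tpm2-tools-X.Y.Z.tar.gz.asc
if [ $# -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: $1 is signed by a pinned release key"
    else
        echo "REJECTED: $1 is not signed by a pinned release key" >&2
        exit 1
    fi
fi
```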