Better maintenance of PGP_KEYS file

Description

We maintain a PGP_KEYS file in /downloads to allow deployers to verify package signatures made by our developers.

The process by which this file is maintained is a bit ad hoc at present: edit the file yourself, or get someone else to edit it. There's no audit, no history, no way of rolling back to a previous state if you blap someone else's key by accident.

Phil and I have been reviewing our keys amongst other things, so this has been top of mind. I'd like to propose that we improve this situation by moving the PGP_KEYS information into a new repository, then having the public file updated from that repository as a result of a post-receive hook.

I'd further suggest that we do not just move the PGP_KEYS file into the repository and call it good. Instead, I'd propose that the repository contain individual keys as .asc files, named after the developer and the key ID, e.g.:

iay-EA2882BB.asc iay-D7079C77.asc

(Or some other stable convention.)

In the post-commit hook, we'd then build the actual PGP_KEYS file available for download from those files, perhaps with a little blank space added between them. I'd sort the fragments by their original file name for stability. We might also add a header and trailer comment explicitly in the hook, or have another couple of .asc files named such that they fall in the right places in the sort order.

One might have some opinions about whether we can or should trim out some old keys at this point. In general, this isn't a great idea as our current PGP_KEYS file should really contain keys capable of verifying any old package signature that we still expect people to want to verify, which might end up being "all of them". This applies even if the key has since expired (but arguably not if it has been revoked... which is a good reason not to revoke old keys, of course). Either way, I'd suggest not tackling that question here, but just decomposing PGP_KEYS as it stands today.

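One way the proposed post-receive hook could assemble the published file, as an added example (this is not the project's own hook and assumes nothing about its repository layout beyond the iay-<keyid>.asc naming given above): the script concatenates the *.asc fragments in byte-order file-name sequence with a blank line between them, adds a generated header and trailer comment, refuses any fragment that is not exactly one armored public key block so a stray or truncated file cannot corrupt PGP_KEYS, and replaces the output atomically so a half-written file is never served. The fragment bodies written by `write_fragment` are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not the project's hook: build PGP_KEYS from per-key *.asc
# fragments in stable file-name order, as proposed in the issue description.
set -eu
LC_ALL=C; export LC_ALL   # byte-order glob expansion gives a stable sort

ARMOR_BEGIN='-----BEGIN PGP PUBLIC KEY BLOCK-----'
ARMOR_END='-----END PGP PUBLIC KEY BLOCK-----'

# is_armored_key FILE: succeed only if FILE holds exactly one BEGIN and one END
# armor line, so a stray or truncated fragment is rejected before publishing.
is_armored_key() {
    [ "$(grep -c -e "^${ARMOR_BEGIN}\$" "$1")" = 1 ] &&
    [ "$(grep -c -e "^${ARMOR_END}\$" "$1")" = 1 ]
}

# build_pgp_keys SRC_DIR OUT_FILE: header, each fragment in sorted file-name
# order separated by a blank line, trailer; OUT_FILE is replaced atomically.
build_pgp_keys() {
    src_dir=$1; out_file=$2
    tmp=$(mktemp "${out_file}.XXXXXX")
    {
        echo "# PGP_KEYS is generated from the per-key .asc fragments; edit those, not this file."
        for f in "$src_dir"/*.asc; do
            [ -e "$f" ] || continue          # no fragments at all: empty glob
            if ! is_armored_key "$f"; then
                echo "rejecting $f: not a single armored public key block" >&2
                rm -f "$tmp"
                return 1
            fi
            echo
            cat "$f"
        done
        echo
        echo "# end of PGP_KEYS"
    } > "$tmp"
    mv "$tmp" "$out_file"
}

# count_key_blocks FILE: number of armored public key blocks in a built file.
count_key_blocks() {
    grep -c -e "^${ARMOR_BEGIN}\$" "$1" || true
}

# write_fragment FILE BODY: constructed placeholder armor for demonstration;
# the body is not real key material.
write_fragment() {
    {
        echo "$ARMOR_BEGIN"
        echo
        echo "$2"
        echo "=0000"
        echo "$ARMOR_END"
    } > "$1"
}

# Stand-alone demonstration with two constructed fragments named after the
# convention in the issue (developer handle, then key ID).
demo_dir=$(mktemp -d)
write_fragment "$demo_dir/iay-EA2882BB.asc" 'cGxhY2Vob2xkZXIgRUEyODgyQkI='
write_fragment "$demo_dir/iay-D7079C77.asc" 'cGxhY2Vob2xkZXIgRDcwNzlDNzc='
build_pgp_keys "$demo_dir" "$demo_dir/PGP_KEYS"
echo "built $(count_key_blocks "$demo_dir/PGP_KEYS") key blocks:"
cat "$demo_dir/PGP_KEYS"
rm -rf "$demo_dir"
```

The structural check needs no extra tooling on the git server; where gpg is installed the hook could additionally have `gpg --show-keys` parse each fragment before accepting it, which also catches a file that is armored but not a public key.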

Environment

None

Activity

Ian Young March 2, 2021 at 8:29 PM

New system is in place. The infra-pgpkeys repository is accessible to committers only to add their keys. Pushing to the gitolite server regenerates the PGP_KEYS file. I've added a README.md giving instructions and proposed conventions.

The keys in the repository were extracted from the existing PGP_KEYS file, so at the moment the new file is mainly a reordering of the old one. Obviously it's now a lot simpler for us to update it.

Scott Cantor February 26, 2021 at 2:24 PM

I would note that we now have multiple copies of this because we have to embed bootstrap keys in all the plugin packages. It's much like the checkstyle situation I guess. I'm not sure if there are real improvements we can make there, just noting it.

Ian Young February 26, 2021 at 11:42 AM

Very much down in the weeds, but I might prefer the convention to be to use the 64-bit handle instead of the 32-bit one, after the Evil32 attack. Or the whole key fingerprint, I suppose.

Fixed
Details

Assignee

Reporter

Created February 26, 2021 at 11:35 AM
Updated March 3, 2021 at 5:27 PM
Resolved March 2, 2021 at 8:29 PM