Closed richmills3 closed 2 weeks ago
The git tag for v0.5.1 doesn't appear to be verified.
What observation makes you arrive at this conclusion?
The git tag for v0.5.1 doesn't appear to be verified.
What observation makes you arrive at this conclusion?
Tags - v0.5.1 Doesn't have the Verified label.
The recent tags, including 0.5.1, appear to be all signed with the same key. This is probably just a Github bug.
Okay, indeed. I think this is just an issue with GitHub's web interface. Try verifying the tag on the command line:
> gpg --recv-keys "133E AC17 9436 F14A 5CF1 B794 860F EB80 4E66 9320" # see https://github.com/bitcoin-core/secp256k1/blob/master/SECURITY.md
> git tag -v v0.5.1
object 642c885b6102725e25623738529895a95addc4f4
type commit
tag v0.5.1
tagger Pieter Wuille <pieter@wuille.net> 1722540592 -0400
libsecp256k1 0.5.1
[...]
gpg: Signature made 2024-08-01T21:29:52 CEST
gpg: using RSA key 2840EAABF4BC9F0FFD716AFAFBAFCC46DE2D3FE2
gpg: Good signature from "Pieter Wuille <pieter@wuille.net>" [full]
gpg: aka "Pieter Wuille <pieter.wuille@gmail.com>" [full]
[...]
I guess the reason is that GitHub doesn't know the most recent revision of @sipa's public key. Perhaps @sipa can re-upload the key to his GitHub profile.
For the same reason, GitHub displays some signatures, e.g., the one by @jonasnick on the release commit https://github.com/bitcoin-core/secp256k1/commit/642c885b6102725e25623738529895a95addc4f4 (not release tag) as "Verified" but shows "This commit was signed with the committer’s verified signature. The key has expired." (emphasis mine). This is just because GitHub doesn't know @jonasnick's most recent public key, and it can also be fixed by updating the public key in the GitHub profile. (I had this "issue" before and also happen to have it again after I extended my key recently.)
edit: I've just re-uploaded my key.
Thanks - resolving.
Thanks for digging into that, @real-or-random. I've uploaded an updated GPG key to GitHub, and now the tag does show as "Verified".
As per the title - The git tag for v0.5.1 doesn't appear to be verified.