bitcoin-core / secp256k1

Optimized C library for EC operations on curve secp256k1
MIT License

Tag v0.5.1 is not verified. #1607

Closed richmills3 closed 2 weeks ago

richmills3 commented 2 weeks ago

As per the title - The git tag for v0.5.1 doesn't appear to be verified.

real-or-random commented 2 weeks ago

> The git tag for v0.5.1 doesn't appear to be verified.

What observation makes you arrive at this conclusion?

richmills3 commented 2 weeks ago

> > The git tag for v0.5.1 doesn't appear to be verified.
>
> What observation makes you arrive at this conclusion?

Tags - v0.5.1 Doesn't have the Verified label.

apoelstra commented 2 weeks ago

The recent tags, including 0.5.1, appear to be all signed with the same key. This is probably just a Github bug.

real-or-random commented 2 weeks ago

Okay, indeed. I think this is just an issue with GitHub's web interface. Try verifying the tag on the command line:

> gpg --recv-keys "133E AC17 9436 F14A 5CF1 B794 860F EB80 4E66 9320" # see https://github.com/bitcoin-core/secp256k1/blob/master/SECURITY.md
> git tag -v v0.5.1
object 642c885b6102725e25623738529895a95addc4f4
type commit
tag v0.5.1
tagger Pieter Wuille <pieter@wuille.net> 1722540592 -0400

libsecp256k1 0.5.1
[...]
gpg: Signature made 2024-08-01T21:29:52 CEST
gpg:                using RSA key 2840EAABF4BC9F0FFD716AFAFBAFCC46DE2D3FE2
gpg: Good signature from "Pieter Wuille <pieter@wuille.net>" [full]
gpg:                 aka "Pieter Wuille <pieter.wuille@gmail.com>" [full]
[...]

I guess the reason is that GitHub doesn't know the most recent revision of @sipa's public key. Perhaps @sipa can re-upload the key to his GitHub profile.

For the same reason, GitHub displays some signatures, e.g., the one by @jonasnick on the release commit https://github.com/bitcoin-core/secp256k1/commit/642c885b6102725e25623738529895a95addc4f4 (not release tag) as "Verified" but shows "This commit was signed with the committer’s verified signature. The key has expired." (emphasis mine). This is just because GitHub doesn't know @jonasnick's most recent public key, and it can also be fixed by updating the public key in the GitHub profile. (I had this "issue" before and also happen to have it again after I extended my key recently.)

edit: I've just re-uploaded my key.
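Checking a tag locally against the fingerprint from SECURITY.md, as an added example (not code from libsecp256k1): it parses the gpg status lines that `git verify-tag --raw` writes to stderr, accepts only signatures whose primary-key fingerprint is pinned, and reports the expired-key case separately. The sample status lines are constructed from the gpg output quoted above; the `verify_tag` helper assumes git and gpg are installed and the key has been fetched.

```python
"""Check a gpg status stream (what `git verify-tag --raw <tag>` prints on
stderr) against pinned maintainer fingerprints. Added example, not project code."""
import subprocess

# Primary-key fingerprint from the repository's SECURITY.md (quoted above).
TRUSTED_PRIMARY_FPRS = {"133EAC179436F14A5CF1B794860FEB804E669320"}

def check_status(status_lines, trusted=TRUSTED_PRIMARY_FPRS):
    """Return (ok, reason). Pass needs GOODSIG/EXPKEYSIG plus a VALIDSIG whose
    primary-key fingerprint is pinned; an expired key is flagged but still valid."""
    good = expired = False
    primary_fpr = None
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        kind = fields[1]
        if kind == "GOODSIG":
            good = True
        elif kind == "EXPKEYSIG":          # good signature, but the key expired
            expired = True
        elif kind == "VALIDSIG":
            # fields[2] is the signing subkey (2840EAAB... in the thread);
            # the last field is the primary key, which is what SECURITY.md pins.
            primary_fpr = fields[-1].upper()
        elif kind in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            return False, kind
    if primary_fpr is None or not (good or expired):
        return False, "no valid signature"
    if primary_fpr not in trusted:
        return False, "unpinned key " + primary_fpr
    if expired:
        return True, "good signature, signing key expired"
    return True, "good signature from pinned key"

def verify_tag(tag):
    """Run git verify-tag --raw (status goes to stderr) and check the result."""
    proc = subprocess.run(["git", "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return check_status(proc.stderr.splitlines())

# Constructed status lines modelled on the gpg output quoted in the thread.
SAMPLE_STATUS = [
    "[GNUPG:] GOODSIG FBAFCC46DE2D3FE2 Pieter Wuille <pieter@wuille.net>",
    "[GNUPG:] VALIDSIG 2840EAABF4BC9F0FFD716AFAFBAFCC46DE2D3FE2 2024-08-01 "
    "1722540592 0 4 0 1 10 01 133EAC179436F14A5CF1B794860FEB804E669320",
]
```

Running `verify_tag("v0.5.1")` in a clone of the repository reproduces the command-line check above without depending on GitHub's badge.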

richmills3 commented 2 weeks ago

Thanks - resolving.

sipa commented 2 weeks ago

Thanks for digging into that, @real-or-random. I've uploaded an updated GPG key to GitHub, and now the tag does show as "Verified".