cbeust / jcommander

Command line parsing framework for Java
Apache License 2.0
1.94k stars 332 forks

Please document your gpg keys #541

Closed yeikel closed 3 months ago

yeikel commented 2 years ago

We use Dependency Verification and currently there is no documentation stating which keys are safe

Could you please document this?

For example, 1.81 was signed using dcba03381ef6c89096acd985ac5ec74981f9cda6

But 1.82 was signed using 22E44AC0622B91C3

Here are some examples of other projects documenting what key they use to sign their artifacts.

https://github.com/qos-ch/slf4j/blob/master/SECURITY.md#verifying-contents
https://square.github.io/okhttp/security/security/#verifying-artifacts
https://downloads.apache.org/logging/KEYS

mkarg commented 4 months ago

Since we released 1.83 with a different signing key, is this issue still an issue?

yeikel commented 4 months ago

> Since we released 1.83 with a different signing key, is this issue still an issue?

Is that expected key documented somewhere in the repo?

mkarg commented 4 months ago

> > Since we released 1.83 with a different signing key, is this issue still an issue?

> Is that expected key documented somewhere in the repo?

No, it is not. According to https://central.sonatype.org/publish/requirements/gpg/#distributing-your-public-key it should be found on a keyserver.

yeikel commented 4 months ago

> > > Since we released 1.83 with a different signing key, is this issue still an issue?

> > Is that expected key documented somewhere in the repo?

> No, it is not. According to https://central.sonatype.org/publish/requirements/gpg/#distributing-your-public-key it should be found on a keyserver.

Yes, but there are multiple key servers and there should be a way to link it back to the project. Storing it without any documentation creates the original problem described above.

For example, 1.81 was signed using dcba03381ef6c89096acd985ac5ec74981f9cda6

But 1.82 was signed using 22E44AC0622B91C3

We should be able to find in the documentation what the expected key is, and raise an exception if any new, unknown and undocumented key is found with a release, as it could be a compromised release.

The SECURITY.md file is a good place to document that back in the repository.

For example, see this : https://github.com/qos-ch/slf4j/blob/master/SECURITY.md#verifying-contents
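The check asked for in the comment above, written out as an added example (it is not jcommander's code and not how Gradle's dependency verification is implemented): parse the detached `.asc` signature that Maven Central serves next to each jar, read the issuer subpackets, and refuse anything whose key is not in the documented set. The allowlist holds the 1.81 fingerprint quoted in the report. The sample signatures are constructed inside the block (structurally valid OpenPGP packets with a filler signature value, so gpg would report them as bad); the sample carrying only the key ID `22E44AC0622B91C3` stands in for a release signed with a not-yet-documented key, which is exactly the case the report wants to fail.

```python
"""Fail-fast check of which key issued a detached OpenPGP signature (.asc) against the
documented release-signing keys. Added example, not jcommander code; sample signatures
are constructed below (structurally valid packets that gpg would not verify)."""
import base64

DOCUMENTED_KEYS = {"dcba03381ef6c89096acd985ac5ec74981f9cda6"}  # 1.81 key quoted in this issue


class UntrustedSigningKey(Exception):
    """A release signature names a key that is not in the documented set."""


def dearmor(armored: str) -> bytes:
    """Strip ASCII armor: skip 'Version:'-style headers up to the blank line and the CRC trailer."""
    lines = [ln.strip() for ln in armored.strip().splitlines()]
    if not lines or lines[0] != "-----BEGIN PGP SIGNATURE-----":
        raise ValueError("not an armored PGP signature")
    b64, in_body = [], False
    for ln in lines[1:]:
        if ln.startswith("-----END"): break
        if not in_body:
            in_body = ln == ""
        elif not (ln.startswith("=") and len(ln) == 5):   # the 5-char '=XXXX' line is the CRC24
            b64.append(ln)
    return base64.b64decode("".join(b64))


def read_packet(data: bytes):
    """(tag, body) of the first packet; gpg writes old-format headers, other tools new-format."""
    hdr = data[0]
    if not hdr & 0x80: raise ValueError("bad packet header")
    if hdr & 0x40:                                  # new format (RFC 4880 4.2.2)
        tag, first = hdr & 0x3F, data[1]
        if first < 192: length, off = first, 2
        elif first < 224: length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255: length, off = int.from_bytes(data[2:6], "big"), 6
        else: raise ValueError("partial body lengths not supported")
    else:                                           # old format (RFC 4880 4.2.1)
        tag, n = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 3]
        if not n: raise ValueError("indeterminate length not supported")
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    return tag, data[off:off + length]


def parse_subpackets(buf: bytes):
    """Yield (type, body) per signature subpacket; the length field covers the type octet too."""
    i = 0
    while i < len(buf):
        first = buf[i]
        if first < 192: length, i = first, i + 1
        elif first < 255: length, i = ((first - 192) << 8) + buf[i + 1] + 192, i + 2
        else: length, i = int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
        yield buf[i] & 0x7F, buf[i + 1:i + length]    # bit 7 of the type is the 'critical' flag
        i += length


def signature_issuer(armored: str):
    """Return (fingerprint_hex or None, key_id_hex or None) named by a v4 signature packet."""
    tag, body = read_packet(dearmor(armored))
    if tag != 2 or body[0] != 4: raise ValueError("expected a version 4 signature packet")
    hashed_len = int.from_bytes(body[4:6], "big")      # after version, sig type, pk alg, hash alg
    hashed, p = body[6:6 + hashed_len], 6 + hashed_len
    unhashed = body[p + 2:p + 2 + int.from_bytes(body[p:p + 2], "big")]
    fingerprint = key_id = None
    # Only the hashed area is signed; the unhashed issuer subpacket is an untrusted hint.
    for typ, sub in list(parse_subpackets(hashed)) + list(parse_subpackets(unhashed)):
        if typ == 33 and sub[:1] == b"\x04":            # Issuer Fingerprint of a v4 key
            fingerprint = sub[1:].hex()
        elif typ == 16:                                 # Issuer key ID (low 64 bits of fingerprint)
            key_id = sub.hex()
    return fingerprint, key_id


def resolve_trusted_key(armored: str, trusted=DOCUMENTED_KEYS) -> str:
    """Return the documented fingerprint the signature points at, else raise. A full fingerprint
    must match exactly; a bare 64-bit key ID is collidable, so it only selects which key to fetch."""
    trusted = {fp.lower().replace(" ", "") for fp in trusted}
    fingerprint, key_id = signature_issuer(armored)
    if fingerprint is not None:
        if fingerprint in trusted: return fingerprint
        raise UntrustedSigningKey(f"undocumented signing key {fingerprint}")
    candidates = [fp for fp in trusted if key_id and fp.endswith(key_id)]
    if len(candidates) == 1:
        return candidates[0]
    raise UntrustedSigningKey(f"undocumented signing key id {key_id}")


def build_detached_signature(fingerprint_hex=None, key_id_hex=None) -> str:
    """Constructed sample: v4 RSA/SHA-256 signature with a filler MPI, old-format header as gpg writes it."""
    sub = lambda typ, body: bytes([len(body) + 1, typ]) + body   # one-octet subpacket length
    hashed = sub(2, (1700000000).to_bytes(4, "big"))              # signature creation time
    if fingerprint_hex:
        fp = bytes.fromhex(fingerprint_hex)
        hashed += sub(33, b"\x04" + fp)
        key_id_hex = key_id_hex or fp[-8:].hex()
    unhashed = sub(16, bytes.fromhex(key_id_hex)) if key_id_hex else b""
    sig = b"\x7f" + b"\x5a" * 31                                  # filler, not a real signature
    body = (bytes([4, 0x00, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\xab\xcd"
            + int.from_bytes(sig, "big").bit_length().to_bytes(2, "big") + sig)
    packet = bytes([0x89]) + len(body).to_bytes(2, "big") + body
    b64 = base64.b64encode(packet).decode()
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END PGP SIGNATURE-----\n")
```

`resolve_trusted_key(build_detached_signature(fingerprint_hex="dcba0338…"))` returns the documented fingerprint, while the key-ID-only sample for `22E44AC0622B91C3` raises `UntrustedSigningKey`, which is the behaviour the report asks for. Two caveats a practitioner should keep in mind: the fingerprint subpacket lives in the hashed area and is covered by the signature, but the issuer key ID is only 64 bits and can be collided, so a key-ID match is good for nothing more than choosing which documented key to fetch; the real verification (gpg, or Gradle's dependency verification) still has to run against that key, and the trust decision must bind to its full fingerprint. Gradle expresses the same policy with `<trusted-key id="…" group="com.beust"/>` entries in `verification-metadata.xml` and expects the full 160-bit fingerprint there, which is why the project should publish fingerprints rather than short key IDs.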

mkarg commented 3 months ago

Please find the GPG Signing Key for validation here: https://github.com/cbeust/jcommander/blob/master/SECURITY.md#gpg-signature-validation. 😃