jsha opened this issue 4 years ago [Open]
For the record the public key is available at https://www.google.com/linuxrepositories/
/cc @dmitshur @cnoellekb @andybons
The public key is not at https://www.google.com/linuxrepositories/ as noted above; the fingerprint on current signatures is
gpg: using RSA key 78BD65473CB3BD13
which is none of the keys contained at that link.
This is perhaps off-issue. But just to confirm the current Google Linux package signing keys do correctly validate the Go releases now, in contrast with @tvierling's previous report ✔️
$ gpg --verify go1.18.3.linux-amd64.tar.gz.asc
gpg: assuming signed data in 'go1.18.3.linux-amd64.tar.gz'
gpg: Signature made Wed 01 Jun 2022 21:16:43 BST
gpg: using RSA key 78BD65473CB3BD13
gpg: Can't check signature: No public key
$ gpg --verify go1.18.4.linux-amd64.tar.gz.asc
gpg: assuming signed data in 'go1.18.4.linux-amd64.tar.gz'
gpg: Signature made Tue 12 Jul 2022 19:31:37 BST
gpg: using RSA key 4EB27DB2A3B88B8B
gpg: Can't check signature: No public key
$ gpg --import linux_signing_key.pub
gpg: key A040830F7FAC5991: public key "Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>" imported
gpg: key 7721F63BD38B4796: 1 signature not checked due to a missing key
gpg: key 7721F63BD38B4796: public key "Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>" imported
gpg: Total number processed: 2
gpg: imported: 2
…
$ gpg --verify go1.18.3.linux-amd64.tar.gz.asc
gpg: assuming signed data in 'go1.18.3.linux-amd64.tar.gz'
gpg: Signature made Wed 01 Jun 2022 21:16:43 BST
gpg: using RSA key 78BD65473CB3BD13
gpg: Good signature from "Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
Subkey fingerprint: 2F52 8D36 D67B 69ED F998 D857 78BD 6547 3CB3 BD13
$ gpg --verify go1.18.4.linux-amd64.tar.gz.asc
gpg: assuming signed data in 'go1.18.4.linux-amd64.tar.gz'
gpg: Signature made Tue 12 Jul 2022 19:31:37 BST
gpg: using RSA key 4EB27DB2A3B88B8B
gpg: Good signature from "Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
Subkey fingerprint: 8461 EFA0 E74A BAE0 10DE 6699 4EB2 7DB2 A3B8 8B8B
Presumably the keys changed sometime in the past few months due to a (then-forthcoming) expiry date in July 2022:
$ gpg linux_signing_key.pub
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub dsa1024 2007-03-08 [SC]
4CCA1EAF950CEE4AB83976DCA040830F7FAC5991
uid Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub elg2048 2007-03-08 [E]
pub rsa4096 2016-04-12 [SC]
EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796
uid Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub rsa4096 2016-04-12 [S] [expired: 2019-04-12]
sub rsa4096 2017-01-24 [S] [expired: 2020-01-24]
sub rsa4096 2019-07-22 [S] [expired: 2022-07-21]
sub rsa4096 2021-10-26 [S] [expires: 2024-10-25]
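Added example (my code, not Go project tooling or anything from the comments above): a small Python wrapper around gpg --status-fd that turns the manual checks in this thread into a policy: the primary-key fingerprint EB4C 1BFD ... D38B 4796 shown above is pinned, so "Good signature ... [unknown]" from some other key is rejected, and a signature from an expired subkey (the 78BD... case above, which gpg still reports as a good signature with a note) is rejected unless explicitly allowed. It assumes gpg is installed and linux_signing_key.pub has been imported into the default keyring, that the .asc sits next to the tarball, and the names evaluate_status, verify_release and the SAMPLE_STATUS lines are mine (the status lines are constructed, not captured from a real run).

```python
import subprocess

# Primary-key fingerprint quoted in the gpg output above; pinned so that a
# "Good signature" from any other key (even one shown as [unknown]) is rejected.
GOOGLE_PRIMARY_FPR = "EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796"

# Constructed sample (not from a real run) of gpg --status-fd output for the expired 78BD... subkey.
SAMPLE_STATUS = [
    "[GNUPG:] EXPKEYSIG 78BD65473CB3BD13 Google Inc. (Linux Packages Signing Authority)",
    "[GNUPG:] VALIDSIG 2F528D36D67B69EDF998D85778BD65473CB3BD13 2022-06-01 "
    "1654114603 0 4 0 1 8 00 EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

def evaluate_status(status_lines, expected_primary_fpr, allow_expired=False):
    """Pinning policy over gpg status lines; returns (ok, reason).
    Only a VALIDSIG whose last field (primary-key fingerprint) matches the pin passes;
    EXPKEYSIG (valid signature, expired key: 'Good signature' plus a note) is rejected by default."""
    expired, primary = False, None
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable gpg chatter, not a status line
        tag = fields[1]
        if tag == "BADSIG":
            return False, "bad signature"
        if tag == "NO_PUBKEY":
            return False, "no public key for " + fields[2]
        if tag == "EXPKEYSIG":
            expired = True
        elif tag == "VALIDSIG":
            primary = fields[-1]
    if primary is None:
        return False, "no VALIDSIG line"
    if primary != expected_primary_fpr:
        return False, "signed by unexpected key " + primary
    if expired and not allow_expired:
        return False, "signing subkey has expired"
    return True, "good signature from pinned key"

def verify_release(tarball, expected_primary_fpr=GOOGLE_PRIMARY_FPR, allow_expired=False):
    """Run gpg on <tarball>.asc (next to the tarball) and apply the policy."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", tarball + ".asc", tarball]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    return evaluate_status(out.splitlines(), expected_primary_fpr, allow_expired)

if __name__ == "__main__":
    import sys
    print(verify_release(sys.argv[1]) if len(sys.argv) > 1
          else evaluate_status(SAMPLE_STATUS, GOOGLE_PRIMARY_FPR))
```

Run it as `python3 verify_go.py go1.18.4.linux-amd64.tar.gz`; with no argument it evaluates the constructed expired-subkey sample instead.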
On https://golang.org/dl/, there are links to each Go release, along with SHA256 checksums. However, the security of those checksums is only ensured by HTTPS. I learned recently that there are also PGP signatures for each release. So to go along with:
https://dl.google.com/go/go1.14.2.linux-amd64.tar.gz
There is also:
https://dl.google.com/go/go1.14.2.linux-amd64.tar.gz.asc
It would be great to document that fact on https://golang.org/dl/, along with instructions on how to validate the signature.