google / highway

Performance-portable, length-agnostic SIMD with runtime dispatch
Apache License 2.0

Documentation: Where is the release signing key? #2224

Closed jmroot closed 1 month ago

jmroot commented 1 month ago

The usual key servers don't appear to have the key used to sign highway releases:

% gpg --verify /path/to/highway-1.2.0.tar.gz.asc /path/to/highway-1.2.0.tar.gz
gpg: Signature made Sat  1 Jun 04:28:21 2024 AEST
gpg:                using RSA key 14D827B22124EB2FE748C3B6EE0F9065BCB8B678
gpg: requesting key EE0F9065BCB8B678 from hkp://keys.gnupg.net
gpg: Can't check signature: No public key

I also couldn't find anything in the documentation about where to obtain the key. Could that please be added?

jan-wassenberg commented 1 month ago

Hi @jmroot, thanks for pointing that out. We lost the previous key when my workstation was re-imaged. I've uploaded the new one to hkps://keys.openpgp.org.

jmroot commented 1 month ago

@jan-wassenberg Thanks. It would also be good to either list the key fingerprint in the docs, or include a link like https://keys.openpgp.org/vks/v1/by-fingerprint/14D827B22124EB2FE748C3B6EE0F9065BCB8B678.

kmilos commented 4 weeks ago

Unfortunately the new key is still not available on other servers, like pgp.mit.edu or keyserver.ubuntu.com (GnuPG default):

$ gpg --recv-keys EE0F9065BCB8B678
gpg: keyserver receive failed: No data

Please upload there as well, as keys.openpgp.org does not synchronize. @jan-wassenberg

lazka commented 3 weeks ago

> Unfortunately the new key is still not available on other servers, like pgp.mit.edu or keyserver.ubuntu.com (GnuPG default):

I've uploaded it to both now (everyone can)

jan-wassenberg commented 3 weeks ago

Thank you :) Would you like to send a pull request to update https://github.com/google/highway/blob/master/g3doc/release_testing_process.md for the desired process? Maybe also add the link jmroot posted above?

kmilos commented 3 weeks ago

@jan-wassenberg Still getting

$ gpg --verify highway-1.2.0.tar.gz.asc highway-1.2.0.tar.gz
gpg: Signature made Fri May 31 20:28:21 2024 CEST
gpg:                using RSA key 14D827B22124EB2FE748C3B6EE0F9065BCB8B678
gpg: BAD signature from "Jan Wassenberg <janwas@google.com>" [unknown]
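
One way a packager could script the check discussed in this thread, as an added example that is not part of the thread or of the highway project: pin the full fingerprint quoted above and classify GnuPG's machine-readable `--status-fd` output, so that a missing key, a bad signature, and a valid signature from some other key are told apart. The helper names `classify_status` and `verify_release` are hypothetical, and the sample status lines are constructed to mirror the two failures reported here.

```shell
#!/bin/sh
# Added example. Fingerprint as quoted in the thread above.
PINNED_FPR=14D827B22124EB2FE748C3B6EE0F9065BCB8B678

# classify_status (hypothetical helper): reads `gpg --status-fd` lines on
# stdin and prints a single verdict. Failure states win over VALIDSIG.
classify_status() {
  awk -v want="$PINNED_FPR" '
    $1 != "[GNUPG:]"   { next }
    $2 == "BADSIG"     { bad = 1 }
    $2 == "NO_PUBKEY"  { nokey = 1 }
    $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { stale = 1 }
    # VALIDSIG: field 3 is the signing key fingerprint, the last field the
    # primary key fingerprint; accept the pin on either.
    $2 == "VALIDSIG"   { valid = 1; if ($3 == want || $NF == want) pinned = 1 }
    END {
      if (bad)                  print "bad-signature"
      else if (nokey)           print "no-public-key"
      else if (stale)           print "expired-or-revoked"
      else if (valid && pinned) print "ok"
      else if (valid)           print "wrong-signer"
      else                      print "unverified"
    }'
}

# verify_release (hypothetical helper): usage verify_release FILE.asc FILE
verify_release() {
  verdict=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status)
  echo "$verdict"
  [ "$verdict" = "ok" ]
}

# Constructed status output for the two failures reported in the thread.
sample_no_pubkey() { cat <<'EOF'
[GNUPG:] ERRSIG EE0F9065BCB8B678 1 10 00 1717180101 9 14D827B22124EB2FE748C3B6EE0F9065BCB8B678
[GNUPG:] NO_PUBKEY EE0F9065BCB8B678
EOF
}
sample_bad() { cat <<'EOF'
[GNUPG:] BADSIG EE0F9065BCB8B678 Jan Wassenberg <janwas@google.com>
EOF
}
sample_ok() { cat <<'EOF'
[GNUPG:] GOODSIG EE0F9065BCB8B678 Jan Wassenberg <janwas@google.com>
[GNUPG:] VALIDSIG 14D827B22124EB2FE748C3B6EE0F9065BCB8B678 2024-05-31 1717180101 0 4 0 1 10 00 14D827B22124EB2FE748C3B6EE0F9065BCB8B678
EOF
}
```

`verify_release` exits non-zero for every verdict other than `ok`, so it can gate a build step directly.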