jaegertracing / legacy-client-java

Legacy com.uber.jaeger java client
Apache License 2.0

Signing keys #14

Open yurishkuro opened 6 years ago

yurishkuro commented 6 years ago

The travis file contains this line:

./travis/prepare-signing.sh $encrypted_677f232983c0_key $encrypted_677f232983c0_iv

I believe in the original repo these variables were defined in Travis itself, rather than being provided via encrypted vars in .travis.yaml (added in https://github.com/jaegertracing/jaeger-client-java/pull/201).

@jpkrohling do you remember what was the source of the values? Did you encode your own keys?

This repo doesn't have these variables anywhere so the automated publishing from tag fails.

jpkrohling commented 6 years ago

encrypted_677f232983c0_key comes automatically from Travis. The prepare-signing.sh script, however, takes the key/value as input to decrypt the signing key, used to sign the final artifacts that are uploaded to Nexus (Maven Central).

I expect the encrypted_677f232983c0_key to be repository-dependent, so, the plain text signing-key needs to be encrypted with something like travis encrypt-file signing-key.asc.

It's strange that the repo doesn't have these env vars, but could it be that this repo has no encrypted vars yet? Perhaps this is created on-demand by Travis?
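To make the mechanism jpkrohling describes concrete, the following is an added example (not the project's own prepare-signing.sh, whose contents are not shown in this issue) of the openssl round trip that `travis encrypt-file signing-key.asc` wraps: a random AES-256 key and IV are generated, the file is encrypted with `openssl aes-256-cbc`, and the hex key/IV become the repository-scoped `encrypted_<id>_key` / `encrypted_<id>_iv` variables that the build later hands to the decrypt command. The placeholder key material and temp-file names are constructed for the example.

```shell
# Added example: a stand-in for the encrypt/decrypt pair around
# `travis encrypt-file signing-key.asc`. It is not the project's prepare-signing.sh
# (that script's contents are not shown in the issue). `travis encrypt-file`
# generates a random AES-256 key and IV, runs `openssl aes-256-cbc`, and stores the
# hex key/IV in the repository as encrypted_<id>_key / encrypted_<id>_iv; the
# decrypt command below is the form Travis documents for use inside the build.

# Encrypt side (developer laptop). Prints "<key-hex> <iv-hex>" on stdout, the two
# values that become the repository variables. They are never committed; only the
# .enc file is.
encrypt_signing_key() {
  plain="$1"; enc="$2"
  key=$(openssl rand -hex 32)  # 256-bit AES key
  iv=$(openssl rand -hex 16)   # 128-bit CBC IV
  openssl aes-256-cbc -K "$key" -iv "$iv" -in "$plain" -out "$enc" || return 1
  printf '%s %s\n' "$key" "$iv"
}

# Decrypt side (CI job), i.e. what a prepare-signing.sh needs the two variables for.
# Fails loudly when a variable is missing, which is the symptom from the issue:
# the copied repo has the .enc file but not the repository-scoped variables.
decrypt_signing_key() {
  enc="$1"; out="$2"
  key="${3:?encrypted_<id>_key is not set for this repository}"
  iv="${4:?encrypted_<id>_iv is not set for this repository}"
  set +x   # make sure command tracing cannot leak key/IV into the build log
  openssl aes-256-cbc -d -K "$key" -iv "$iv" -in "$enc" -out "$out" || return 1
  chmod 600 "$out"
}

# Round trip on a constructed placeholder for the ASCII-armored private key.
# Returns 0 when the decrypted file matches the original.
roundtrip_demo() {
  dir=$(mktemp -d) || return 1
  printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' \
    'constructed placeholder, not a real key' \
    '-----END PGP PRIVATE KEY BLOCK-----' > "$dir/signing-key.asc"
  kv=$(encrypt_signing_key "$dir/signing-key.asc" "$dir/signing-key.asc.enc") || return 1
  key=${kv%% *}; iv=${kv##* }
  if decrypt_signing_key "$dir/signing-key.asc.enc" "$dir/decrypted.asc" "$key" "$iv" \
     && cmp -s "$dir/signing-key.asc" "$dir/decrypted.asc"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$dir"
  return $rc
}
```

The key and IV live only in the repository settings, so a repo created by copying the tree (or a fork) carries the `.enc` file and the `$encrypted_..._key` reference in `.travis.yml` but cannot decrypt anything until someone with the plaintext key re-runs the encrypt step against the new repository.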

yurishkuro commented 6 years ago

encrypted_677f232983c0_key comes from Travis, but someone did add it there


I can do the same, but my question was whether we want to use some personal signing-key.asc or did we use a shared one?

jpkrohling commented 6 years ago

but someone did add it there

Someone, or something? I think travis encrypt does that on the first run.

my question was whether we want to use some personal signing-key.asc or did we use a shared one?

Looks like we are currently using a personal one:

$ gpg --verify jaeger-core-0.27.0.jar.asc jaeger-core-0.27.0.jar
gpg: Signature made Wed 18 Apr 2018 12:45:06 PM CEST using RSA key ID 9A2E1C5E
gpg: Good signature from "Juraci Paixão Kröhling <jpkroehling+jaeger-client-java@redhat.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2D10 9718 459E C01B 3C13  5D67 8ECC 15DC 9A2E 1C5E

Same for 0.27.0-RC1:

$ gpg --verify jaeger-core-0.27.0-RC1.jar.asc jaeger-core-0.27.0-RC1.jar
gpg: Signature made Wed 11 Apr 2018 03:44:24 PM CEST using RSA key ID 4F9D21F5
gpg: Can't check signature: public key not found
$ gpg --recv-keys 4F9D21F5
gpg: requesting key 4F9D21F5 from hkp server keys.gnupg.net
gpg: key 4F9D21F5: public key "Pavol Loffay <p.loffay@gmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

That said, it might be worth considering using a single, trusted key. Something like: packaging@jaegertracing.io.
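The gpg output quoted above is worth a second look from the consumer side: "Good signature" only means the signature verifies against some key in the local keyring, and `gpg --recv-keys 4F9D21F5` imports whatever the keyserver returns for that 32-bit short key ID (short IDs are cheap to collide). As an added example that is not code from the jaeger project, the script below runs gpg with machine-readable status output and accepts a release only when the signing key's full fingerprint is on an explicit allowlist; with the single project key the thread suggests, that list shrinks to one entry. The allowlist contains only Juraci's fingerprint, since Pavol's full fingerprint is not shown in the thread, and the sample status lines are constructed for the example.

```shell
# Added example, not code from the jaeger project: a consumer-side check that goes
# one step past "gpg: Good signature". gpg reports a good signature for any key in
# the local keyring, and `gpg --recv-keys <short-id>` imports whatever the keyserver
# returns for that ID, so this check also requires the signing key's full
# fingerprint to be on an explicit allowlist. The allowlist and the sample status
# output below are constructed for this example.

# Full fingerprints accepted for jaeger-core artifacts. Only Juraci's primary key
# fingerprint appears in the thread; Pavol's does not, so it is not listed here.
ALLOWED_FPRS="2D109718459EC01B3C135D678ECC15DC9A2E1C5E"

# check_validsig STATUS_TEXT
# Parses `gpg --status-fd` output. Succeeds only on a VALIDSIG line whose signing-key
# fingerprint (field 3) or primary-key fingerprint (last field) is in ALLOWED_FPRS.
# GOODSIG alone is ignored: it carries only a 64-bit key ID and says nothing about trust.
check_validsig() {
  printf '%s\n' "$1" | awk -v allowed="$ALLOWED_FPRS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && (($3 in ok) || ($NF in ok)) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# verify_artifact FILE
# Runs gpg on FILE and FILE.asc with status lines on stdout and applies the allowlist.
# Needs gpg and the public keys already imported, so it is not exercised offline.
verify_artifact() {
  status=$(gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || return 1
  check_validsig "$status"
}

# Constructed status output shaped like gpg's for the jaeger-core-0.27.0.jar case:
# good signature from the allowlisted primary key.
SAMPLE_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 8ECC15DC9A2E1C5E Juraci Paixao Krohling <jpkroehling+jaeger-client-java@redhat.com>
[GNUPG:] VALIDSIG 2D109718459EC01B3C135D678ECC15DC9A2E1C5E 2018-04-18 1524048306 0 4 0 1 8 00 2D109718459EC01B3C135D678ECC15DC9A2E1C5E
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed status for a signature that is cryptographically good but made by a key
# that is not on the allowlist (e.g. whatever a keyserver returned for a short key ID).
SAMPLE_UNLISTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2018-04-11 1523454264 0 4 0 1 8 00 0000111122223333444455556666777788889999'

# Constructed status for the "public key not found" case from the RC1 check.
SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0000000000000000 1 8 00 1523454264 9
[GNUPG:] NO_PUBKEY 0000000000000000'
```

`check_validsig` accepts `SAMPLE_OK` and rejects the other two. In a release pipeline, `verify_artifact jaeger-core-0.27.0.jar` would be the gate; rotating to a shared `packaging@jaegertracing.io` key means updating `ALLOWED_FPRS` in one place rather than re-teaching every consumer which personal keys are acceptable.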