nodejs / release-keys

Node.js release signing keys.
MIT License

Automated triggers for updating this repo #4

Open canterberry opened 3 years ago

canterberry commented 3 years ago

Desired State

Whenever a new release signing key is introduced for Node.js, tools and automation should be able to verify releases signed by those keys not only by fetching the contents of the signing key based on the release's signature (from any source), but also by cross-referencing that key's authorization against a trusted source.

Current State

Currently, the contents of this repo are built manually on an ad-hoc basis and reviews are requested by the members of the release signing team involved with any updates.

The script used to produce/update the GPG keyring and the raw keys within the keys directory is as follows:

#!/usr/bin/env bash
set -euo pipefail

# Fetch every key ID listed in keys.list into the keyring under ./gpg.
# (pool.sks-keyservers.net has since been shut down; hkps://keys.openpgp.org is a working alternative.)
KEY_IDS=$(xargs < keys.list)
GNUPGHOME=gpg gpg --keyserver pool.sks-keyservers.net --receive-keys ${KEY_IDS}

# Export each key, ASCII-armored, to keys/<KEY_ID>.asc
for KEY_ID in ${KEY_IDS}; do
  if [ -n "${KEY_ID}" ]; then
    GNUPGHOME=gpg gpg --export --armor "${KEY_ID}" > "keys/${KEY_ID}.asc"
  fi
done

The script expects keys.list to be up-to-date with the latest keys. This list is derived from nodejs/node:README.md and is currently updated by hand.

The Gap

  1. The process of updating this repo is manual, but should be automated.
  2. The trigger for updating this repo is manual, but should be automated.

Proposed Solution

Close the gap between a change to release signing keys and the introduction of those keys into this repo. Create an automated monitor for changes to https://github.com/nodejs/node/blob/master/README.md involving a release signing key. Ideally, this monitor would alert on the opening of any Pull Request making such a change.

As a follow-up to this monitoring automation, an automated workflow should create a corresponding Pull Request in this repo which makes the necessary changes to ensure this repo is in sync.

Long-Term Plan

The canterberry/nodejs-keys repo is an unofficial source of release signing key information for the Node.js release team. There is a proposal to adopt it under management of the Node.js org and integrate it into existing processes. When that happens, this repo can be retired and this Issue will no longer be relevant.
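A worked illustration of the cross-referencing step described under Desired State, added here as an example and not taken from nodejs/release-keys or from the issue text: it parses the issuer that a detached OpenPGP signature claims (the Issuer Fingerprint and Issuer subpackets of the signature packet) and checks that fingerprint against the trusted list, so a key fetched "from any source" is only accepted when the authoritative list names it. The fingerprints, the keys.list contents and the signature packet are constructed samples (the signature is structurally valid OpenPGP but not cryptographically valid), and the keys.list format, one fingerprint per line, is an assumption.

```python
"""Check that the key a Node.js release signature claims to come from is on the
trusted key list (keys.list), instead of trusting whatever a keyserver returns.

Added example, not code from nodejs/release-keys. The key list and signature
below are constructed: fingerprints are made up and the signature is structurally
valid OpenPGP but not cryptographically valid, so this runs offline. gpg still
does the real verification; this only decides which key it may succeed with.
"""
import struct


def trusted_fingerprints(keys_list_text):
    """Assumption: keys.list holds one 40-hex release-key fingerprint per line."""
    return {ln.strip().upper() for ln in keys_list_text.splitlines() if ln.strip()}


def _packet(data):
    """Parse one OpenPGP packet header, old or new format; return (tag, body)."""
    b0 = data[0]
    if not b0 & 0x80:
        raise ValueError("not an OpenPGP packet")
    if b0 & 0x40:  # new format (RFC 4880 4.2.2)
        tag, first = b0 & 0x3F, data[1]
        if first < 192:
            off, n = 2, first
        elif first < 224:
            off, n = 3, ((first - 192) << 8) + data[2] + 192
        elif first == 255:
            off, n = 6, struct.unpack(">I", data[2:6])[0]
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old format, which gpg emits for signature packets (RFC 4880 4.2.1)
        tag, ltype = (b0 >> 2) & 0x0F, b0 & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        off = (2, 3, 5)[ltype]
        n = int.from_bytes(data[1:off], "big")
    return tag, data[off:off + n]


def _subpackets(area):
    """Yield (type, data) from a signature subpacket area (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            n, i = first, i + 1
        elif first < 255:
            n, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            n, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i] & 0x7F, area[i + 1:i + n]  # bit 7 of the type is 'critical'
        i += n


def signature_issuer(sig):
    """(fingerprint or None, key_id) that a binary v4 signature claims as issuer.
    Armored .asc input must be dearmored first (e.g. with `gpg --dearmor`)."""
    tag, body = _packet(sig)
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a v4 signature packet")
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed, p = body[6:6 + hlen], 6 + hlen
    unhashed = body[p + 2:p + 2 + struct.unpack(">H", body[p:p + 2])[0]]
    fpr = key_id = None
    for area in (hashed, unhashed):  # the hashed area is covered by the signature
        for t, d in _subpackets(area):
            if t == 33 and fpr is None and len(d) == 21 and d[0] == 4:
                fpr = d[1:].hex().upper()  # Issuer Fingerprint subpacket
            elif t == 16 and key_id is None and len(d) == 8:
                key_id = d.hex().upper()  # Issuer (64-bit key ID) subpacket
    if key_id is None and fpr is None:
        raise ValueError("signature names no issuer")
    return fpr, key_id or fpr[-16:]


def is_authorized(sig, trusted):
    """True if the claimed issuer is on the trusted list. A key-ID-only match is
    weaker (64-bit IDs can be collided) and merely selects the key gpg verifies with."""
    fpr, key_id = signature_issuer(sig)
    return fpr in trusted if fpr else any(t.endswith(key_id) for t in trusted)


def build_sample_signature(fpr_hex, with_fingerprint=True):
    """Constructed fixture: a v4 signature packet naming fpr_hex as issuer, with
    dummy MPI data, so the parser can be exercised without gpg or real keys."""
    fpr = bytes.fromhex(fpr_hex)
    hashed = bytes([5, 2]) + struct.pack(">I", 1700000000)  # creation time
    if with_fingerprint:
        hashed += bytes([22, 33, 4]) + fpr                  # issuer fingerprint
    unhashed = bytes([9, 16]) + fpr[-8:]                    # issuer key ID
    body = bytes([4, 0, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", len(unhashed)) + unhashed
    body += b"\xab\xcd" + struct.pack(">H", 16) + b"\xab\xcd"  # left16 + dummy MPI
    return bytes([0x89]) + struct.pack(">H", len(body)) + body  # old-format hdr, tag 2


TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # made up
ROGUE_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"    # made up, not listed
SAMPLE_KEYS_LIST = TRUSTED_FPR + "\n"  # constructed stand-in for keys.list

if __name__ == "__main__":
    trusted = trusted_fingerprints(SAMPLE_KEYS_LIST)
    for f in (TRUSTED_FPR, ROGUE_FPR):
        print(f, "authorised:", is_authorized(build_sample_signature(f), trusted))
```

In practice this runs on the binary SHASUMS256.txt.sig before `gpg --verify`, and the verifying keyring should contain only the listed keys: gpg reports a good signature for any key it has imported, so an unrestricted keyring reintroduces exactly the "any source" problem the list is meant to close.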