Closed canterberry closed 3 years ago
Each person I've requested to review this PR has a key that has been updated in this changeset. I wasn't able to tag Evan Lucas for review, although there are some changes for Evan as well.
@canterberry, I'm not entirely sure what and how I can verify this - is that the ask here?
I assumed it would be a case of comparing my key in this PR with the ASCII armored output I get locally and from https://keys.openpgp.org/, but they all differ. After that, I tried a comparison with gpg --export --armor <KEY> | gpg --list-packets --verbose, but they also differ for me. I'm not entirely sure if that is because my key is out of sync somewhere or I'm just comparing/validating the wrong things.
Any guidance would be appreciated, I'm a noob at GPG.
@BethGriggs Thanks for taking a look at this so quickly, and I apologize for not being on top of things yesterday and only just now following up.
Here is what keys.openpgp.org has for your key: https://keys.openpgp.org/vks/v1/by-fingerprint/4ED778F539E3634C779C87C6D7062848A1AB005C
If that does not match what you get from running gpg --export --armor 4ED778F539E3634C779C87C6D7062848A1AB005C locally, then could you copy/paste the correct public key in a comment on this MR? Then I'll update this MR with that key and you can review to ensure it is correct.
If that link does match what you expect, but isn't what you see in this PR's changeset, then I may have mucked something up and I'll investigate and fix it right away.
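A way to make the comparison above without eyeballing armored text, as an added example that is not part of this PR or the repo: armored exports from different sources differ legitimately (armor headers, old vs. new packet header format, which user IDs and signatures a keyserver kept), so the thing to compare is the primary key fingerprint, which is computed only from the public-key packet. Assumes a v4 key whose public-key packet is the first packet in the block, which is what gpg --export produces.

```python
import base64
import hashlib

def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (BEGIN line, headers, blank line, CRC24 line, END line) and decode the base64 body."""
    body, in_body = [], False
    for line in armored.strip().splitlines():
        line = line.strip()
        if not in_body:
            in_body = line == ""  # the blank line ends the armor headers (Version:, Comment:, ...)
        elif line.startswith("=") or line.startswith("-----END"):
            break  # "=" opens the CRC24 line, which the fingerprint does not need
        else:
            body.append(line)
    return base64.b64decode("".join(body))

def iter_packets(data: bytes):
    """Yield (tag, body) per OpenPGP packet, handling old- and new-format headers (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:  # new format: tag in the low 6 bits, one-, two- or five-octet length
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old format: tag in bits 2-5, length-type (1, 2 or 4 octets) in the low 2 bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported")
            n = 1 << ltype
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def primary_fingerprint(armored: str) -> str:
    """Fingerprint of the first public-key packet (tag 6); v4 = SHA-1(0x99 || 2-octet length || body)."""
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 6:
            if body[0] != 4:
                raise ValueError("only v4 keys are supported")
            return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
    raise ValueError("no public-key packet found")
```

Run primary_fingerprint over the PR's file and over the local export; if the two 40-hex-digit values match (and match the fingerprint gpg prints), the blocks carry the same key regardless of how the armor differs.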
I'm thinking that going forward, if this repo is to be the source of truth for release keys, part of the release team onboarding/offboarding process will involve updating this repo, and I'm happy to help put together scripts/processes to assist in that, as well as easy ways to verify changes or automate some of this.
I've done some research on what is and isn't on keys.openpgp.org, and I'm seeing that is not a reliable source of truth for the current set of release team keys. Thus, a better path forward might be to have a script for a release team member to run to update this repo with any key used for signing prior or future Node.js releases (instead of me hunting for them on an unreliable third party keyserver).
Created #8 to provide a self-service option for release team members to add their own signing keys to this repo. cc @BethGriggs Assigned you for review of that one, and if it looks good to you, I think I'll close this PR in favor of having you, Richard, et al run the script to update your own keys with the appropriate values. That would eliminate dependencies on myself or third-party key servers, and establish a transparent, verifiable path for updating this repo.
ping @BethGriggs
Superseded. Closing.
Depends on #5.
In this changeset, I use the following script...
...to pull the latest keys from keys.openpgp.org, as of 2021-06-28.
The resulting output is as follows:
I then committed the resulting changes, omitting gpg/pubring.kbx~, which should probably be added to .gitignore.