open-telemetry / sig-security


Where to publish Java signing pubkey? #14

Open breedx-splk opened 1 year ago

breedx-splk commented 1 year ago

Related to #10.

The Java repos (opentelemetry-java, opentelemetry-java-instrumentation, opentelemetry-java-contrib, opentelemetry-android, semantic-conventions-java, https://github.com/open-telemetry/opentelemetry-proto-java) publish artifacts to Sonatype for inclusion in Maven Central. You can see some examples of these .asc signatures here. Sonatype requires artifacts to be signed, and the Java projects do this signing at build time using GitHub secrets in GitHub Actions.

For these signatures to be publicly verified by otel users, we need to publish our public key someplace findable. Is there some existing location for these pubkeys?

Ideally we would also create a verifiable web of trust, but we can defer that for a separate issue.

breedx-splk commented 1 year ago

@trask pointed out a good resource here: https://central.sonatype.org/publish/requirements/gpg/#distributing-your-public-key

I assume we'd want to standardize across otel.

breedx-splk commented 1 year ago

I have confirmed that the java key is published to the ubuntu keystore:

root@0800e2acf2f3:/# gpg --keyserver keyserver.ubuntu.com --recv-keys A60FF5F0
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 17A27CE7A60FF5F0: public key "OpenTelemetry Java" imported
gpg: Total number processed: 1
gpg:               imported: 1

I'm not sure how a user would find our key ID in the first place though. 🙃
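As an added example (not code from this thread or from the OpenTelemetry projects), here is how an end user could use the key from the session above to verify a Maven Central artifact. The artifact coordinates are assumed, and the expected full fingerprint is a placeholder to be replaced with the value published by the Java repo; the point is that the short or long key ID only locates the key, while the full fingerprint is what gets pinned.

```shell
#!/usr/bin/env bash
# Added example: verify a Maven Central artifact's detached .asc signature against the
# OpenTelemetry Java key from the gpg session above. The ids A60FF5F0 / 17A27CE7A60FF5F0
# only locate the key on the keyserver; the full 40-hex fingerprint, obtained out of
# band, is what a user should pin.
set -eu

KEYSERVER="keyserver.ubuntu.com"
LONG_KEYID="17A27CE7A60FF5F0"   # long key id shown in the gpg session above
# PLACEHOLDER fingerprint: set OTEL_JAVA_FPR to the value published by the Java repo.
EXPECTED_FPR="${OTEL_JAVA_FPR:-0000000000000000000000000000000000000000}"

# check_validsig EXPECTED_FPR: read gpg --status-fd output on stdin and succeed only if a
# VALIDSIG line names exactly the expected signing-key fingerprint (field 3 of the line).
# Pure text processing, so it can be exercised without gpg or network access.
check_validsig() {
  local expected="$1" fpr
  fpr=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
  [ -n "$fpr" ] && [ "$fpr" = "$expected" ]
}

# verify_artifact GROUP_PATH ARTIFACT VERSION, e.g.
#   verify_artifact io/opentelemetry opentelemetry-api 1.0.0   (coordinates are assumed)
# Downloads the jar and its .asc, fetches the key into a throwaway keyring, verifies, and
# checks the fingerprint explicitly instead of trusting gpg's exit status alone.
verify_artifact() {
  local base="https://repo1.maven.org/maven2/$1/$2/$3/$2-$3" jar="$2-$3.jar" status
  GNUPGHOME=$(mktemp -d); export GNUPGHOME
  curl -fsSLO "$base.jar"
  curl -fsSLO "$base.jar.asc"
  gpg --batch --keyserver "$KEYSERVER" --recv-keys "$LONG_KEYID"
  # --status-fd 1 puts machine-readable status lines on stdout; human output stays on stderr
  status=$(gpg --batch --status-fd 1 --verify "$jar.asc" "$jar" 2>/dev/null) || return 1
  printf '%s\n' "$status" | check_validsig "$EXPECTED_FPR"
}
```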

jpkrohling commented 1 year ago

Where would you have looked for it first: here in this repository, or in the Java repository?

breedx-splk commented 1 year ago

> Where would you have looked for it first: here in this repository, or in the Java repository?

Take my answer with a grain of salt because I'm heavily biased due to my involvement in otel java, but I would have looked in the java repo first.

jpkrohling commented 1 year ago

That would also have been my guess. I'm not sure this repo here should host any artifact at all, to be honest.

breedx-splk commented 1 year ago

> That would also have been my guess. I'm not sure this repo here should host any artifact at all, to be honest.

That's fair. I had mostly opened this looking for some guidance. If that guidance is just to have the pubkey as a file checked into the relevant repos, I'm cool with that. If there's some broader effort around signing (#10?) I'd just like to make sure that java is doing things consistently. If there were a place on the website to consolidate pubkeys, I can offer to contribute the java one.

jpkrohling commented 1 year ago

The SIG security is still relatively new, and we are happy to hear best practices adopted elsewhere as well as other suggestions.

@codeboten, wasn't there a similar question some days ago?

oly-baby commented 11 months ago

@jpkrohling

Please, can I work on this?

jpkrohling commented 11 months ago

Yes, but I believe the SIG Security needs to decide first what's the appropriate action here. Once we determine that, you can implement it.

oly-baby commented 11 months ago

Alright, I would love to be informed of the decision.

jpkrohling commented 3 months ago

Related to https://github.com/open-telemetry/sig-security/issues/48