search

rnpgp / rnpgp.github.io

Official RNP site
https://www.rnpgp.com
1 stars 3 forks source link

doc: Display current pgp key used for signing RNP #44

Closed ribose-jeffreylau closed 3 years ago

ribose-jeffreylau commented 3 years ago

Fixes #43

Related to https://github.com/rnpgp/rnp/issues/1586

ronaldtse commented 3 years ago

Ping @ni4 @antonsviridenko for thoughts.

ni4 commented 3 years ago

@ronaldtse approach looks good to me. We should also link from releases to this page (or the key file directly).

ronaldtse commented 3 years ago

Thanks @ribose-jeffreylau @ni4 !

antonsviridenko commented 3 years ago

Has anyone actually tried to verify these signatures using provided key? :)

antonsviridenko commented 3 years ago 
$ wget https://www.rnpgp.org/openpgp_keys/BEDBA05C1E6EE2DFB4BA72E1EC5D520AD90A7262-A845A5BD622556E89D7763B5EB06D1696BEC4C90.asc
$ rnpkeys --import BEDBA05C1E6EE2DFB4BA72E1EC5D520AD90A7262-A845A5BD622556E89D7763B5EB06D1696BEC4C90.asc
[init_file_src() /var/tmp/portage/app-crypt/rnp-9999/work/rnp-9999/src/librepgp/stream-common.cpp:426] can't stat '/home/odsk/.rnp/pubring.gpg'
wrong pubring path

pub   255/EdDSA ec5d520ad90a7262 2021-07-07 [C] [EXPIRES 2071-06-25]
      bedba05c1e6ee2dfb4ba72e1ec5d520ad90a7262
uid           RNPGP Release Signing Key <rnpgp@ribose.com>
sub   255/EdDSA eb06d1696bec4c90 2021-07-09 [S] [EXPIRES 2022-07-09]
      a845a5bd622556e89d7763b5eb06d1696bec4c90

$ rnp --verify v0.15.2.zip.asc 
[signed_src_finish() /var/tmp/portage/app-crypt/rnp-9999/work/rnp-9999/src/librepgp/stream-parse.cpp:1024] signer's key not found
NO PUBLIC KEY for signature made Mon Aug  9 13:52:08 2021
using EdDSA key a95b6eef632cb526
Signature verification failure: 0 invalid signature(s), 1 unknown signature(s)

$ rnp --verify v0.15.2.tar.gz.asc 
[signed_src_finish() /var/tmp/portage/app-crypt/rnp-9999/work/rnp-9999/src/librepgp/stream-parse.cpp:1024] signer's key not found
NO PUBLIC KEY for signature made Mon Aug  9 13:52:08 2021
using EdDSA key a95b6eef632cb526
Signature verification failure: 0 invalid signature(s), 1 unknown signature(s)
antonsviridenko commented 3 years ago

And who controls secret part of this signing key and where is it stored?

ni4 commented 3 years ago

@ribose-jeffreylau Looks like you used other subkey for signing, with fingerprint 17a7c9ba17852c422fec2072a95b6eef632cb526.

ribose-jeffreylau commented 3 years ago

I think we need more checks in place... maybe something like a cron job (on GHA) to check the validity of release signatures every day or so.

@antonsviridenko Yes, I tried and they Worked On My Machine (tm), just didn't realize I used a similar-looking but different key :p

The secret key is controlled by Ribose, which includes Ron and me.

@ni4 Thanks! That looks like it!

I've replaced all signatures now...

ni4 commented 3 years ago

@ribose-jeffreylau Thanks, now things work as expected!