Closed ribose-jeffreylau closed 3 years ago
Ping @ni4 @antonsviridenko for thoughts.
@ronaldtse approach looks good to me. We should also link from releases to this page (or the key file directly).
Thanks @ribose-jeffreylau @ni4 !
Has anyone actually tried to verify these signatures using provided key? :)
$ wget https://www.rnpgp.org/openpgp_keys/BEDBA05C1E6EE2DFB4BA72E1EC5D520AD90A7262-A845A5BD622556E89D7763B5EB06D1696BEC4C90.asc
$ rnpkeys --import BEDBA05C1E6EE2DFB4BA72E1EC5D520AD90A7262-A845A5BD622556E89D7763B5EB06D1696BEC4C90.asc
[init_file_src() /var/tmp/portage/app-crypt/rnp-9999/work/rnp-9999/src/librepgp/stream-common.cpp:426] can't stat '/home/odsk/.rnp/pubring.gpg'
wrong pubring path
pub 255/EdDSA ec5d520ad90a7262 2021-07-07 [C] [EXPIRES 2071-06-25]
bedba05c1e6ee2dfb4ba72e1ec5d520ad90a7262
uid RNPGP Release Signing Key <rnpgp@ribose.com>
sub 255/EdDSA eb06d1696bec4c90 2021-07-09 [S] [EXPIRES 2022-07-09]
a845a5bd622556e89d7763b5eb06d1696bec4c90
$ rnp --verify v0.15.2.zip.asc
[signed_src_finish() /var/tmp/portage/app-crypt/rnp-9999/work/rnp-9999/src/librepgp/stream-parse.cpp:1024] signer's key not found
NO PUBLIC KEY for signature made Mon Aug 9 13:52:08 2021
using EdDSA key a95b6eef632cb526
Signature verification failure: 0 invalid signature(s), 1 unknown signature(s)
$ rnp --verify v0.15.2.tar.gz.asc
[signed_src_finish() /var/tmp/portage/app-crypt/rnp-9999/work/rnp-9999/src/librepgp/stream-parse.cpp:1024] signer's key not found
NO PUBLIC KEY for signature made Mon Aug 9 13:52:08 2021
using EdDSA key a95b6eef632cb526
Signature verification failure: 0 invalid signature(s), 1 unknown signature(s)
And who controls the secret part of this signing key, and where is it stored?
@ribose-jeffreylau Looks like you used another subkey for signing, with fingerprint 17a7c9ba17852c422fec2072a95b6eef632cb526.
I think we need more checks in place... maybe something like a cron job (on GHA) to check the validity of release signatures every day or so.
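As an added illustration of the kind of check such a scheduled job could run before the full `rnp --verify`, here is a small Python pre-check that is not part of this thread or of the rnp project. It parses the issuer subpackets of an ASCII-armored OpenPGP signature (RFC 4880 signature packet, type 16 issuer key ID and type 33 issuer fingerprint) and reports whether the signer is one of the keys actually in the published key file. The fingerprints are the ones quoted in this thread; the signature packet it builds is constructed for the example, with dummy MPIs, so it only reproduces the "signer's key not found" situation and is not a verifiable signature. It complements, and does not replace, a cryptographic verify against the published key.

```python
import base64
import struct

# Constructed sample values copied from the thread: the published key file's keys,
# and the fingerprint of the subkey the first release signatures were made with.
PUBLISHED_FINGERPRINTS = {
    "bedba05c1e6ee2dfb4ba72e1ec5d520ad90a7262",  # primary key [C]
    "a845a5bd622556e89d7763b5eb06d1696bec4c90",  # signing subkey [S]
}
OTHER_SUBKEY_FPR = "17a7c9ba17852c422fec2072a95b6eef632cb526"

def _encode_len(n: int) -> bytes:
    """New-format length octets (RFC 4880 4.2.2 / 5.2.3.1); sizes here stay below 8384."""
    return bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])

def _read_len(buf: bytes, pos: int):
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5

def build_signature_packet(issuer_fpr: bytes, created: int, old_header: bool = False) -> bytes:
    """Constructed v4 signature packet (tag 2); hash prefix and MPIs are dummies."""
    sub_time = _encode_len(5) + bytes([2]) + struct.pack(">I", created)        # type 2
    sub_fpr = _encode_len(2 + len(issuer_fpr)) + bytes([33, 4]) + issuer_fpr  # type 33
    sub_keyid = _encode_len(9) + bytes([16]) + issuer_fpr[-8:]                # type 16
    hashed, unhashed = sub_time + sub_fpr, sub_keyid
    body = (bytes([4, 0x00, 22, 8])  # v4, binary document, EdDSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd" + (struct.pack(">H", 8) + b"\x80") * 2)  # dummy hash prefix, r, s
    if old_header:  # old-format header, tag 2, two-octet length (0x89), as GnuPG writes
        return bytes([0x89]) + struct.pack(">H", len(body)) + body
    return bytes([0xC2]) + _encode_len(len(body)) + body

def armor(packet: bytes) -> str:
    b64 = base64.b64encode(packet).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN PGP SIGNATURE-----\nComment: constructed sample\n\n"
            + wrapped + "\n-----END PGP SIGNATURE-----\n")

def dearmor(text: str) -> bytes:
    """Strip ASCII armor, its headers and the optional '=' CRC line."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP "))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP "))
    body = lines[start + 1:end]
    body = body[body.index("") + 1:] if "" in body else body
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def signature_issuer(packet: bytes) -> dict:
    """Issuer key ID (type 16), fingerprint (type 33) and creation time (type 2)
    of one v4 signature packet; hashed subpackets take precedence."""
    first = packet[0]
    if first & 0x40:                             # new-format header
        tag, (length, pos) = first & 0x3F, _read_len(packet, 1)
    else:                                        # old-format header
        tag, width = (first >> 2) & 0x0F, (1, 2, 4, 0)[first & 0x03]
        if width == 0:
            raise ValueError("indeterminate-length packet unsupported")
        length, pos = int.from_bytes(packet[1:1 + width], "big"), 1 + width
    if not first & 0x80 or tag != 2:
        raise ValueError("not an OpenPGP signature packet")
    body = packet[pos:pos + length]
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    info, off = {"key_id": None, "fingerprint": None, "created": None}, 4
    for _ in range(2):                           # hashed area, then unhashed area
        count = struct.unpack(">H", body[off:off + 2])[0]
        off, end = off + 2, off + 2 + count
        while off < end:
            slen, off = _read_len(body, off)
            stype, data = body[off] & 0x7F, body[off + 1:off + slen]
            off += slen
            if stype == 2 and info["created"] is None:
                info["created"] = struct.unpack(">I", data)[0]
            elif stype == 16 and info["key_id"] is None:
                info["key_id"] = data.hex()
            elif stype == 33 and data[0] == 4 and info["fingerprint"] is None:
                info["fingerprint"] = data[1:].hex()
    return info

def check_issuer(armored_sig: str, published: set) -> tuple:
    """Cheap pre-check before a full verify: is the signer in the published key file?"""
    info = signature_issuer(dearmor(armored_sig))
    trusted = {f.lower() for f in published}
    fpr, kid = info["fingerprint"], info["key_id"]
    if fpr and fpr in trusted:
        return True, f"issuer fingerprint {fpr} is published"
    if fpr is None and kid and any(f.endswith(kid) for f in trusted):
        return True, f"issuer key ID {kid} matches a published key"
    return False, f"signer {fpr or kid} is not in the published key file"

if __name__ == "__main__":
    sig = armor(build_signature_packet(bytes.fromhex(OTHER_SUBKEY_FPR), 1628517128))
    print(check_issuer(sig, PUBLISHED_FINGERPRINTS))
```

Run against a real `.asc` from a release, `check_issuer(open("v0.15.2.tar.gz.asc").read(), PUBLISHED_FINGERPRINTS)` flags the mismatch this thread hit (a signer with key ID a95b6eef632cb526 that the key file does not contain) before the keyring import and `rnp --verify` step; a match only means the named key is the expected one, so the real verify still has to run.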
@antonsviridenko Yes, I tried and they Worked On My Machine (tm), just didn't realize I used a similar-looking but different key :p
The secret key is controlled by Ribose, which includes Ron and me.
@ni4 Thanks! That looks like it!
I've replaced all signatures now...
@ribose-jeffreylau Thanks, now things work as expected!
Fixes #43
Related to https://github.com/rnpgp/rnp/issues/1586