swiftlang / swiftly

A Swift toolchain installer and manager, written in Swift.
https://swiftlang.github.io/swiftly/
Apache License 2.0

Swiftly should ignore expired GPG keys #148

Open rayx opened 1 month ago

rayx commented 1 month ago

While I installed swiftly, I saw output like the following:

$ curl -L https://swiftlang.github.io/swiftly/swiftly-install.sh | bash
--[SNIPPED]--
Importing Swift's PGP keys...
gpg: key D441C977412B37AD: public key "Swift Automatic Signing Key #1 <swift-infrastructure@swift.org>" imported
gpg: key 9F597F4D21A56D5F: public key "Swift 2.2 Release Signing Key <swift-infrastructure@swift.org>" imported
gpg: key 63BC1CFE91D306C6: public key "Swift 3.x Release Signing Key <swift-infrastructure@swift.org>" imported
gpg: key EF5430F071E1B235: public key "Swift 4.x Release Signing Key <swift-infrastructure@swift.org>" imported
gpg: key 7638F1FB2B2B08C4: public key "Swift Automatic Signing Key #2 <swift-infrastructure@swift.org>" imported
gpg: key 925CC1CCED3D1561: public key "Swift 5.x Release Signing Key <swift-infrastructure@swift.org>" imported
gpg: key FAF6989E1BC16FEA: public key "Swift Automatic Signing Key #3 <swift-infrastructure@swift.org>" imported
gpg: key 925CC1CCED3D1561: "Swift 5.x Release Signing Key <swift-infrastructure@swift.org>" 1 new signature
gpg: key F167DF1ACF9CE069: public key "Swift Automatic Signing Key #4 <swift-infrastructure@forums.swift.org>" imported
gpg: key 925CC1CCED3D1561: "Swift 5.x Release Signing Key <swift-infrastructure@swift.org>" 1 new signature
gpg: key F167DF1ACF9CE069: "Swift Automatic Signing Key #4 <swift-infrastructure@forums.swift.org>" 1 new signature

Most of the keys are expired:

$ gpg --list-keys
--[SNIPPED]--
pub   rsa4096 2015-11-19 [SC] [expired: 2017-11-18]
      7463A81A4B2EEA1B551FFBCFD441C977412B37AD
uid           [ expired] Swift Automatic Signing Key #1 <swift-infrastructure@swift.org>

pub   rsa4096 2015-11-28 [SC] [expired: 2017-11-27]
      1BE1E29A084CB305F397D62A9F597F4D21A56D5F
uid           [ expired] Swift 2.2 Release Signing Key <swift-infrastructure@swift.org>

pub   rsa4096 2016-05-31 [SC] [expired: 2018-05-31]
      A3BAFD3556A59079C06894BD63BC1CFE91D306C6
uid           [ expired] Swift 3.x Release Signing Key <swift-infrastructure@swift.org>

pub   rsa4096 2017-06-14 [SC] [expired: 2019-06-14]
      5E4DF843FB065D7F7E24FBA2EF5430F071E1B235
uid           [ expired] Swift 4.x Release Signing Key <swift-infrastructure@swift.org>

pub   rsa4096 2017-11-07 [SC] [expired: 2019-11-07]
      8513444E2DA36B7C1659AF4D7638F1FB2B2B08C4
uid           [ expired] Swift Automatic Signing Key #2 <swift-infrastructure@swift.org>

pub   rsa4096 2019-03-22 [SC] [expires: 2025-03-19]
      A62AE125BBBFBB96A6E042EC925CC1CCED3D1561
uid           [ unknown] Swift 5.x Release Signing Key <swift-infrastructure@swift.org>

pub   rsa4096 2019-11-07 [SC] [expired: 2021-11-06]
      8A7495662C3CD4AE18D95637FAF6989E1BC16FEA
uid           [ expired] Swift Automatic Signing Key #3 <swift-infrastructure@swift.org>

pub   rsa4096 2021-11-08 [SC] [expires: 2025-11-09]
      E813C892820A6FA13755B268F167DF1ACF9CE069
uid           [ unknown] Swift Automatic Signing Key #4 <swift-infrastructure@forums.swift.org>

I think expired keys are useless? Also, swiftly doesn't support downloading Swift 2/3/4 releases. And the Automatic Signing Keys 1/2/3 are apparently obsoleted by key 4. So I think swiftly should ignore those expired keys.

adam-fowler commented 1 month ago

The keys come from the swift.org website (https://www.swift.org/keys/all-keys.asc). It might be better that the website stops serving expired keys. You could add an issue there.

There is nothing stopping swiftly installing swift 2/3/4. As long as the tarballs are available on swift.org it should work. I haven't tested swift 2 or 3 though.

rayx commented 1 month ago

The Swift website has a page for active GPG keys (https://www.swift.org/keys/active/). I found it via Google. Unfortunately that page isn't script-friendly and there seems to be no active-keys.asc file. On the other hand, I suspect all-keys.asc is for archival purposes so it probably should contain expired keys.

When I submitted the issue, I thought gpg might have an option to skip expired keys when importing them. I googled a bit today. There seems to be no out-of-the-box way to do it. Also, based on some discussions on the net, gpg allows one to verify signatures using expired keys.

So, while the current behavior is a little bit confusing to me, I don't have a strong opinion about it. Feel free to close it if there isn't a simple way or it isn't worth the effort.
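Since gpg has no import-time filter for expired keys, the practical check is to inventory the keyring afterwards with its machine-readable `--with-colons` output, where field 2 of each `pub` record is the validity flag (`e` = expired, `r` = revoked). The script below is an added example, not part of this thread or of swiftly; the `SAMPLE_COLONS` input is constructed to resemble the expired and current Swift keys listed above, and `key_state` / `expired_keyids` are hypothetical helper names.

```shell
#!/bin/sh
# Inventory primary keys from `gpg --with-colons --list-keys` output and
# report which ones gpg considers expired. Record layout used here:
#   field 1 = record type ("pub", "fpr", "uid", ...)
#   field 2 = validity ("e" expired, "r" revoked, "-"/"q"/"u"/"f" otherwise)
#   field 5 = 16-hex-digit key ID
#   field 7 = expiry time as epoch seconds (empty if the key never expires)

# Constructed sample (shape of real `gpg --with-colons --list-keys` output);
# one expired key and one still-valid key, as in the listing in this issue.
SAMPLE_COLONS='pub:e:4096:1:D441C977412B37AD:1447891200:1510963200::-:::scSC::::::23::0:
fpr:::::::::7463A81A4B2EEA1B551FFBCFD441C977412B37AD:
uid:e::::1447891200::0000000000000000:Swift Automatic Signing Key #1 <swift-infrastructure@swift.org>::::::::::0:
pub:-:4096:1:925CC1CCED3D1561:1553212800:1742342400::-:::scSC::::::23::0:
fpr:::::::::A62AE125BBBFBB96A6E042EC925CC1CCED3D1561:
uid:-::::1553212800::0000000000000000:Swift 5.x Release Signing Key <swift-infrastructure@swift.org>::::::::::0:'

# key_state: read with-colons records on stdin, print "<keyid> <state>"
# for every primary key, so an installer can log exactly what it imported.
key_state() {
    awk -F: '$1 == "pub" {
        state = ($2 == "e") ? "expired" : (($2 == "r") ? "revoked" : "valid")
        print $5, state
    }'
}

# expired_keyids: only the key IDs gpg marks expired. This is an inventory,
# not a deletion: expired release keys may still be needed to verify older
# toolchains, so deciding what to prune is a separate policy step.
expired_keyids() {
    key_state | awk '$2 == "expired" { print $1 }'
}

# Offline demo on the constructed sample. Against a live keyring, replace the
# printf with: gpg --with-colons --list-keys
printf '%s\n' "$SAMPLE_COLONS" | key_state
```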

0xTim commented 1 month ago

I think opening an issue on the Swift.org website to provide a nice parseable way of getting the current keys is something we should be able to implement.

rayx commented 1 month ago

I submitted an enhancement #776 in swift.org repo.

adam-fowler commented 1 month ago

We'll still need the 2.x, 3.x, 4.x release keys, otherwise we won't be able to verify installs of Swift earlier than 5.0.