voxpupuli / puppet-rabbitmq

RabbitMQ Puppet Module
http://forge.puppetlabs.com/puppet/rabbitmq
Apache License 2.0
172 stars, 503 forks

Fetch signing keys from GitHub or Bintray #781

Open michaelklishin opened 5 years ago

michaelklishin commented 5 years ago

This module downloads the signing key from rabbitmq.com. Team RabbitMQ deprecated downloads from rabbitmq.com a couple of years ago (see Signatures). Why? We don't want to be distributing artifacts; there are services that do it better.

The key is available from Bintray and GitHub. Please switch to one of those locations.

The current key isn't going to be removed from rabbitmq.com but when it's time to renew, it may or may not make the cut.

wyardley commented 5 years ago

Are there any releases for which F4E789204D206F89 is still valid, and if so, is that accessible from anywhere?

michaelklishin commented 5 years ago

@wyardley we've migrated to the new key about 3 years ago (mailing list announcement). 3.5.8 and early 3.6.x releases were all signed with the new key. We re-signed even legacy apt repositories on rabbitmq.com IIRC.

The old key is available from Bintray. I honestly think we can consider it to be irrelevant.

wyardley commented 5 years ago

@michaelklishin I have to double check - the module’s default behavior actually ships 3.3.x (from the vendors’ repos) on certain platforms, though I guess in that case it will probably be signed with the vendor’s key? I feel like there’s a reason that we have the old key imported in one or two places, but could be wrong.

juniorsysadmin commented 5 years ago

Ideally the public key should be included with this module and not fetched as well.

wyardley commented 5 years ago

@juniorsysadmin I agree that that's probably the most secure way. Do you have time / inclination to throw up a PR to switch it to this pattern?
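As an added illustration of the pattern agreed on above (example code, not from this issue and not the puppet-rabbitmq module's own manifests), the manifest below ships the release signing key inside the module and imports it from there, so nothing is downloaded at catalog-apply time and the key is pinned to a declared fingerprint. It assumes the puppetlabs-apt module's `apt::key` define, a key file checked into the module at `files/rabbitmq-release-signing-key.asc`, and a hypothetical class name `rabbitmq::repo::key`; the fingerprint value is a placeholder to be replaced with the fingerprint of the key actually shipped.

```puppet
# Added example: bundle the signing key with the module instead of
# fetching it from a URL while the catalog is applied.
#
# Assumptions (not from the issue):
#   - puppetlabs-apt is installed (provides the apt::key define)
#   - the ASCII-armoured public key is checked into this module as
#     files/rabbitmq-release-signing-key.asc
#   - $key_fingerprint below is a placeholder; replace it with the
#     40-hex-character fingerprint of the key you ship
#
# The pattern being replaced, for comparison (fetched at apply time):
#
#   apt::key { 'rabbitmq':
#     id     => $key_fingerprint,
#     source => 'https://example.invalid/signing-key.asc',  # placeholder URL
#   }

class rabbitmq::repo::key (
  # Placeholder fingerprint: substitute the real one before use.
  String[40, 40] $key_fingerprint = '0000000000000000000000000000000000000000',
) {
  # file() reads from the module's own files/ directory at compile time,
  # so reviewing the module means reviewing the key material itself.
  $key_content = file('rabbitmq/rabbitmq-release-signing-key.asc')

  # rpm records imported keys as gpg-pubkey-<short id>; the short id is
  # the last 8 hex characters of the fingerprint (lowercase).
  $short_id = downcase($key_fingerprint[32, 8])

  case $facts['os']['family'] {
    'Debian': {
      # With $id set, apt::key compares the fingerprint of the supplied
      # content against it and fails if they differ, so a swapped key
      # file cannot be imported silently.
      apt::key { 'rabbitmq':
        id      => $key_fingerprint,
        content => $key_content,
      }
    }
    'RedHat': {
      # Place the key where rpm expects repository keys, then import it
      # once; the `unless` guard checks the imported key's short id.
      file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-rabbitmq':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        content => $key_content,
      }
      exec { 'import-rabbitmq-signing-key':
        command => 'rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-rabbitmq',
        path    => ['/bin', '/usr/bin'],
        unless  => "rpm -q gpg-pubkey --qf '%{VERSION}\\n' | grep -q ${short_id}",
        require => File['/etc/pki/rpm-gpg/RPM-GPG-KEY-rabbitmq'],
      }
    }
    default: {
      fail("rabbitmq::repo::key does not support ${facts['os']['family']}")
    }
  }
}
```

On RPM-based hosts the matching `yumrepo` resource would then point `gpgkey` at `file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rabbitmq` with `gpgcheck => 1`, so package verification uses the shipped key rather than one fetched from the repository host. Renewing the key becomes a reviewed change to the module's `files/` directory and the declared fingerprint, which is the point of the pattern: the trust anchor travels with the code, not with the network.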

juniorsysadmin commented 5 years ago

@wyardley Sadly, I don't have much time for this at the moment.