Swiftly should ignore expired GPG keys
While I installed swiftly, I saw output like the following:
$ curl -L https://swiftlang.github.io/swiftly/swiftly-install.sh | bash
--[SNIPPED]--
Importing Swift's PGP keys...
gpg: key D441C977412B37AD: public key "Swift Automatic Signing Key #1 <[email protected]>" imported
gpg: key 9F597F4D21A56D5F: public key "Swift 2.2 Release Signing Key <[email protected]>" imported
gpg: key 63BC1CFE91D306C6: public key "Swift 3.x Release Signing Key <[email protected]>" imported
gpg: key EF5430F071E1B235: public key "Swift 4.x Release Signing Key <[email protected]>" imported
gpg: key 7638F1FB2B2B08C4: public key "Swift Automatic Signing Key #2 <[email protected]>" imported
gpg: key 925CC1CCED3D1561: public key "Swift 5.x Release Signing Key <[email protected]>" imported
gpg: key FAF6989E1BC16FEA: public key "Swift Automatic Signing Key #3 <[email protected]>" imported
gpg: key 925CC1CCED3D1561: "Swift 5.x Release Signing Key <[email protected]>" 1 new signature
gpg: key F167DF1ACF9CE069: public key "Swift Automatic Signing Key #4 <[email protected]>" imported
gpg: key 925CC1CCED3D1561: "Swift 5.x Release Signing Key <[email protected]>" 1 new signature
gpg: key F167DF1ACF9CE069: "Swift Automatic Signing Key #4 <[email protected]>" 1 new signature
Most of the keys are expired:
$ gpg --list-keys
--[SNIPPED]--
pub rsa4096 2015-11-19 [SC] [expired: 2017-11-18]
7463A81A4B2EEA1B551FFBCFD441C977412B37AD
uid [ expired] Swift Automatic Signing Key #1 <[email protected]>
pub rsa4096 2015-11-28 [SC] [expired: 2017-11-27]
1BE1E29A084CB305F397D62A9F597F4D21A56D5F
uid [ expired] Swift 2.2 Release Signing Key <[email protected]>
pub rsa4096 2016-05-31 [SC] [expired: 2018-05-31]
A3BAFD3556A59079C06894BD63BC1CFE91D306C6
uid [ expired] Swift 3.x Release Signing Key <[email protected]>
pub rsa4096 2017-06-14 [SC] [expired: 2019-06-14]
5E4DF843FB065D7F7E24FBA2EF5430F071E1B235
uid [ expired] Swift 4.x Release Signing Key <[email protected]>
pub rsa4096 2017-11-07 [SC] [expired: 2019-11-07]
8513444E2DA36B7C1659AF4D7638F1FB2B2B08C4
uid [ expired] Swift Automatic Signing Key #2 <[email protected]>
pub rsa4096 2019-03-22 [SC] [expires: 2025-03-19]
A62AE125BBBFBB96A6E042EC925CC1CCED3D1561
uid [ unknown] Swift 5.x Release Signing Key <[email protected]>
pub rsa4096 2019-11-07 [SC] [expired: 2021-11-06]
8A7495662C3CD4AE18D95637FAF6989E1BC16FEA
uid [ expired] Swift Automatic Signing Key #3 <[email protected]>
pub rsa4096 2021-11-08 [SC] [expires: 2025-11-09]
E813C892820A6FA13755B268F167DF1ACF9CE069
uid [ unknown] Swift Automatic Signing Key #4 <[email protected]>
I think expired keys are useless? Also, swiftly doesn't support downloading Swift 2/3/4 releases. And the Automatic Signing Keys 1/2/3 are apparently obsoleted by key 4. So I think swiftly should ignore those expired keys.
The keys come from the swift.org website (https://www.swift.org/keys/all-keys.asc). It might be better that the website stops serving expired keys. You could add an issue there.
There is nothing stopping swiftly installing swift 2/3/4. As long as the tarballs are available on swift.org it should work. I haven't tested swift 2 or 3 though.
Swift website has a page for active GPG keys (https://www.swift.org/keys/active/). I found it via Google. Unfortunately that page isn't script-friendly and there seems to be no active-keys.asc file. On the other hand, I suspect all-keys.asc is for archival purposes so it probably should contain expired keys.
When I submitted the issue, I thought gpg might have an option to skip expired keys when importing them. I googled a bit today. There seems to be no out-of-the-box way to do it. Also, based on some discussions on the net, gpg allows one to verify signatures using expired keys.
So, while I think the current behavior is a little bit confusing to me, I don't have a strong opinion about it. Feel free to close it if there isn't a simple way or it isn't worth the effort.
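As an added example (not part of this issue thread and not swiftly's own code), the following POSIX shell script does what the comment above says gpg cannot do out of the box: it imports a keyring file such as all-keys.asc into a throwaway GnuPG home, reads the machine-readable `gpg --with-colons` listing, and re-imports into the real keyring only those primary keys whose validity field is not `e` (expired) or `r` (revoked). The colon-format listing embedded in `SAMPLE_LISTING` is constructed from the fingerprints shown in the issue and is not real gpg output; the `sub` record and all timestamps and hashes in it are invented, and the subkey is there only to show that `fpr` lines following a `sub` belong to the subkey and must be skipped. Function names (`expired_fingerprints`, `active_fingerprints`, `import_active_keys`) are this example's own.

```shell
#!/bin/sh
# Filter expired/revoked primary keys out of a gpg keyring listing.
# Input for the two *_fingerprints functions is the output of
#   gpg --batch --with-colons --with-fingerprint --list-keys
# Field layout used here (gpg "colon" format):
#   pub:<validity>:...:<keyid>:<created>:<expires>:...   validity "e" = expired, "r" = revoked
#   fpr:::::::::<fingerprint>:                           fingerprint of the preceding pub/sub
#   sub:...                                               a subkey; its fpr line follows it

# Print fingerprints of primary keys gpg marks as expired.
expired_fingerprints() {
    awk -F: '
        $1 == "pub" { flag = ($2 == "e"); next }   # remember validity of this primary key
        $1 == "sub" { flag = 0; next }             # fpr after sub is a subkey fingerprint, skip it
        $1 == "fpr" && flag { print $10 }
    '
}

# Print fingerprints of primary keys that are neither expired nor revoked.
active_fingerprints() {
    awk -F: '
        $1 == "pub" { flag = ($2 != "e" && $2 != "r"); next }
        $1 == "sub" { flag = 0; next }
        $1 == "fpr" && flag { print $10 }
    '
}

# Import only the active keys from $1 (an armored keyring such as all-keys.asc)
# into the default GnuPG home. The file is first loaded into a temporary home so
# the expired keys never touch the real keyring. Not run by the test below.
import_active_keys() {
    keyfile=$1
    tmp=$(mktemp -d) || return 1
    gpg --homedir "$tmp" --batch --quiet --import "$keyfile" || { rm -rf "$tmp"; return 1; }
    active=$(gpg --homedir "$tmp" --batch --with-colons --with-fingerprint --list-keys | active_fingerprints)
    if [ -n "$active" ]; then
        # $active is intentionally unquoted: one fingerprint per word.
        gpg --homedir "$tmp" --batch --export --armor $active | gpg --batch --import
    fi
    rm -rf "$tmp"
}

# Constructed sample listing (NOT real gpg output): one expired key, one active
# key with an invented subkey. Fingerprints are the ones shown in the issue.
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:e:4096:1:D441C977412B37AD:1447919400:1511015400::-:::sc::::::23::0:
fpr:::::::::7463A81A4B2EEA1B551FFBCFD441C977412B37AD:
uid:e::::1447919400::0000000000000000000000000000000000000000::Swift Automatic Signing Key #1::::::::::0:
pub:-:4096:1:F167DF1ACF9CE069:1636329600:1762646400::-:::sc::::::23::0:
fpr:::::::::E813C892820A6FA13755B268F167DF1ACF9CE069:
uid:-::::1636329600::1111111111111111111111111111111111111111::Swift Automatic Signing Key #4::::::::::0:
sub:-:4096:1:0011223344556677:1636329600:1762646400:::::e::::::23:
fpr:::::::::00112233445566778899AABBCCDDEEFF00112233:'

# Stand-alone demo on the constructed sample.
printf 'expired:\n%s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | expired_fingerprints)"
printf 'active:\n%s\n'  "$(printf '%s\n' "$SAMPLE_LISTING" | active_fingerprints)"
```

Usage against the real file: `import_active_keys all-keys.asc`. Note that this only keeps the expired keys out of the keyring; as the comment above says, gpg itself will still verify a signature made by an expired key if that key is present, so the filtering is about keeping the keyring tidy, not about rejecting old signatures.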
I think opening an issue on the Swift.org website to provide a nice parseable way of getting the current keys is something we should be able to implement.
I submitted an enhancement #776 in swift.org repo.
We'll still need the 2.x,3.x,4.x release keys, otherwise we won't be able to verify installs of Swift earlier than 5.0
Swiftly follows what the swift.org website uses to allow third parties to validate the toolchain contents. If the website changes the mechanism then swiftly will need to adopt the changes, and now that swiftly will be provided by swift.org, any impact should be rolled out to swiftly whenever such changes are made.
I think that we should close this issue on swiftly itself until the website authentication mechanism is changed.
CC @shahmishal, should we have a separate API for pulling down active keys instead of all keys? Or can we mark inactive keys coming from the website so that swiftly can filter them?