
Release 3.0.0 not signed with GPG key

Open lmartinez-mirror opened this issue 3 years ago • 2 comments

Hi, I package fastly for the AUR. I was trying to update to the latest 3.0.0 release, however I noticed that it wasn't signed using the usual GPG key. Arch packaging guidelines say if upstream provides a GPG key to verify sources against, that we must use said key; I also cannot skip over GPG verification in cases like this.

Could you please re-sign the latest release? I would also appreciate if upstream signed all future stable releases. Thanks!

lmartinez-mirror avatar May 31 '22 01:05 lmartinez-mirror

Hi @lmartinez-mirror

Thanks for opening this issue.

We automatically publish the Fastly CLI to the AUR (via GitHub Actions) when there is a new release published: https://aur.archlinux.org/packages/fastly-bin

I don't recall there being a GPG key required for publishing to the AUR, only an SSH key. @mccurdyc you're more familiar with the Arch ecosystem, so maybe you can speak to this.

Thanks.

Integralist avatar May 31 '22 08:05 Integralist

From Arch package guidelines, sources section:

Sources should be verified using PGP signatures wherever possible (this might entail building from a git tag instead of a source tarball, if upstream signs commits and tags but not the tarballs). ... Do not diminish the security or validity of a package (e.g. by removing a checksum check or by removing PGP signature verification), because an upstream release is broken or suddenly lacks a certain feature (e.g. PGP signature missing for a new release). ... Packages submitted to the AUR must additionally comply with AUR submission guidelines.

Please let me know if you need anything else, thank you for your time!

lmartinez-mirror avatar Jun 01 '22 02:06 lmartinez-mirror

@lmartinez-mirror sorry that I'm just seeing this!

As @Integralist has mentioned, we haven't made any changes to our release process in version 3.0.0.

I confirmed that if I removed and re-installed the fastly-bin package, I didn't run into errors.

But, I see what @lmartinez-mirror is experiencing. It's related to our git tags not being GPG signed after version 2.0.0 - https://github.com/fastly/cli/releases?page=2

(screenshot of the releases page attached)

mccurdyc avatar Sep 21 '22 12:09 mccurdyc
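As an added example, not code from the fastly/cli project or from anyone in this thread: the two checks a packager actually runs against a release tag. The first classifies a tag as lightweight, annotated-but-unsigned (the state described for the tags after 2.0.0), or carrying a PGP/SSH signature block, by reading the tag object. The second is `git verify-tag`, the cryptographic check, which is what makepkg performs for a git source marked `?signed` when the key is listed in `validpgpkeys`. The repository, the tag names v2.9.0/v3.0.0/v4.0.0 and the throwaway GPG key are all constructed for the demo; the signed-tag part is skipped when `gpg` is not installed.

```shell
#!/bin/sh
# Added example, not code from the fastly/cli project.
# Classifies a git tag's signature state and runs git's own verification.
# Tag names (v2.9.0, v3.0.0, v4.0.0), the repository and the key are
# constructed for this demo.
set -eu

# Print one word describing refs/tags/<tag> in <repo>:
#   missing      no such tag
#   lightweight  plain pointer to a commit; cannot carry a signature at all
#   unsigned     annotated tag object with no signature block
#   signed-pgp   annotated tag carrying a PGP signature (git tag -s)
#   signed-ssh   annotated tag carrying an SSH signature (gpg.format=ssh)
tag_signature_status() {
    local repo="$1" tag="$2" body
    if ! git -C "$repo" rev-parse -q --verify "refs/tags/$tag" >/dev/null 2>&1; then
        echo missing; return 0
    fi
    if [ "$(git -C "$repo" cat-file -t "refs/tags/$tag")" != tag ]; then
        echo lightweight; return 0
    fi
    # The signature, if any, is appended to the tag object's message.
    body=$(git -C "$repo" cat-file -p "refs/tags/$tag")
    case "$body" in
        *"-----BEGIN PGP SIGNATURE-----"*) echo signed-pgp ;;
        *"-----BEGIN SSH SIGNATURE-----"*) echo signed-ssh ;;
        *) echo unsigned ;;
    esac
}

# A signature block being present is not the same as it verifying: this asks
# git (and through it gpg) to check the signature against the local keyring.
# It is the check makepkg performs for a git source marked '?signed'.
verify_tag() {
    git -C "$1" verify-tag "$2" >/dev/null 2>&1
}

# ---- Demo on a throwaway repository --------------------------------------
DEMO=$(mktemp -d)
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$DEMO"' EXIT
git init -q "$DEMO"
git -C "$DEMO" config user.name  "Demo"
git -C "$DEMO" config user.email "demo@example.invalid"
git -C "$DEMO" commit -q --allow-empty -m "release commit"
git -C "$DEMO" tag v2.9.0                  # lightweight
git -C "$DEMO" tag -a v3.0.0 -m "v3.0.0"   # annotated, unsigned: what the report describes

# Signed tag, only when gpg is available: generate a throwaway key in an
# isolated GNUPGHOME so nothing touches the real keyring.
SIGNED_STATUS=skipped
if command -v gpg >/dev/null 2>&1; then
    export GNUPGHOME="$DEMO/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    printf '%s\n' '%no-protection' 'Key-Type: RSA' 'Key-Length: 2048' \
        'Name-Real: Demo Release Key' 'Name-Email: release@example.invalid' \
        'Expire-Date: 0' '%commit' > "$DEMO/keyparams"
    if gpg --batch --gen-key "$DEMO/keyparams" >/dev/null 2>&1; then
        FPR=$(gpg --batch --with-colons --list-secret-keys | awk -F: '/^fpr/ {print $10; exit}')
        if git -C "$DEMO" tag -s -u "$FPR" v4.0.0 -m "v4.0.0" >/dev/null 2>&1; then
            SIGNED_STATUS=$(tag_signature_status "$DEMO" v4.0.0)
        fi
    fi
fi

for t in v2.9.0 v3.0.0 v4.0.0; do
    status=$(tag_signature_status "$DEMO" "$t")
    if verify_tag "$DEMO" "$t"; then v=verified; else v=not-verified; fi
    echo "$t: $status ($v)"
done
```

Against a real checkout, `tag_signature_status . v3.0.0` answers the question raised in this issue without needing the key at all, while `verify_tag` (or `git tag -v v3.0.0`) only passes once the signing key is in the keyring, which is exactly why a packager cannot work around a missing signature without weakening the PKGBUILD.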

Ah I see. Thanks @mccurdyc

I'm going to have a 4.0.0 CLI release coming out in a few weeks so I'll be sure to sign the tags when I do so.

Integralist avatar Sep 21 '22 13:09 Integralist