
Can't find release gpg key

Open mdbooth opened this issue 2 years ago • 7 comments

I see checksums.txt has a detached signature in the release artifacts, which is great. However, I can't find the key anywhere to verify it. Is it published somewhere?

> gpg --verify checksums.txt.sig
gpg: assuming signed data in 'checksums.txt'
gpg: Signature made Wed 07 Dec 2022 01:40:32 PM GMT
gpg:                using RSA key 81DF3546AA43EB287D276C87D1F231005DCF1180
gpg:                issuer "[email protected]"
gpg: Can't check signature: No public key

> gpg --recv-key 81DF3546AA43EB287D276C87D1F231005DCF1180
gpg: keyserver receive failed: No data

Possibly related to https://github.com/hetznercloud/cli/issues/120 and https://github.com/hetznercloud/cli/issues/209.

Could the key be posted somewhere obvious? Apologies if it is and I've just missed it!

mdbooth avatar Mar 04 '23 19:03 mdbooth

Hey @mdbooth,

you can find the key on keys.openpgp.org:

  • https://keys.openpgp.org/search?q=81DF3546AA43EB287D276C87D1F231005DCF1180
  • https://keys.openpgp.org/[email protected]

apricote avatar Mar 06 '23 13:03 apricote

Thanks! It would be good to see it posted somewhere canonical. Not 100% sure what the best practice is, but maybe:

  • Checked into the repo itself with a docs link ("releases will be signed by docs/hetzner-release-key.asc")
  • Served via https with a valid hetzner cert

mdbooth avatar Mar 06 '23 14:03 mdbooth
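The verification flow discussed in the comments above, as an added example that is not part of this thread and not hetznercloud/cli's own release tooling. It generates a throwaway OpenPGP key as a stand-in for the release key, signs a constructed checksums.txt for a constructed artifact, and then verifies the release the way a consumer should: in a private keyring, against a fingerprint pinned from a trusted source, followed by a checksum match of the downloaded artifact. The user ID, artifact name and contents are made up; a real check would pin 81DF3546AA43EB287D276C87D1F231005DCF1180 and import the key from keys.openpgp.org or the repository. It assumes gpg 2.1 or newer, gpgconf and GNU coreutils sha256sum.

```shell
#!/bin/sh
# Added example, not hetznercloud/cli's tooling. Stands up a throwaway OpenPGP
# key in place of the release key, signs a constructed checksums.txt, and then
# verifies the release with a pinned fingerprint inside a private keyring.
# Assumes gpg 2.1+, gpgconf and GNU sha256sum.

# verify_release DIR FINGERPRINT
#   DIR holds checksums.txt, checksums.txt.sig and the downloaded artifact(s).
#   Succeeds only if the detached signature is valid, was made by the key with
#   the pinned FINGERPRINT, and every checksum for a present artifact matches.
verify_release() {
    dir=$1; fpr=$2
    # --status-fd gives machine-readable lines; the exit status alone says
    # nothing about *which* key signed.
    status=$(gpg --batch --status-fd 1 --verify "$dir/checksums.txt.sig" \
                 "$dir/checksums.txt" 2>/dev/null) || return 1
    # VALIDSIG is only emitted for a good signature and carries the full
    # fingerprints (signing key and primary key); GOODSIG only has a key ID.
    printf '%s\n' "$status" | grep '^\[GNUPG:\] VALIDSIG ' | grep -q "$fpr" || return 1
    # --ignore-missing: checksums.txt lists every build, we only downloaded one.
    (cd "$dir" && sha256sum --check --ignore-missing --status checksums.txt) || return 1
}

# run_demo: builds the constructed release, then exercises the checker and
# prints one result line, e.g. "nokey=fail good=ok wrongpin=fail ...".
run_demo() {
    command -v gpg >/dev/null 2>&1 || { echo 'gpg not found' >&2; return 2; }
    work=$(mktemp -d)
    signer="$work/signer"; consumer="$work/consumer"; rel="$work/release"
    mkdir -m 700 "$signer" "$consumer"; mkdir "$rel"

    # --- release side (constructed): throwaway key, checksum file, detached sig
    GNUPGHOME=$signer gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Example Release Key <[email protected]>' ed25519 sign never 2>/dev/null
    fpr=$(GNUPGHOME=$signer gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
    GNUPGHOME=$signer gpg --batch --armor --export "$fpr" > "$work/release-key.asc"
    printf 'not a real tarball\n' > "$rel/hcloud-linux-amd64.tar.gz"   # constructed artifact
    (cd "$rel" && sha256sum hcloud-linux-amd64.tar.gz > checksums.txt)
    GNUPGHOME=$signer gpg --batch --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$rel/checksums.txt.sig" "$rel/checksums.txt"
    GNUPGHOME=$signer gpgconf --kill gpg-agent 2>/dev/null || true

    # --- consumer side: private keyring, key obtained out of band, pin checked
    export GNUPGHOME=$consumer
    if verify_release "$rel" "$fpr"; then r0=ok; else r0=fail; fi   # "No public key"
    # Real life: gpg --recv-keys FPR, or curl the .asc from keys.openpgp.org or
    # the repo. The pinned fingerprint is what makes the fetch location matter
    # less: a wrong or substituted key simply fails the check below.
    gpg --batch --import "$work/release-key.asc" 2>/dev/null
    if verify_release "$rel" "$fpr"; then r1=ok; else r1=fail; fi
    if verify_release "$rel" 0000000000000000000000000000000000000000; then r2=ok; else r2=fail; fi
    printf 'trojan\n' >> "$rel/hcloud-linux-amd64.tar.gz"            # good sig, bad checksum
    if verify_release "$rel" "$fpr"; then r3=ok; else r3=fail; fi
    printf '\n' >> "$rel/checksums.txt"                               # BAD signature, as reported below
    if verify_release "$rel" "$fpr"; then r4=ok; else r4=fail; fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    unset GNUPGHOME; rm -rf "$work"
    echo "nokey=$r0 good=$r1 wrongpin=$r2 artifact=$r3 checksums=$r4"
}

case "${1:-}" in demo) run_demo ;; esac
```

Run it with `sh verify-release.sh demo`. The point of `verify_release` is the order of checks: a signature that gpg reports as good is still rejected unless the VALIDSIG line carries the fingerprint you pinned, and only then is checksums.txt trusted enough to check the artifact against. That is why a keyserver lookup by fingerprint (as in the original report) is acceptable as a transport: the fingerprint, obtained from a canonical place, is the trust anchor, not the server.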

This issue has been marked as stale because it has not had recent activity. The bot will close the issue if no further action occurs.

github-actions[bot] avatar Jun 05 '23 12:06 github-actions[bot]

This issue has been marked as stale because it has not had recent activity. The bot will close the issue if no further action occurs.

github-actions[bot] avatar Oct 08 '23 12:10 github-actions[bot]

Quick info: GPG can't verify the checksum file anymore. Tested with release 1.38.2:

gpg: BAD signature from "[email protected] <[email protected]>" [unknown]

bheisig avatar Oct 16 '23 14:10 bheisig

> Quick info: GPG can't verify the checksum file anymore. Tested with release 1.38.2:
>
> gpg: BAD signature from "[email protected] <[email protected]>" [unknown]

Should be fixed in 1.38.3

jooola avatar Oct 16 '23 15:10 jooola

@apricote would you and the team be open to a patch that allows signing our artifacts using cosign? I think this way we will avoid having problems with importing GPG keys. We can extend our existing goreleaser config to enable that. Ref: https://goreleaser.com/customization/sign/#signing-with-cosign

kranurag7 avatar Dec 23 '23 06:12 kranurag7