Signing releases

Open cinemast opened this issue 10 years ago • 23 comments

Could you attach gpg signatures to your releases?

e.g. using

gpg --armor --detach-sign 1.3.0.tar.gz

The resulting file 1.3.0.tar.gz.asc can then easily be added to the release via the file upload to attach "binaries" provided by github.

cinemast avatar Jan 27 '15 20:01 cinemast

How can I help you with that?

cinemast avatar Jan 28 '15 01:01 cinemast

I need help from other team members. I expect it to take a couple months for us to change our methodology. The code reversions have priority. Is this a blocker?

cdunn2001 avatar Jan 28 '15 16:01 cdunn2001

No, not at all, just something that is common in Debian packaging now.

cinemast avatar Jan 28 '15 16:01 cinemast

0.8.0 is signed. Please let me know if that works before I sign other releases. I uploaded the pgp public key 1E069516 to keys.gnupg.net.

cdunn2001 avatar Feb 11 '15 17:02 cdunn2001

gpg --verify jsoncpp-0.8.0.tar.gz.asc
gpg: assuming signed data in `jsoncpp-0.8.0.tar.gz'
gpg: Signature made Wed 11 Feb 2015 06:49:44 PM CET using RSA key ID 1E069516
gpg: Good signature from "Christopher Dunn <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3FA3 3EE4 5C47 551D 6342  91E8 BE47 603D 1E06 9516

Looks Good!

cinemast avatar Feb 12 '15 12:02 cinemast
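A scripted form of the check above, added here as an example and not code from the thread or the jsoncpp project: it reads gpg's machine-readable status lines, accepts a release only when a VALIDSIG names a pinned full fingerprint (the one posted above) rather than the 8-hex key ID, and on a BAD signature prints the tarball's SHA-256 so it can be compared with the signer's copy. The sample status lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the jsoncpp project: verify a release tarball
# against its detached .asc and pin the signer's full fingerprint. The
# fingerprint below is the one posted in this thread; the status lines are
# constructed samples in the format gpg emits with --status-fd.

EXPECTED_FPR='3FA3 3EE4 5C47 551D 6342 91E8 BE47 603D 1E06 9516'

# check_status STATUS_TEXT EXPECTED_FPR
# Returns 0 only if no BADSIG line appears and some VALIDSIG line names
# EXPECTED_FPR as the signing key (field 3) or the primary key (last field).
# Comparing the full fingerprint, not the short key ID gpg prints, is the
# check the "not certified" WARNING above leaves to the verifier.
check_status() {
    status="$1"
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then
        return 1
    fi
    printf '%s\n' "$status" \
      | grep '^\[GNUPG:\] VALIDSIG ' \
      | awk -v want="$want" '$3 == want || $NF == want { found = 1 }
                             END { exit !found }'
}

# verify_release TARBALL EXPECTED_FPR
# Runs gpg on TARBALL.asc, feeds the status lines to check_status and, on
# failure, prints the tarball's SHA-256 so it can be compared with the
# signer's copy (a mismatch there means a different file, not a broken key).
verify_release() {
    tarball="$1"
    status=$(gpg --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null)
    if check_status "$status" "$2"; then
        echo "OK: $tarball is signed by $2"
    else
        echo "FAIL: $tarball sha256=$(sha256sum "$tarball" | cut -d' ' -f1)" >&2
        return 1
    fi
}

# Constructed sample status output, shaped like the Good and BAD runs above.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BE47603D1E069516 Christopher Dunn <[email protected]>
[GNUPG:] VALIDSIG 3FA33EE45C47551D634291E8BE47603D1E069516 2015-02-11 1423676984 0 4 0 1 8 00 3FA33EE45C47551D634291E8BE47603D1E069516
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 000000003FFC2B3B Christopher Dunn <[email protected]>'
```

Run it as `verify_release jsoncpp-0.10.2.tar.gz "$EXPECTED_FPR"` after importing the key; on macOS replace `sha256sum` with `shasum -a 256`.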

Thanks, Peter.

cdunn2001 avatar Feb 12 '15 14:02 cdunn2001

Hi!

Your current release 0.10.2 does not verify against the signature. Could you take a look at that?

cinemast avatar Apr 17 '15 16:04 cinemast

Bad news. I had my laptop stolen. The keys were password-protected, so no worries. But I might have to create a new signing key. Hopefully I'll have time this weekend.

cdunn2001 avatar Apr 17 '15 18:04 cdunn2001

I just signed with a new signing key. Try it again.

cdunn2001 avatar Apr 22 '15 19:04 cdunn2001

No. Still bad signature:

gpg --verify jsoncpp-0.10.2.tar.gz.asc
gpg: assuming signed data in `jsoncpp-0.10.2.tar.gz'
gpg: Signature made Mon 27 Apr 2015 06:52:06 AM CEST using RSA key ID 2948AE83
gpg: BAD signature from "Christopher Dunn <[email protected]>"

cinemast avatar Jun 27 '15 14:06 cinemast

That was signed with an older key. It should work now.

cdunn2001 avatar Jun 29 '15 05:06 cdunn2001

It still doesn't work. How do you create the signature? It was already working in the past.

cinemast avatar Jun 30 '15 17:06 cinemast

$> gpg --recv-keys 3FFC2B3B
gpg: requesting key 3FFC2B3B from hkp server pgp.mit.edu
gpg: key 3FFC2B3B: public key "Christopher Dunn <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

$> gpg --verify jsoncpp-0.10.2.tar.gz.asc
gpg: assuming signed data in `jsoncpp-0.10.2.tar.gz'
gpg: Signature made Mon 29 Jun 2015 07:35:08 AM CEST using RSA key ID 3FFC2B3B
gpg: BAD signature from "Christopher Dunn <[email protected]>"

$> cat jsoncpp-0.10.2.tar.gz.asc

cinemast avatar Jun 30 '15 17:06 cinemast

$ gpg --verify jsoncpp-0.10.2.tar.gz.asc
gpg: assuming signed data in `jsoncpp-0.10.2.tar.gz'
gpg: Signature made Mon Jun 29 00:35:08 2015 CDT using RSA key ID 3FFC2B3B
gpg: Good signature from "Christopher Dunn <[email protected]>"
$ cat jsoncpp-0.10.2.tar.gz.asc
$ md5 jsoncpp-0.10.2.tar.gz
MD5 (jsoncpp-0.10.2.tar.gz) = c7cbf26153ee6d0c3f4d380c2c51f679

Maybe you need to re-download the tarball?

cdunn2001 avatar Jul 01 '15 08:07 cdunn2001

Try this one:

  • https://github.com/open-source-parsers/jsoncpp/releases/tag/0.10.4

I think I had changed the tag for yours, because I lost the old signing key. But the latest should be signed properly.

cdunn2001 avatar Jul 12 '15 20:07 cdunn2001

Sorry, it's still not working. Please also ask someone else to verify. I still get bad signatures for 0.10.4.

I don't know what's wrong here. If someone else also has trouble, maybe it is something on your side. How exactly do you sign your releases?

cinemast avatar Jul 16 '15 14:07 cinemast

I haven't changed the procedure since when it was working. All that changed is the signing key, which I have published.

make -f dev.makefile sign

Please ask also someone else to verify.

Ok.

cdunn2001 avatar Jul 17 '15 11:07 cdunn2001

  • https://github.com/open-source-parsers/jsoncpp/releases/tag/0.10.5

Could you try the signature one more time? I just explicitly copy/pasted my public key armor to the MIT server.

I'll try to get someone else to verify over the weekend.

cdunn2001 avatar Jul 23 '15 05:07 cdunn2001

I'm thinking to switch to GitHub's new "Signature Verification". Any objection?

cdunn2001 avatar May 07 '16 00:05 cdunn2001

Well, it's not the same as signing tarballs, but better than having nothing. I will give it a deeper look, but anyway it is your decision.

cinemast avatar May 09 '16 09:05 cinemast

I have added a GPG key to my account to enable commits to be Signature Verified. Other than adding this to a CONTRIBUTING.md, is there any further action? Should we also be signing tarballs? I'd love to satisfactorily close this issue.

baylesj avatar Jun 24 '19 20:06 baylesj

Signing tarballs would be great.

cinemast avatar Jun 25 '19 09:06 cinemast

I would be open to signing tarballs moving forward but we would need to distribute the private key to more contributors or have @cdunn2001 run all releases moving forward.

baylesj avatar Sep 12 '24 00:09 baylesj