
[Arch buildpkg] 0.20.2 PGP chain of trust for release

Open dvzrv opened this issue 2 years ago • 10 comments

Hi! I'm currently bumping this package for Arch Linux.

I saw that we are pinning the key 689A3B5BC6560AB4C99A2A0581314DA807EF4E22 by @poljar for release verification. This seems to be a valid assumption up until 0.20.2, which is signed by D0CB3DB01DEF8CA2F4C9C4E308D39021F6D6A7B8 (@PaarthShah).

Unfortunately there is no chain of trust between these two keys (that I could find). It would be great if 689A3B5BC6560AB4C99A2A0581314DA807EF4E22 could sign the relevant User ID on D0CB3DB01DEF8CA2F4C9C4E308D39021F6D6A7B8, so that we can also verify (and use 0.20.2). @PaarthShah please make sure to update your PGP key on relevant keyservers (and here on github) after importing the signature, so that external parties can verify it.

dvzrv avatar Apr 11 '23 15:04 dvzrv

cc @diabonas

dvzrv avatar Apr 11 '23 15:04 dvzrv

Hi @dvzrv! Thanks for bringing this up; I'd absolutely want to make sure that the chain of trust is set up correctly.

That said, I'd like to confirm some details/make sure that I'm understanding properly:

> I saw that we are pinning the key 689A3B5BC6560AB4C99A2A0581314DA807EF4E22 by @poljar for release verification. This seems to be a valid assumption up until 0.20.2, which is signed by 689A3B5BC6560AB4C99A2A0581314DA807EF4E22 (@PaarthShah).

You list the same key, 689A3B5BC6560AB4C99A2A0581314DA807EF4E22, twice :^) I assume that's @poljar's since it's certainly not mine: D0CB3DB01DEF8CA2F4C9C4E308D39021F6D6A7B8.

I will reach out to him and see if he can sign my key, though there's one complicating factor that a PGP purist might take: the two of us have only ever spoken online and have no out-of-band channel through which to verify each other's identities.

To that end, would it be possible/reasonable to add my key to the Arch buildpkg?

I'll need to make sure the latest version of my key is fully up to date on the keyservers either way; I'll update here when that's done.

PaarthShah avatar Apr 11 '23 17:04 PaarthShah

> You list the same key

whoops. copy/paste in a haste... I meant D0CB3DB01DEF8CA2F4C9C4E308D39021F6D6A7B8 in the 2nd case of course (updated in original post).

> To that end, would it be possible/reasonable to add my key to the Arch buildpkg?

Yes, as soon as a relevant User ID on your key has been signed, we can add it! :)

Thanks for looking into this! :)

dvzrv avatar Apr 11 '23 17:04 dvzrv

No worries! I can't guarantee how quickly I'll be able to get it signed, but I'll definitely reach out appropriately.

And thank you again for bringing this up!

PaarthShah avatar Apr 11 '23 18:04 PaarthShah

Could you please publish the (currently unsigned) public key somewhere accessible meanwhile? I only found it on keys.openpgp.org, but (if I understood it right) the user IDs are stripped there for privacy reasons unless you allow the service to share them, so I cannot import it to verify the signature:

❯ gpg --keyserver hkps://keys.openpgp.org --recv-keys D0CB3DB01DEF8CA2F4C9C4E308D39021F6D6A7B8
gpg: key 08D39021F6D6A7B8: no user ID
gpg: Total number processed: 1

timegrid avatar Apr 28 '24 23:04 timegrid

@timegrid my public key should be accessible at https://github.com/PaarthShah.gpg

Lemme know if that doesn't work and I can post it more directly

I should also note that @poljar has noted that he's lost access to his secret key, so it's unlikely that we'll be able to make a clean handover. I'm happy to help out in whatever way to resolve this issue, though (and I'm very much in possession of my secret key)

PaarthShah avatar May 01 '24 05:05 PaarthShah

Thanks, this worked fine.

timegrid avatar May 01 '24 16:05 timegrid

> I should also note that @poljar has noted that he's lost access to his secret key, so it's unlikely that we'll be able to make a clean handover. I'm happy to help out in whatever way to resolve this issue, though (and I'm very much in possession of my secret key)

To expand on this, I do have access to my signing key, but I don't have access to my main key or a key that could certify other keys.

If it helps, I can also sign the release tag as a poor man's equivalent to signing @PaarthShah's GPG key.

poljar avatar May 02 '24 06:05 poljar

@poljar in that case, how about clear-text signing a token (a block of text) that states the handover to D0CB3DB01DEF8CA2F4C9C4E308D39021F6D6A7B8? You could do the same to any new key of yours as well and deposit this token at a prominent place (if you care to do so).

With it, we can still cryptographically verify the chain from your signature to your certification primary key (see https://openpgp.dev/book/signing_components.html#special-case-binding-signing-subkeys).

dvzrv avatar May 02 '24 08:05 dvzrv

Not sure if this is exactly what you meant, or if there's some more official procedure specified, but I produced the following text:

I hereby confirm that Paarth Shah [email protected], with the GPG key D0CB3DB01DEF8CA2F4C9C4E308D39021F6D6A7B8 has been added as a maintainer to the https://github.com/matrix-nio/matrix-nio/ project.

The exact file that was signed is attached, as well as the signature.

The signature can be verified as follows:

gpg --verify nio-handover.txt.sig nio-handover.txt
gpg: Signature made Sun 19 May 2024 14:36:27 CEST
gpg:                using RSA key E21F1370A524D0DD06FA34E08F6EEDC13811F72F
gpg: Good signature from "Damir Jelić (poljar) <[email protected]>" [ultimate]
gpg:                 aka "keybase.io/poljar <[email protected]>" [ultimate]
Primary key fingerprint: 689A 3B5B C656 0AB4 C99A  2A05 8131 4DA8 07EF 4E22
     Subkey fingerprint: E21F 1370 A524 D0DD 06FA  34E0 8F6E EDC1 3811 F72F

nio-handover.txt.sig.tar.gz nio-handover.txt

As for my own key rotation, the following text was used:

I hereby confirm that I have created a new GPG key. Fingerprint: B9A84A7F1F42C0E9716C94FEF3F7BA993F121F7D.

poljar-key-rotation.txt poljar-key-rotation.txt.sig.tar.gz

gpg --verify poljar-key-rotation.txt.sig poljar-key-rotation.txt
gpg: Signature made Sun 19 May 2024 16:08:46 CEST
gpg:                using RSA key E21F1370A524D0DD06FA34E08F6EEDC13811F72F
gpg: Good signature from "Damir Jelić (poljar) <[email protected]>" [ultimate]
gpg:                 aka "keybase.io/poljar <[email protected]>" [ultimate]
Primary key fingerprint: 689A 3B5B C656 0AB4 C99A  2A05 8131 4DA8 07EF 4E22
     Subkey fingerprint: E21F 1370 A524 D0DD 06FA  34E0 8F6E EDC1 3811 F72F

The new key can be found on GitHub as well as on a GPG keyserver. I also signed my old key (689a3b5bc6560ab4c99a2a0581314da807ef4e22) with the new (0xb9a84a7f1f42c0e9716c94fef3f7ba993f121f7d) one in the usual manner.

poljar avatar May 19 '24 14:05 poljar
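The gpg output above makes the point dvzrv raised earlier: the signature is made by the subkey E21F…F72F, but the fingerprint a packager should pin is the primary 689A…4E22 that the subkey is bound to. The following is an added example (not matrix-nio code and not the Arch buildpkg's own check) of how a downstream verifier can enforce that distinction from gpg's machine-readable status output. `gpg --status-fd 1 --verify` and the `GOODSIG`/`VALIDSIG`/`BADSIG` keywords are real gpg behaviour; the fingerprints are the ones quoted in this thread; the `SAMPLE_*` status strings and the helper names (`check_status`, `gpg_status`, `SigResult`) are constructed for the example.

```python
"""Pin release-signature trust to a primary key fingerprint, not to whichever
subkey produced the signature. Added example for this thread; the SAMPLE_*
status lines are constructed to mimic `gpg --status-fd 1` output."""
import subprocess
from dataclasses import dataclass
from typing import Optional

# @poljar's certification (primary) key, as pinned for release verification.
PINNED_PRIMARY = "689A3B5BC6560AB4C99A2A0581314DA807EF4E22"

# Any of these keywords means the signature must be rejected outright.
FATAL = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY")


@dataclass
class SigResult:
    ok: bool
    signing_fpr: Optional[str]  # key (possibly a subkey) that made the signature
    primary_fpr: Optional[str]  # primary key that signing key is bound to
    reason: str


def normalize_fpr(fpr: str) -> str:
    """Accept gpg's spaced form ('689A 3B5B ...') as well as bare hex."""
    return fpr.replace(" ", "").upper()


def gpg_status(sig_path: str, data_path: str) -> str:
    """Run gpg and return its status-fd output. gpg exits non-zero on a bad
    signature, so the verdict is taken from the status lines, not the code."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def check_status(status: str, pinned_primary: str) -> SigResult:
    """Accept only a GOODSIG whose VALIDSIG primary fingerprint is the pin.
    VALIDSIG fields: fpr date ts expire ver reserved pkalgo hashalgo class [primary]."""
    good, signing, primary = False, None, None
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in FATAL:
            return SigResult(False, signing, primary, f"gpg reported {keyword}")
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            signing = normalize_fpr(fields[2])
            if len(fields) >= 12:
                primary = normalize_fpr(fields[11])
    if not (good and signing):
        return SigResult(False, signing, primary, "no GOODSIG/VALIDSIG in status output")
    if primary is None:
        return SigResult(False, signing, primary, "VALIDSIG lacks primary fingerprint")
    if primary != normalize_fpr(pinned_primary):
        return SigResult(False, signing, primary, f"primary key {primary} is not the pinned key")
    return SigResult(True, signing, primary, "signed by pinned primary key or one of its subkeys")


# Constructed: the verification shown in the thread, signing subkey E21F...
# bound to primary 689A... (timestamp is approximate and constructed).
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 8F6EEDC13811F72F Damir Jelic (poljar) <redacted>
[GNUPG:] VALIDSIG E21F1370A524D0DD06FA34E08F6EEDC13811F72F 2024-05-19 1716122187 0 4 0 1 10 00 689A3B5BC6560AB4C99A2A0581314DA807EF4E22
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""

# Constructed: a good signature by a key that is not the pinned one (the
# 0.20.2 situation before any handover statement existed).
SAMPLE_OTHER_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 08D39021F6D6A7B8 Paarth Shah <redacted>
[GNUPG:] VALIDSIG D0CB3DB01DEF8CA2F4C9C4E308D39021F6D6A7B8 2023-04-10 1681084800 0 4 0 1 10 00 D0CB3DB01DEF8CA2F4C9C4E308D39021F6D6A7B8
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: tampered file.
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 8F6EEDC13811F72F Damir Jelic (poljar) <redacted>
"""
```

In use, `check_status(gpg_status("nio-handover.txt.sig", "nio-handover.txt"), PINNED_PRIMARY)` gives the verdict; a signed handover or key-rotation statement such as the ones above only extends trust to a new key if this check passes against the old pinned primary, after which the new fingerprint can be added to the pin list.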

Alright, I think this should be resolved as well as it can be. Closing now.

poljar avatar May 24 '24 09:05 poljar