Can't find release gpg key #458

Open
mdbooth opened this issue Mar 4, 2023 · 7 comments

@mdbooth

mdbooth commented Mar 4, 2023

I see checksums.txt has a detached signature in the release artifacts, which is great. However, I can't find the key anywhere to verify it. Is it published somewhere?

> gpg --verify checksums.txt.sig
gpg: assuming signed data in 'checksums.txt'
gpg: Signature made Wed 07 Dec 2022 01:40:32 PM GMT
gpg:                using RSA key 81DF3546AA43EB287D276C87D1F231005DCF1180
gpg:                issuer "github-bot@hetzner-cloud.de"
gpg: Can't check signature: No public key

> gpg --recv-key 81DF3546AA43EB287D276C87D1F231005DCF1180
gpg: keyserver receive failed: No data

Possibly related to #120 and #209.

Could the key be posted somewhere obvious? Apologies if it is and I've just missed it!

@apricote
Member

apricote commented Mar 6, 2023

Hey @mdbooth,

you can find the key on keys.openpgp.org:

@apricote apricote self-assigned this Mar 6, 2023
@apricote apricote closed this as completed Mar 6, 2023
@mdbooth
Author

mdbooth commented Mar 6, 2023

Thanks! It would be good to see it posted somewhere canonical. Not 100% sure what the best practice is, but maybe:

  • Checked into the repo itself with a docs link ("releases will be signed by docs/hetzner-release-key.asc")
  • Served via https with a valid hetzner cert
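The client-side check this thread is about, as an added example that is neither the project's own code nor anyone's comment here. It covers the first post (verifying checksums.txt against its detached signature, then the artifact against checksums.txt), the suggestion above that the key be pinned from a canonical place, and the "BAD signature" report later in the thread. To run offline it generates a throwaway key and a constructed release in a temporary directory; the artifact name hcloud-demo.tar.gz, the user ID demo-bot@example.invalid and the all-zero "wrong" fingerprint are assumptions of the example. In real use you would instead import the maintainers' published key (the thread names fingerprint 81DF3546AA43EB287D276C87D1F231005DCF1180) from keys.openpgp.org or from a file in the repository, and pass that fingerprint as the expected one.

```shell
#!/bin/sh
# Added example, not code from the project or from anyone in this thread.
# Verifies checksums.txt against its detached OpenPGP signature, pins the
# signing key's fingerprint, then verifies the downloaded artifact against
# checksums.txt. Offline demo: throwaway key + constructed release files.
set -eu

# verify_release FPR CHECKSUMS SIG ARTIFACT
# Succeeds only if (1) the detached signature over CHECKSUMS is valid,
# (2) it was made by the key with fingerprint FPR, and (3) ARTIFACT's
# SHA-256 equals its entry in CHECKSUMS. Anything else returns 1.
verify_release() {
  want_fpr=$1 vr_sums=$2 vr_sig=$3 vr_art=$4
  # --status-fd yields stable machine-readable lines; the human-readable
  # "Good signature" text is localized and should never be parsed.
  status=$(gpg --batch --status-fd 1 --verify "$vr_sig" "$vr_sums" 2>/dev/null) || {
    echo "verify: signature invalid (BADSIG) or key not in keyring (NO_PUBKEY)" >&2
    return 1
  }
  # "[GNUPG:] VALIDSIG <signing-key-fpr> ..." appears only for a good signature.
  # A valid signature from some other key is still rejected: a keyserver lookup
  # by e-mail address proves nothing about who controls that key.
  signer=$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3; exit}')
  if [ "$signer" != "$want_fpr" ]; then
    echo "verify: signed by '$signer', expected '$want_fpr'" >&2
    return 1
  fi
  # checksums.txt lists every release file ("<sha256>  <name>"); compare only
  # the one we downloaded. An artifact absent from the list also fails.
  expected=$(awk -v f="$(basename "$vr_art")" '$2==f {print $1}' "$vr_sums")
  actual=$(sha256sum "$vr_art" | awk '{print $1}')
  if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
    echo "verify: digest of $(basename "$vr_art") does not match checksums.txt" >&2
    return 1
  fi
  return 0
}

# make_demo_release DIR
# Constructs a stand-in release in DIR (artifact, checksums.txt, detached
# signature) signed by a fresh throwaway key kept in DIR/gnupg, and writes that
# key's fingerprint to DIR/key.fpr. Leaves GNUPGHOME pointing at DIR/gnupg so the
# user's real keyring is never touched.
make_demo_release() {
  dir=$1
  mkdir -p "$dir/gnupg" && chmod 700 "$dir/gnupg"
  export GNUPGHOME="$dir/gnupg"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'demo-bot@example.invalid' ed25519 sign never 2>/dev/null
  printf 'not a real tarball, constructed for the example\n' > "$dir/hcloud-demo.tar.gz"
  (cd "$dir" && sha256sum hcloud-demo.tar.gz > checksums.txt)
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --output "$dir/checksums.txt.sig" --detach-sign "$dir/checksums.txt"
  gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr" {print $10; exit}' > "$dir/key.fpr"
}

# report LABEL FPR: run verify_release on the current demo files and say why.
report() {
  if verify_release "$2" "$sums" "$sig" "$art"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}

# Walk through the cases from the thread: a genuine release, a valid signature
# from a key other than the pinned one, an artifact swapped while checksums.txt
# stays intact, and a checksums.txt edited after signing (the BADSIG report).
run_demo() {
  work=$(mktemp -d)
  make_demo_release "$work"
  fpr=$(cat "$work/key.fpr")
  sums="$work/checksums.txt" sig="$work/checksums.txt.sig" art="$work/hcloud-demo.tar.gz"
  report "genuine release" "$fpr"
  report "valid signature but not the pinned key" "0000000000000000000000000000000000000000"
  printf 'x' >> "$art"
  report "artifact replaced, checksums.txt intact" "$fpr"
  printf 'deadbeef  evil.tar.gz\n' >> "$sums"
  report "checksums.txt edited after signing" "$fpr"
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1 && command -v sha256sum >/dev/null 2>&1; then
  run_demo
else
  echo "gpg and sha256sum are required for the demo" >&2
fi
```

Only the first case is accepted; the other three are rejected, each for a different reason. The fingerprint pin is the part that `gpg --verify` alone does not give you: gpg reports a good signature for any key in the keyring, so importing whatever keys.openpgp.org returns for an address and then trusting "Good signature" would accept a signature from any key that claims that address.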

@apricote apricote reopened this Mar 6, 2023
@github-actions
Contributor

github-actions bot commented Jun 5, 2023

This issue has been marked as stale because it has not had recent activity. The bot will close the issue if no further action occurs.

@github-actions github-actions bot added the stale label Jun 5, 2023
@mdbooth mdbooth closed this as completed Jun 7, 2023
@apricote apricote reopened this Jun 7, 2023
@apricote apricote removed the stale label Jun 7, 2023
@jooola jooola added the pinned label Jul 10, 2023
@github-actions
Contributor

github-actions bot commented Oct 8, 2023

This issue has been marked as stale because it has not had recent activity. The bot will close the issue if no further action occurs.

@github-actions github-actions bot added the stale label Oct 8, 2023
@jooola jooola removed the stale label Oct 11, 2023
@bheisig

bheisig commented Oct 16, 2023

Quick info: GPG can't verify the checksum file anymore. Tested with release 1.38.2:

gpg: BAD signature from "github-bot@hetzner-cloud.de <github-bot@hetzner-cloud.de>" [unknown]

@jooola
Member

jooola commented Oct 16, 2023

> Quick info: GPG can't verify the checksum file anymore. Tested with release 1.38.2:
>
> gpg: BAD signature from "github-bot@hetzner-cloud.de <github-bot@hetzner-cloud.de>" [unknown]

Should be fixed in 1.38.3

@kranurag7
Contributor

@apricote would you and the team be open to a patch that allows signing our artifacts using cosign? I think this way we will avoid having problems with importing GPG keys.
We can extend our existing goreleaser config to enable that.
Ref: https://goreleaser.com/customization/sign/#signing-with-cosign
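As an added illustration of the goreleaser plus cosign route proposed above (this is not the project's configuration and not a patch from anyone in the thread): a keyless `signs` entry that signs the checksum file with cosign and ships the Fulcio certificate next to the signature. The `<org>/<repo>` placeholder in the comment is an assumption; the rest follows the goreleaser signing documentation linked above.

```yaml
# .goreleaser.yaml (excerpt) - added example, not the project's own file.
# Keyless cosign signing: in a GitHub Actions job with `id-token: write`
# permission, cosign obtains a short-lived certificate bound to the workflow
# identity, so there is no long-lived key to publish, rotate, or lose.
signs:
  - cmd: cosign
    # certificate is written beside the signature and must be published with it;
    # verifiers check the identity inside it rather than a pre-shared key.
    certificate: "${artifact}.pem"
    args:
      - sign-blob
      - "--output-certificate=${certificate}"
      - "--output-signature=${signature}"
      - "${artifact}"
      - "--yes"          # required by cosign 2.x to skip the interactive prompt
    # Sign only checksums.txt; every other artifact is then covered by its
    # entry in the signed checksum file.
    artifacts: checksum
```

A downloader then runs `cosign verify-blob --certificate checksums.txt.pem --signature checksums.txt.sig --certificate-identity-regexp '^https://github.com/<org>/<repo>/' --certificate-oidc-issuer https://token.actions.githubusercontent.com checksums.txt` before checking the artifact against checksums.txt. The identity and issuer flags are the cosign equivalent of pinning the GPG fingerprint: without them, any certificate from the public Fulcio instance would be accepted.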
