
Where to publish Java signing pubkey? #14

Open
breedx-splk opened this issue Aug 30, 2023 · 10 comments
Comments

@breedx-splk

Related to #10.

The java repos (opentelemetry-java, opentelemetry-java-instrumentation, opentelemetry-java-contrib, opentelemetry-android, semantic-conventions-java, https://github.com/open-telemetry/opentelemetry-proto-java) publish artifacts to sonatype for inclusion in maven central. You can see some examples of these .asc signatures here. Sonatype requires artifacts to be signed, and the java projects do this signing at build time using github secrets in github actions.

For these signatures to be publicly verified by otel users, we need to publish our public key someplace findable. Is there some existing location for these pubkeys?

Ideally we would also create a verifiable web of trust, but we can defer that for a separate issue.

@breedx-splk
Author

@trask pointed out a good resource here: https://central.sonatype.org/publish/requirements/gpg/#distributing-your-public-key

I assume we'd want to standardize across otel.

@breedx-splk
Author

I have confirmed that the java key is published to the ubuntu keystore:

```
root@0800e2acf2f3:/# gpg --keyserver keyserver.ubuntu.com --recv-keys A60FF5F0
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 17A27CE7A60FF5F0: public key "OpenTelemetry Java" imported
gpg: Total number processed: 1
gpg:               imported: 1
```

I'm not sure how a user would find our key ID in the first place though. 🙃
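Once the key is imported as above, a consumer still has to check that an artifact's `.asc` was made by *that* key and not merely by any key in the local keyring. The following is an added example, not code from the issue or from the OpenTelemetry projects; it assumes the artifact and its `.asc` have already been downloaded to the local directory, and it uses the long key ID from the `gpg` output above.

```shell
#!/bin/sh
# Long key ID of the "OpenTelemetry Java" signing key, taken from the
# gpg --recv-keys output in this issue.
EXPECTED_KEYID="17A27CE7A60FF5F0"

# check_validsig KEYID: read `gpg --status-fd` output on stdin and succeed
# only if gpg emitted a VALIDSIG line whose fingerprint ends with KEYID.
# "Good signature" alone is not enough: any key in the keyring yields one,
# which is not the same as "signed by the project key".
check_validsig() {
  expected=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  awk -v want="$expected" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
      fpr = toupper($3)
      if (substr(fpr, length(fpr) - length(want) + 1) == want) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# verify_artifact FILE: fetch the key from keyserver.ubuntu.com if it is not
# yet in the keyring, then verify FILE against FILE.asc (both local files).
verify_artifact() {
  file=$1
  gpg --list-keys "$EXPECTED_KEYID" >/dev/null 2>&1 \
    || gpg --keyserver keyserver.ubuntu.com --recv-keys "$EXPECTED_KEYID"
  gpg --status-fd 1 --verify "$file.asc" "$file" 2>/dev/null \
    | check_validsig "$EXPECTED_KEYID"
}
```

The fingerprint prefix in any real VALIDSIG line comes from the key itself; pinning the full 40-character fingerprint instead of the 16-character long ID is the stricter choice once the project publishes it.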

@jpkrohling
Member

Where would you have looked for it first: here in this repository, or in the Java repository?

@breedx-splk
Author

> Where would you have looked for it first: here in this repository, or in the Java repository?

Take my answer with a grain of salt because I'm heavily biased due to my involvement in otel java, but I would have looked in the java repo first.

@jpkrohling
Member

That would also have been my guess. I'm not sure this repo here should host any artifact at all, to be honest.

@breedx-splk
Author

breedx-splk commented Sep 6, 2023

> That would also have been my guess. I'm not sure this repo here should host any artifact at all, to be honest.

That's fair. I had mostly opened this looking for some guidance. If that guidance is just to have the pubkey as a file checked into the relevant repos, I'm cool with that. If there's some broader effort around signing (#10?) I'd just like to make sure that java is doing things consistently. If there were a place on the website to consolidate pubkeys, I can offer to contribute the java one.

@jpkrohling
Member

The SIG security is still relatively new, and we are happy to hear best practices adopted elsewhere as well as other suggestions.

@codeboten, wasn't there a similar question some days ago?

@oly-baby

@jpkrohling

Please, can I work on this?

@jpkrohling
Member

Yes, but I believe the SIG Security needs to decide first what's the appropriate action here. Once we determine that, you can implement it.

@oly-baby

Alright, I would love to be informed of the decision.
