
GPG keys of maintainers can't be retrieved from https://github.com/ nor https://libuv.org/ #4306

Open
hlein opened this issue Feb 9, 2024 · 0 comments


hlein commented Feb 9, 2024

...Unless I am just blind.

Releases at e.g. https://dist.libuv.org/dist/v1.48.0/ include a companion .sign file, yay!

https://github.com/libuv/libuv/blob/v1.x/MAINTAINERS.md lists project maintainers, their GitHub usernames, and their PGP key fingerprints (if any). It also describes how pubkeys are stored in the repo as blobs and then tagged.

The problem is, AFAIK there's no way in the github web UI to access those pubkeys. If you clone the repo, you can see the pubkey tags with git tag --list 'pubkey*', view the contents with git show pubkey-vtjnash or similar just fine. But I can't find a way to access them without cloning the repo. Which is a lot of work to go through for someone (or some tooling) that wants to save keys with which to verify tarballs.

The list of users and fingerprints in MAINTAINERS.md can almost be used another way. Because GitHub user account names are specified, one can hit https://github.com/${github_user}.gpg ... but only for users whose keys are known to GitHub. Some of them are not:

```shell
# Take the GitHub usernames from MAINTAINERS.md: the "**Name** ([@user](...))"
# line that sits directly above each "- GPG key:" line, then ask GitHub for
# that user's uploaded keys.
$ for user in $(egrep -B1 'GPG key:' MAINTAINERS.md | sed -n -E 's/.*\*\* +\( *\[@([^] ]+)\].*/\1/p') ; do
  echo -n "$user "
  # GitHub serves an armor header even for users with no keys, so test for the
  # start of a base64-encoded public-key packet ("mQ") instead of the BEGIN line.
  curl -s "https://github.com/${user}.gpg" | egrep -q '^mQ' && echo yes || echo no
done
bnoordhuis no
vtjnash yes
richardlau yes
santigimeno yes
saghul no
trevnorris yes
cjihrig yes
indutny no
```

[Ugly hack because GitHub always returns "BEGIN PUBLIC KEY BLOCK..." if the user exists, with "Note: This user hasn't uploaded any GPG keys." if there's no key.]

Meanwhile some (a different some) are registered with the https://keys.openpgp.org/ keyservers:

```shell
# Take the fingerprints from the "- GPG key:" lines, drop the trailing
# "(pubkey-...)" tag name and the spaces between the hex groups, and look each
# one up on keys.openpgp.org by full fingerprint.
$ for key in $(egrep 'GPG key:' MAINTAINERS.md | sed 's/^ *- GPG key: //; s/ (pubkey.*//; s/ //g') ; do
  echo -n "$key "
  curl -s "https://keys.openpgp.org/vks/v1/by-fingerprint/${key}" | egrep -q 'BEGIN PGP' && echo yes || echo no
done
D77B1E34243FBAF05F8E9CC34F55C8C846AB89B9 yes
AEAD0A4B686767751A0E4AEF34A25FB128246514 yes
CFBB9CA9A5BEAFD70E2B3C5A79A67C55A3679C8B no
C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C yes
612F0EAD9401622379DF4402F28C3C8DA33C03BE yes
FDF519364458319FA8233DC9410E5553AE9BC059 yes
AEFC279A0C9306767E5829A1251CA676820DC7F3 no
94AE36675C464D64BAFA68DD7434390BDBE9B9C5 yes
57353E0DBDAAA7E839B66A1AFF47D5E4AD8B4FDC yes
AF2EEA41EC3447BFDD86FED9D7063CCE19B7E890 yes
```

Is there a plain old export of the relevant PGP public keys somewhere that's easy to fetch, and I'm just missing it? If not, could at least one of GitHub ${user}.gpg or https://keys.openpgp.org/ publication be standardized please?

@hlein hlein changed the title GPG keys of signers can't be retrieved from https://github.com/ nor https://libuv.org/ GPG keys of maintainers can't be retrieved from https://github.com/ nor https://libuv.org/ Feb 9, 2024
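The convention the issue refers to, a public key stored as a git blob with a `pubkey-<user>` tag pointing at it, can be reproduced in a throwaway repo and exported with the same `git tag --list` / `git show`-style commands a verifier script would use. The script below is an added example written for this page; it is not part of the issue and not libuv's own tooling. The repo, the user name `exampleuser` and the key text are constructed placeholders, not libuv's real maintainer keys; against a real clone of libuv you would skip `make_demo_repo` and call `export_pubkey_tags` on the clone.

```shell
#!/bin/sh
# Added example (not from the issue or from libuv): reproduce the
# "key blob + pubkey-<user> tag" scheme locally and export the keys.
set -eu

# Build a throwaway repo holding one constructed placeholder key as a loose
# blob (no commit required) and tag that blob pubkey-exampleuser.
make_demo_repo() {
    repo="$1"
    git init -q "$repo"
    # Constructed placeholder standing in for a real armored key export.
    blob=$(printf '%s\n' \
        '-----BEGIN PGP PUBLIC KEY BLOCK-----' \
        'placeholder-key-material' \
        '-----END PGP PUBLIC KEY BLOCK-----' \
        | git -C "$repo" hash-object -w --stdin)
    git -C "$repo" tag pubkey-exampleuser "$blob"
}

# Write every pubkey-* tag's blob to <outdir>/<tag>.asc and print how many
# keys were exported. ^{blob} peels an annotated tag, if the project used
# one, down to the key blob itself; a lightweight tag resolves directly.
export_pubkey_tags() {
    repo="$1"
    outdir="$2"
    mkdir -p "$outdir"
    count=0
    for tag in $(git -C "$repo" tag --list 'pubkey-*'); do
        git -C "$repo" cat-file blob "${tag}^{blob}" > "$outdir/$tag.asc"
        count=$((count + 1))
    done
    echo "$count"
}

# Fail closed if a tag points at something that is not an armored public
# key block, so a stray tag cannot smuggle arbitrary data into gpg --import.
looks_like_armored_key() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$'
}

# Example run against the throwaway repo (real use: a clone of libuv).
demo_dir=$(mktemp -d)
make_demo_repo "$demo_dir/repo"
export_pubkey_tags "$demo_dir/repo" "$demo_dir/keys"
for f in "$demo_dir"/keys/*.asc; do
    looks_like_armored_key "$f" && echo "ok: $f"
done
```

With real key material the exported directory is what you hand to `gpg --import` before `gpg --verify` on a release `.sign` file, and before importing it is worth checking that each file's fingerprint (`gpg --with-colons --show-keys FILE | awk -F: '/^fpr/ {print $10}'`) matches the fingerprint MAINTAINERS.md lists for that user, since the tag name alone does not bind the blob to a person.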