[releasing] PGP keys for code signing


[releasing] PGP keys for code signing

Christian Grobmeier
Hi all,

I am sorry for asking dumb, but I am a complete idiot on all that
encryption stuff.
I read this: http://wiki.apache.org/commons/CreatingReleases
and all the links in the section on signature keys. I understand how PGP works.

I have a key created and this has been signed by CACert where I am
fully assured and uploaded it to a keyserver.
Question: is this a suitable key for code signing at apache?

Thanks,
Christian

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: [releasing] PGP keys for code signing

Siegfried Goeschl
Hi Christian,

as far as I remember CACert is about X.509 certificates and not PGP
keys. If that assumption is true then this key is not usable for
PGP-signing.

Cheers,

Siegfried Goeschl

Christian Grobmeier wrote:

> Hi all,
>
> I am sorry for asking dumb, but I am a complete idiot on all that
> encryption stuff.
> I read this: http://wiki.apache.org/commons/CreatingReleases
> and all the links in the section on signature keys. I understand how PGP works.
>
> I have a key created and this has been signed by CACert where I am
> fully assured and uploaded it to a keyserver.
> Question: is this a suitable key for code signing at apache?
>
> Thanks,
> Christian

Re: [releasing] PGP keys for code signing

sebb-2-2
Why not try creating a signature for an existing Commons release, e.g. IO?

Upload it to your home directory on people, along with the public key,
and some of us can see if it is usable.

S.
On 05/05/2009, Siegfried Goeschl <[hidden email]> wrote:

> Hi Christian,
>
>  as far as I remember CACert is about X.509 certificates and not PGP
>  keys. If that assumption is true then this key is not usable for
>  PGP-signing.
>
>  Cheers,
>
>
>  Siegfried Goeschl
>
>
>  Christian Grobmeier wrote:
>  > Hi all,
>  >
>  > I am sorry for asking dumb, but I am a complete idiot on all that
>  > encryption stuff.
>  > I read this: http://wiki.apache.org/commons/CreatingReleases
>  > and all the links in the section on signature keys. I understand how PGP works.
>  >
>  > I have a key created and this has been signed by CACert where I am
>  > fully assured and uploaded it to a keyserver.
>  > Question: is this a suitable key for code signing at apache?
>  >
>  > Thanks,
>  > Christian
Re: [releasing] PGP keys for code signing

Christian Grobmeier
In reply to this post by Siegfried Goeschl
Hi,

> as far as I remember CACert is about X.509 certificates and not PGP
> keys. If that assumption is true then this key is not usable for
> PGP-signing.

yes, but if you are assured at CACert they offer signing your PGP too.

Thanks
Christian

Re: [releasing] PGP keys for code signing

Christian Grobmeier
In reply to this post by sebb-2-2
> Why not try creating a signature for an existing Commons release, e.g. IO?
> Upload it to your home directory on people, along with the public key,
> and some of us can see if it is usable.

That would be great! Thanks!

Here are the urls:
http://people.apache.org/~grobmeier/test/commons-chain-1.2-bin.tar.gz
http://people.apache.org/~grobmeier/test/commons-chain-1.2-bin.tar.gz.asc

Cheers,
Christian

Re: [releasing] PGP keys for code signing

papajdo
Not so good.

Here's what I get after downloading the two files:

[CraigRussell:~/Downloads] clr% gpg --verify commons-chain-1.2-bin.tar.gz.asc
gpg: Signature made Tue May  5 22:13:09 2009 PDT using DSA key ID 42196CA8
gpg: Can't check signature: public key not found
[CraigRussell:~/Downloads] clr% gpg --recv-keys 42196CA8
gpg: requesting key 42196CA8 from hkp server subkeys.pgp.net
gpgkeys: key 42196CA8 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

I'm no expert but it doesn't appear like the DSA key can be checked by  
gpg like all the Apache releases.

Craig

On May 5, 2009, at 10:42 PM, Christian Grobmeier wrote:

>> Why not try creating a signature for an existing Commons release,  
>> e.g. IO?
>> Upload it to your home directory on people, along with the public  
>> key,
>> and some of us can see if it is usable.
>
> That would be great! Thanks!
>
> Here are the urls:
> http://people.apache.org/~grobmeier/test/commons-chain-1.2-bin.tar.gz
> http://people.apache.org/~grobmeier/test/commons-chain-1.2-bin.tar.gz.asc
>
> Cheers,
> Christian
Craig L Russell
Architect, Sun Java Enterprise System http://db.apache.org/jdo
408 276-5638 mailto:[hidden email]
P.S. A good JDO? O, Gasp!


Re: [releasing] PGP keys for code signing

Christian Grobmeier
> gpg: Can't check signature: public key not found
> [CraigRussell:~/Downloads] clr% gpg --recv-keys 42196CA8
> gpg: requesting key 42196CA8 from hkp server subkeys.pgp.net
> gpgkeys: key 42196CA8 not found on keyserver

Thanks, I sent it to several keyservers now :-)
Can you try again?

Christian

Re: [releasing] PGP keys for code signing

sebb-2-2
On 06/05/2009, Christian Grobmeier <[hidden email]> wrote:
> > gpg: Can't check signature: public key not found
>  > [CraigRussell:~/Downloads] clr% gpg --recv-keys 42196CA8
>  > gpg: requesting key 42196CA8 from hkp server subkeys.pgp.net
>  > gpgkeys: key 42196CA8 not found on keyserver
>
>
> Thanks, I sent it to several keyservers now :-)
>  Can you try again?

Can you upload the public key?
It will need to be added to KEYS at some point if you are to use it.

>  Christian

Re: [releasing] PGP keys for code signing

Christian Grobmeier
> Can you upload the public key?

http://people.apache.org/~grobmeier/test/grobmeier-codesigning.pub

> It will need to be added to KEYS at some point if you are to use it.

Yes. I didn't understand when a key is being considered "trusted" at Apache.
Meanwhile I think there is no such policy. However, the key should work
now for most key servers and is now signed by CACert and by another
guy.

If I need more actions... please let me know. Otherwise I will commit
it to our KEYS file in the next days.

Cheers + thanks,
Christian

Re: [releasing] PGP keys for code signing

sebb-2-2
On 06/05/2009, Christian Grobmeier <[hidden email]> wrote:
> > Can you upload the public key?
>
>
> http://people.apache.org/~grobmeier/test/grobmeier-codesigning.pub
>

Thanks, that has allowed me to check the signature. Validates OK.

However I was unable to download the key from a keyserver - maybe
there was a problem with the server I was using.

>  > It will need to be added to KEYS at some point if you are to use it.
>
>
> Yes. I didn't understand when a key is being considered "trusted" at Apache.

See:

http://www.apache.org/dev/release-signing.html

In theory, all ASF keys should be connected in a web of trust, however
that is not the case.

But at least if your key is in the KEYS file it shows that it was
trusted by the person updating the file, and that person must have had
commit access.

>  Meanwhile I think there is no such policy. However, the key should work
>  now for most key servers and is now signed by CACert and by another
>  guy.
>
>  If I need more actions... please let me know. Otherwise I will commit
>  it to our KEYS file in the next days.
>
>  Cheers + thanks,
>
> Christian

Re: [releasing] PGP keys for code signing

Christian Grobmeier
>> http://people.apache.org/~grobmeier/test/grobmeier-codesigning.pub
>
> Thanks, that has allowed me to check the signature. Validates OK.

Cool!

> However I was unable to download the key from a keyserver - maybe
> there was a problem with the server I was using.

Strange... I uploaded it to: pgp.mit.edu and to subkeys.pgp.net
It's available via the web interface at MIT, but not from pgp.net.

>>  > It will need to be added to KEYS at some point if you are to use it.
>>
>> Yes. I didn't understand when a key is being considered "trusted" at Apache.
>
> See:  http://www.apache.org/dev/release-signing.html
> In theory, all ASF keys should be connected in a web of trust, however
> that is not the case.

OK. That's the point which confused me.

> But at least if your key is in the KEYS file it shows that it was
> trusted by the person updating the file, and that person must have had
> commit access.

OK, I will add my key to the KEYS file then and go ahead :-)
Thanks for your help!

Christian

Re: [releasing] PGP keys for code signing

papajdo
In reply to this post by Christian Grobmeier
Much better!

[CraigRussell:~/Downloads] clr% gpg --recv-keys 42196CA8
gpg: requesting key 42196CA8 from hkp server subkeys.pgp.net
gpg: key 42196CA8: public key "Christian Grobmeier (Apache Codesigning) <[hidden email]>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:  74  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:  74  signed:  26  trust: 17-, 26q, 0n, 0m, 31f, 0u
gpg: depth: 2  valid:  19  signed:   7  trust: 7-, 10q, 0n, 0m, 2f, 0u
gpg: next trustdb check due at 2009-05-09
gpg: Total number processed: 1
gpg:               imported: 1
[CraigRussell:~/Downloads] clr% gpg --verify commons-chain-1.2-bin.tar.gz.asc
gpg: Signature made Tue May  5 22:13:09 2009 PDT using DSA key ID 42196CA8
gpg: Good signature from "Christian Grobmeier (Apache Codesigning) <[hidden email]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9D23 5338 96A9 7847 0358  5B62 86E0 2C5A 4219 6CA8

I'd vote for this signature being valid to sign releases. Only  
incubator releases right now, since it hasn't been signed by the  
Apache WOT. That can be fixed at a Sign-a-Thon. ;-)

Craig

On May 5, 2009, at 11:35 PM, Christian Grobmeier wrote:

>> gpg: Can't check signature: public key not found
>> [CraigRussell:~/Downloads] clr% gpg --recv-keys 42196CA8
>> gpg: requesting key 42196CA8 from hkp server subkeys.pgp.net
>> gpgkeys: key 42196CA8 not found on keyserver
>
> Thanks, I sent it to several keyservers now :-)
> Can you try again?
>
> Christian
Craig L Russell
Architect, Sun Java Enterprise System http://db.apache.org/jdo
408 276-5638 mailto:[hidden email]
P.S. A good JDO? O, Gasp!


Re: [releasing] PGP keys for code signing

Rahul Akolkar
On Wed, May 6, 2009 at 10:43 AM, Craig L Russell <[hidden email]> wrote:
> Much better!
>
<snip/>

> [CraigRussell:~/Downloads] clr% gpg --verify
> commons-chain-1.2-bin.tar.gz.asc
> gpg: Signature made Tue May  5 22:13:09 2009 PDT using DSA key ID 42196CA8
> gpg: Good signature from "Christian Grobmeier (Apache Codesigning)
> <[hidden email]>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 9D23 5338 96A9 7847 0358  5B62 86E0 2C5A 4219 6CA8
>
> I'd vote for this signature being valid to sign releases. Only incubator
> releases right now, since it hasn't been signed by the Apache WOT. That can
> be fixed at a Sign-a-Thon. ;-)
>
<snap/>

I'd vote for Apache Commons releases signed by any key that's in the
KEYS file (regardless of WOT status -- keysigning would be good and is
encouraged, but isn't a blocker).

-Rahul


> Craig
>
> On May 5, 2009, at 11:35 PM, Christian Grobmeier wrote:
>
>>> gpg: Can't check signature: public key not found
>>> [CraigRussell:~/Downloads] clr% gpg --recv-keys 42196CA8
>>> gpg: requesting key 42196CA8 from hkp server subkeys.pgp.net
>>> gpgkeys: key 42196CA8 not found on keyserver
>>
>> Thanks, I sent it to several keyservers now :-)
>> Can you try again?
>>
>> Christian
>>

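Craig's two gpg runs above (key not found, then "Good signature" with the "not certified with a trusted signature" warning) and Rahul's rule that a signing key listed in KEYS is sufficient can be turned into a mechanical release check. The following is an added example, not code from the thread or from Apache: it reads the machine-readable `[GNUPG:]` lines that `gpg --status-fd 1 --verify` emits and accepts a signature only when gpg reports VALIDSIG and the signing key's fingerprint (or its primary key's) appears in a KEYS file. The KEYS excerpt and all status lines are constructed for the example; the key id and fingerprint are the ones quoted in the thread, and the e-mail address is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# KEYS files are produced with `gpg --list-keys --fingerprint`; older gpg writes
# "Key fingerprint = XXXX XXXX ...", gpg 2.1+ writes the grouped fingerprint on its own line.
FPR_LINE = re.compile(
    r"^\s*(?:Key fingerprint\s*=\s*)?((?:[0-9A-Fa-f]{4}\s+){9}[0-9A-Fa-f]{4})\s*$"
)


def load_keys_fingerprints(keys_text: str) -> Set[str]:
    """Return the 40-hex fingerprints listed in a KEYS file, uppercased, spaces removed."""
    found = set()
    for line in keys_text.splitlines():
        m = FPR_LINE.match(line)
        if m:
            found.add(re.sub(r"\s+", "", m.group(1)).upper())
    return found


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def judge(status_output: str, allowed: Set[str]) -> Verdict:
    """Decide from `gpg --status-fd 1 --verify` lines whether a release signature is acceptable.

    Two conditions: gpg reports VALIDSIG (cryptographic check passed) and the signing key or its
    primary key is listed in KEYS. Web-of-trust state (TRUST_UNDEFINED is what lies behind gpg's
    "not certified with a trusted signature" warning) is reported but, per the thread, not required.
    """
    valid: List[str] = []
    trust = "no trust line"
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "NO_PUBKEY":
            return Verdict(False, f"public key {fields[2]} not in keyring; import KEYS first")
        if tag == "BADSIG":
            return Verdict(False, f"BAD signature by {fields[2]}; artifact or .asc corrupt or tampered")
        if tag == "VALIDSIG":
            # fields[2]: fingerprint of the (sub)key that signed; fields[11], when present:
            # fingerprint of the primary key, which is what KEYS files list.
            valid.append(fields[2].upper())
            if len(fields) > 11:
                valid.append(fields[11].upper())
        if tag.startswith("TRUST_"):
            trust = tag
    if not valid:
        return Verdict(False, "no VALIDSIG line: nothing verified")
    for fpr in valid:
        if fpr in allowed:
            return Verdict(True, f"good signature by a key listed in KEYS ({trust})", fpr)
    return Verdict(False, f"good signature, but key {valid[0]} is not in KEYS", valid[0])


# Constructed KEYS excerpt: key id and fingerprint as quoted in the thread, placeholder address.
SAMPLE_KEYS = """\
pub   1024D/42196CA8 2009-05-05
      Key fingerprint = 9D23 5338 96A9 7847 0358  5B62 86E0 2C5A 4219 6CA8
uid                  Christian Grobmeier (Apache Codesigning) <redacted@example.invalid>
"""
FPR = "9D23533896A9784703585B6286E02C5A42196CA8"

# Constructed status lines modelled on the two runs in the thread (key absent, then imported),
# plus two cases the thread does not show: a key that is not in KEYS, and a corrupt signature.
STATUS_NO_KEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 86E02C5A42196CA8 17 2 00 1241586789 9
[GNUPG:] NO_PUBKEY 86E02C5A42196CA8
"""
STATUS_GOOD = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 86E02C5A42196CA8 Christian Grobmeier (Apache Codesigning) <redacted@example.invalid>
[GNUPG:] VALIDSIG {FPR} 2009-05-06 1241586789 0 4 0 17 2 00 {FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
UNLISTED = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed fingerprint, not in KEYS
STATUS_UNLISTED = f"""[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else <nobody@example.invalid>
[GNUPG:] VALIDSIG {UNLISTED} 2009-05-06 1241586789 0 4 0 17 2 00 {UNLISTED}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_BAD = """[GNUPG:] BADSIG 86E02C5A42196CA8 Christian Grobmeier (Apache Codesigning) <redacted@example.invalid>
"""

if __name__ == "__main__":
    allowed = load_keys_fingerprints(SAMPLE_KEYS)
    for name, status in [("key missing", STATUS_NO_KEY), ("key imported", STATUS_GOOD),
                         ("unlisted key", STATUS_UNLISTED), ("corrupt sig", STATUS_BAD)]:
        v = judge(status, allowed)
        print(f"{name:13} -> {'ACCEPT' if v.ok else 'REJECT'}: {v.reason}")
```

In practice the status text comes from importing the project's KEYS file into a scratch keyring (`gpg --no-default-keyring --keyring ./keys.gpg --import KEYS`) and then running `gpg --no-default-keyring --keyring ./keys.gpg --status-fd 1 --verify release.tar.gz.asc release.tar.gz`; parsing the `[GNUPG:]` lines rather than the human-readable text avoids locale and version differences in the "Good signature" wording. The unlisted-key case is the one worth noticing: gpg still prints "Good signature" for it, so a check that stops at that line would accept a release signed by anyone.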
Re: [releasing] PGP keys for code signing

Christian Grobmeier
>> I'd vote for this signature being valid to sign releases. Only incubator
>> releases right now, since it hasn't been signed by the Apache WOT. That can
>> be fixed at a Sign-a-Thon. ;-)
>>
> I'd vote for Apache Commons releases signed by any key that's in the
> KEYS file (regardless of WOT status -- keysigning would be good and is
> encouraged, but isn't a blocker).

I would be glad about that

Re: [releasing] PGP keys for code signing

Dave Meikle
In reply to this post by Rahul Akolkar
2009/5/6 Rahul Akolkar <[hidden email]>

> On Wed, May 6, 2009 at 10:43 AM, Craig L Russell <[hidden email]>
> wrote:
> > Much better!
> >
> <snip/>
> > [CraigRussell:~/Downloads] clr% gpg --verify
> > commons-chain-1.2-bin.tar.gz.asc
> > gpg: Signature made Tue May  5 22:13:09 2009 PDT using DSA key ID
> 42196CA8
> > gpg: Good signature from "Christian Grobmeier (Apache Codesigning)
> > <[hidden email]>"
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg:          There is no indication that the signature belongs to the
> > owner.
> > Primary key fingerprint: 9D23 5338 96A9 7847 0358  5B62 86E0 2C5A 4219
> 6CA8
> >
> > I'd vote for this signature being valid to sign releases. Only incubator
> > releases right now, since it hasn't been signed by the Apache WOT. That
> can
> > be fixed at a Sign-a-Thon. ;-)
> >
> <snap/>
>
> I'd vote for Apache Commons releases signed by any key that's in the
> KEYS file (regardless of WOT status -- keysigning would be good and is
> encouraged, but isn't a blocker).


+1

Cheers,
Dave