Here's what I came up with:

https://gist.github.com/dkuppitz/55d62c451a52d028825ea73803ae6320

This new approach verifies that the file was signed by anyone who's listed in the KEYS file (the one hosted on Apache servers, not the one in the repo) and that the signature matches the one listed on Apache's site.
CTR? PR?

Cheers,
Daniel

On Wed, Apr 4, 2018 at 2:28 PM, Daniel Kuppitz <[email protected]> wrote:

> I guess we could use the link above, but we would still have to have a
> hard coded list of committers, unless we want to allow any Apache committer
> to sign the artifacts. But it still sounds more secure to do it this way,
> I'll give it a try tomorrow.
>
>
> On Wed, Apr 4, 2018, 2:21 PM Stephen Mallette <[email protected]> wrote:
>
>> Kuppitz, just thought I'd start a fresh thread for this gpg issue. Reading
>> about how to validate the authenticity of a key a bit and it seems like a
>> reasonable level of validation would be to verify the key against the list
>> of apache committers:
>>
>> https://people.apache.org/keys/committer/
>>
>> I guess validate-distribution.sh does that in a sense by allowing through
>> certain keys by hardcoding known ones directly into the shell script. Maybe
>> just leave it like that and we just add new keys as needed? Or is it easy
>> to alter the validate-distribution.sh script to verify the key against that
>> link above?
>>
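The policy the thread settles on, "the artifact must be signed by a key that appears in the KEYS file published by Apache", can be checked independently of whatever happens to sit in the developer's own keyring. The following is an added example written for this page, not the gist's code and not the project's validate-distribution.sh: it reads the issuer of a detached `.asc` signature straight from the OpenPGP packets and compares it with the fingerprints listed in KEYS. It assumes the two KEYS layouts gpg has produced over the years (a bare 40-digit fingerprint under the `pub` line, or an older `Key fingerprint =` line); the function names, the sample KEYS excerpt and the sample signature are all constructed here.

```python
"""Added illustration, not the TinkerPop validate-distribution.sh script or the gist's
code: which key issued a detached .asc signature, and is it listed in an Apache KEYS file?"""
import base64
import re

_ARMOR_BLOCK = re.compile(r"-----BEGIN PGP.*?-----END PGP[^\n]*", re.S)
_FINGERPRINT = re.compile(r"\b(?:[0-9A-Fa-f]{4} ?){10}\b")   # 40 hex digits, spaces optional

def allowed_key_ids(keys_text):
    """Long (64-bit) key IDs of every fingerprint the KEYS file lists."""
    text = _ARMOR_BLOCK.sub("", keys_text)   # never scan the base64 key material itself
    return {m.group(0).replace(" ", "").upper()[-16:] for m in _FINGERPRINT.finditer(text)}

def dearmor(asc_text):
    """Packet bytes of an armored signature; armor headers and the '=' CRC line are skipped."""
    lines = asc_text.strip().splitlines()
    if lines[0] != "-----BEGIN PGP SIGNATURE-----":
        raise ValueError("not an armored PGP signature")
    body, in_body = [], False
    for line in lines[1:]:
        if line == "-----END PGP SIGNATURE-----":
            return base64.b64decode("".join(body))
        if in_body and not line.startswith("="):
            body.append(line.strip())
        in_body = in_body or line.strip() == ""   # first blank line ends the armor headers
    raise ValueError("unterminated armor")

def _length(buf, i):
    """New-format length octets (RFC 4880 4.2.2); subpacket lengths use the same encoding."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 255:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def _packets(data):
    """Yield (tag, body) for every packet, accepting old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet header")
        if ctb & 0x40:                                # new format: tag in the low six bits
            if 224 <= data[i + 1] < 255:
                raise ValueError("partial body lengths are not supported")
            tag, (length, i) = ctb & 0x3F, _length(data, i + 1)
        else:                                         # old format: tag in bits 5-2, length type in 1-0
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            if n == 8:
                raise ValueError("indeterminate packet length is not supported")
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def signature_issuer(sig_bytes):
    """Long key ID of the first v4 signature's issuer: hashed Issuer Fingerprint (33) wins, Issuer (16) is fallback."""
    for tag, body in _packets(sig_bytes):
        if tag != 2 or body[:1] != b"\x04":
            continue                                  # not a version 4 signature packet
        pos, issuer = 4, None                         # skip version, sig type, pk algo, hash algo
        for _area in ("hashed", "unhashed"):
            area_len = int.from_bytes(body[pos:pos + 2], "big")
            area, pos, j = body[pos + 2:pos + 2 + area_len], pos + 2 + area_len, 0
            while j < len(area):
                sp_len, j = _length(area, j)
                sp_type, sp_body = area[j] & 0x7F, area[j + 1:j + sp_len]
                j += sp_len
                if sp_type == 33 and sp_body[:1] == b"\x04":
                    return sp_body[1:21].hex().upper()[-16:]
                if sp_type == 16 and len(sp_body) == 8:
                    issuer = issuer or sp_body.hex().upper()
        if issuer:
            return issuer
    raise ValueError("signature carries no issuer information")

def check_signer(asc_text, keys_text):
    """Policy check: the issuing key is listed in KEYS by fingerprint.  gpg --verify still does the crypto."""
    return signature_issuer(dearmor(asc_text)) in allowed_key_ids(keys_text)

def build_sample_signature(issuer_hex):
    """Constructed test data: well-formed armored v4 signature naming issuer_hex; dummy MPI, gpg would reject it."""
    hashed = bytes([5, 2]) + (0x5AC3A1B0).to_bytes(4, "big")        # creation-time subpacket
    unhashed = bytes([9, 16]) + bytes.fromhex(issuer_hex)            # issuer key ID subpacket
    body = (bytes([4, 0x00, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed   # v4, binary, RSA, SHA-256
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\xAB\xCD" + b"\x00\x01\x01")
    packet = bytes([0x88, len(body)]) + body                         # old-format header, tag 2
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(packet).decode()
            + "\n-----END PGP SIGNATURE-----\n")

# Constructed KEYS excerpt in both fingerprint layouts gpg has produced over the years.
SAMPLE_KEYS = """\
pub   rsa4096 2016-05-10 [SC]
      0123456789ABCDEF0123456789ABCDEF01234567
uid           [ultimate] Release Manager (constructed) <rm@example.invalid>
pub   4096R/89ABCDEF 2013-01-15
      Key fingerprint = FEDC BA98 7654 3210 FEDC BA98 7654 3210 89AB CDEF
uid                  Second Committer (constructed) <c2@example.invalid>
-----BEGIN PGP PUBLIC KEY BLOCK-----
(key material omitted from this constructed sample)
-----END PGP PUBLIC KEY BLOCK-----
"""
```

`check_signer` only answers "is this key one the project vouches for"; the cryptographic part still belongs to `gpg --verify`, and the two line up neatly if gpg is run under a throwaway GNUPGHOME into which nothing but the freshly downloaded KEYS file has been imported, because then no key from the developer's personal keyring can satisfy the verification. Old KEYS entries that identify a key only by the 32-bit short ID on the `pub` line (`4096R/89ABCDEF` above) are deliberately not matched: short key IDs are cheap to collide, so the example trusts fingerprints alone.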
