I think that approach makes sense. From my perspective I don't think this needs a PR. Maybe just wait until end of day Friday to CTR it in? This discussion basically serves as review imo.
On Thu, Apr 5, 2018 at 11:43 AM, Daniel Kuppitz <[email protected]> wrote:

> Here's what I came up with:
> https://gist.github.com/dkuppitz/55d62c451a52d028825ea73803ae6320
>
> This new approach verifies that the file was signed by anyone who's listed in the KEYS file (the one hosted on Apache servers, not the one in the repo) and that the signature matches the one listed on Apache's site.
>
> CTR? PR?
>
> Cheers,
> Daniel
>
> On Wed, Apr 4, 2018 at 2:28 PM, Daniel Kuppitz <[email protected]> wrote:
>
> > I guess we could use the link above, but we would still have to have a hard coded list of committers, unless we want to allow any Apache committer to sign the artifacts. But it still sounds more secure to do it this way, I'll give it a try tomorrow.
> >
> > On Wed, Apr 4, 2018, 2:21 PM Stephen Mallette <[email protected]> wrote:
> >
> >> Kuppitz, just thought I'd start a fresh thread for this gpg issue. Reading about how to validate the authenticity of a key a bit and it seems like a reasonable level of validation would be to verify the key against the list of apache committers:
> >>
> >> https://people.apache.org/keys/committer/
> >>
> >> I guess validate-distribution.sh does that in a sense by allowing through certain keys by hardcoding known ones directly into the shell script. Maybe just leave it like that and we just add new keys as needed? or is it easy to alter the validate-distribution.sh script to verify the key against that link above?
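The check Daniel describes (the artifact's signature must come from a key listed in the Apache-hosted KEYS file, and its published checksum must match) as an added Python example; this is not the gist or the project's validate-distribution.sh. The KEYS text, gpg status lines and checksum line are constructed, the gpg flags are real, the status parsing assumes gpg's `--status-fd` output format, and the checksum file is assumed to be in sha512sum's `<hex>  <filename>` form.

```python
# Added example (not the gist or validate-distribution.sh from this thread):
# accept a release artifact only if its GPG signature comes from a key listed
# in the project's KEYS file and its SHA-512 digest matches the published one.
import hashlib
import re
import subprocess
from typing import Iterable, Optional, Set, Tuple

# Fingerprint lines as `gpg --fingerprint` writes them into a KEYS file
# (assumed format: "Key fingerprint = XXXX XXXX ... XXXX", 40 hex digits).
_FPR_LINE = re.compile(r"Key fingerprint = ([0-9A-F ]{40,50})")
# gpg --status-fd emits VALIDSIG only for a signature that verified;
# its first field is the full fingerprint of the signing key.
_VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ")


def trusted_fingerprints(keys_text: str) -> Set[str]:
    """Collect every 40-hex-digit fingerprint listed in a KEYS file."""
    return {m.group(1).replace(" ", "") for m in _FPR_LINE.finditer(keys_text)}


def signer_fingerprint(status_lines: Iterable[str]) -> Optional[str]:
    """Fingerprint from the VALIDSIG status line, or None when the
    signature is bad, missing, or made by a key gpg does not hold."""
    for line in status_lines:
        m = _VALIDSIG.match(line)
        if m:
            return m.group(1)
    return None


def sha512_matches(data: bytes, checksum_line: str) -> bool:
    """Compare the artifact digest with a published .sha512 line, assumed to
    be in sha512sum's "<hex>  <filename>" form (hex compared case-insensitively)."""
    expected = checksum_line.split()[0].lower()
    return hashlib.sha512(data).hexdigest() == expected


def gpg_status_lines(artifact: str, signature: str, keyring: str) -> list:
    """Run gpg against an isolated keyring that holds only the KEYS file
    (real gpg flags). Not invoked by the offline demo below."""
    proc = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout.splitlines()


def validate_release(data: bytes, checksum_line: str,
                     status_lines: Iterable[str], keys_text: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Every check must pass; the cheap digest
    comparison runs first."""
    if not sha512_matches(data, checksum_line):
        return False, "checksum mismatch"
    fpr = signer_fingerprint(status_lines)
    if fpr is None:
        return False, "no valid signature"
    if fpr not in trusted_fingerprints(keys_text):
        return False, f"signer {fpr} is not in KEYS"
    return True, f"signed by {fpr}"


# --- constructed sample data (not real keys, files or gpg output) ---
CONSTRUCTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
CONSTRUCTED_KEYS = """\
pub   rsa4096 2017-01-01 [SC]
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid           Example Committer <committer@example.invalid>
-----BEGIN PGP PUBLIC KEY BLOCK-----
(armored key omitted in this constructed sample)
-----END PGP PUBLIC KEY BLOCK-----
"""
CONSTRUCTED_ARTIFACT = b"apache-example-1.0.0-bin.zip (constructed contents)"
CONSTRUCTED_SHA512_LINE = (hashlib.sha512(CONSTRUCTED_ARTIFACT).hexdigest()
                           + "  apache-example-1.0.0-bin.zip")
CONSTRUCTED_STATUS_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Committer <committer@example.invalid>",
    f"[GNUPG:] VALIDSIG {CONSTRUCTED_FPR} 2018-04-05 1522929800 0 4 0 1 10 00 {CONSTRUCTED_FPR}",
]
CONSTRUCTED_STATUS_BAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Committer <committer@example.invalid>",
]
CONSTRUCTED_STATUS_UNLISTED = [
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] VALIDSIG {'F' * 40} 2018-04-05 1522929800 0 4 0 1 10 00 {'F' * 40}",
]

if __name__ == "__main__":
    for name, status in [("good", CONSTRUCTED_STATUS_GOOD),
                         ("bad", CONSTRUCTED_STATUS_BAD),
                         ("unlisted", CONSTRUCTED_STATUS_UNLISTED)]:
        print(name, validate_release(CONSTRUCTED_ARTIFACT, CONSTRUCTED_SHA512_LINE,
                                     status, CONSTRUCTED_KEYS))
    print("tampered", validate_release(CONSTRUCTED_ARTIFACT + b"!", CONSTRUCTED_SHA512_LINE,
                                       CONSTRUCTED_STATUS_GOOD, CONSTRUCTED_KEYS))
```

Two design points: the keyring passed to gpg is a throwaway one populated only from the KEYS file fetched from the Apache servers, so a key that merely sits in the verifier's personal keyring cannot make a signature "good"; and the fingerprint from VALIDSIG is still compared against the parsed KEYS list, which keeps the decision correct even if the script is run against a default keyring by mistake. GOODSIG alone is not enough, since it carries only the short key ID.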
