Hi Tatu,

On Sat, 2021-03-06 at 19:48 -0800, Tatu Saloranta wrote:
> On Fri, Mar 5, 2021 at 10:22 AM 'Ward, Evan' via jackson-user
> <[email protected]> wrote:
> > 
> > Hi,
> > 
> > First, thank you for making Jackson!
> 
> Hi there!
> 
> > 
> > I noticed while upgrading to a newer version of Jackson that the key
> > used to sign releases changed with release 2.11.2. I checked the
> > release notes, but didn't see any mention of the change in keys. The
> > problem is that I can't find the public key anywhere, which leaves me
> > unable to verify the releases are authentic. So my question is
> > threefold:
> > 
> > 1. Who owns 0x8A10792983023D5D14C93B488D7F1BEC1E2ECAE7 ?
> 
> That would be me, and email associated with it should be
> "[email protected]".
> As per this:
> 
> https://keys.openpgp.org/search?q=tatu.saloranta%40iki.fi

Thanks, somehow I missed that.

> 
> and I have tried my best to make it available through that key
> server.
> Apparently there are some oddities in gpg key publishing,
> like as per:
> 
> https://superuser.com/questions/1485213/gpg-cant-import-key-new-key-but-contains-no-user-id-skipped
> 
> > 2. Is that key authorized to make Jackson releases?
> 
> Yes.

Thanks for the confirmation.

> 
> > 3. Can you publish it?
> 
> I was under impression I had done that, but apparently there is no
> functioning syncing/merging functionality across
> various key servers these days; nor canonical way.
> 
> > Either to a key server such as http://keyserver.ubuntu.com/ or
> 
> I can try to see how to upload it there.

Thanks, I see it there now.

> 
> > following Apache's model to a KEYS file in your git repository. Or
> > both
> > would be even better so that it is easy to access via a standard
> > protocol and it is clear that it is authorized to make releases for
> > the
> > Jackson project.
> 
> Do you have an example project I could look at? I think I'd want to
> add something on:
> 
> https://github.com/FasterXML/jackson/
> 
> because there are more than a dozen Jackson repositories and it seems
> counterproductive to have to update all of them
> when gpg keys expire (previous one expired after 5 years but ideally I
> assume keys should be for even shorter timespans).

Yes, makes sense. There doesn't seem to be much consensus on how to
attribute which keys are authorized to make releases.

Apache has a KEYS file in their SVN repository that only committers can
update. E.g. [1]. It's similar to the idea behind Let's Encrypt. Prove
that you can edit a file that only a person trusted to make a release
could edit (i.e. the KEYS file in SVN, or in your case a file in your
GitHub repository), then that key will be trusted to make releases.

I've also seen people upload it to their GitHub profile. Similar idea,
with the advantage that GitHub will show a check mark next to your
commits if you sign them. Your public keys are then published at [2].
Then it can be checked that the person who made the release commit
signed it with a key listed in their GitHub profile.

Other projects don't seem to publish which keys are trusted to make
releases, so that is when I ask on the mailing list. :)

Thanks again for making Jackson!

Regards,
Evan

[1] https://dist.apache.org/repos/dist/release/commons/KEYS
[2] https://api.github.com/users/cowtowncoder/gpg_keys

> 
> -+ Tatu +-
> 
> > 
> > Best Regards,
> > Evan
> > 

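Added example (not part of the thread, and not the Jackson project's own tooling): the verification step the thread is building towards, written the way a release consumer would script it. The security-relevant point is the one Evan's question 2 makes: `gpg --verify` exiting 0 only tells you the signature was made by some key in your keyring, so the check has to pin the signer's primary-key fingerprint against the set of keys the project has declared authorized (a KEYS file, or the GitHub gpg_keys endpoint). The fingerprint in the allowlist is the one confirmed above; the status lines used for the offline demonstration are constructed samples in the documented `gpg --status-fd` format, not captured from a real run, and `verify_release` assumes a gpg 2.x binary on PATH.

```shell
#!/bin/sh
# Verify a detached OpenPGP signature on a release artifact and require that
# the signing key is on an allowlist (the "KEYS file" model from the thread).
# Added example; assumes gpg 2.x for the live path. The parsing is offline.

# Fingerprints authorized to sign releases. The entry below is the one the
# thread confirms. In practice, populate this from the project's KEYS file
# or GitHub gpg_keys endpoint (fetched over TLS) and pin the result.
AUTHORIZED_FPRS="8A10792983023D5D14C93B488D7F1BEC1E2ECAE7"

# is_authorized FPR -> 0 if FPR (any case) is listed in AUTHORIZED_FPRS.
is_authorized() {
    fpr=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    for a in $AUTHORIZED_FPRS; do
        [ "$a" = "$fpr" ] && return 0
    done
    return 1
}

# check_status STATUS_TEXT -> prints the primary-key fingerprint and returns
# 0 only when gpg reported VALIDSIG for an allowlisted key. STATUS_TEXT is the
# machine-readable output of `gpg --status-fd 1`. GOODSIG is deliberately not
# enough: it is emitted for any key present in the local keyring.
check_status() {
    # VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsvd> <pkalg> <hash> <class> <primary-fpr>
    # The primary-key fingerprint is always the last field, so use $NF.
    primary=$(printf '%s\n' "$1" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$primary" ] || return 1          # BADSIG, ERRSIG/NO_PUBKEY, or no signature
    is_authorized "$primary" || return 1   # valid signature, but not a release key
    printf '%s\n' "$primary"
}

# verify_release ARTIFACT SIGNATURE -> live check using gpg (needs gpg on PATH
# and the release key imported, e.g. from keyserver.ubuntu.com).
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    check_status "$status"
}

# Constructed sample status output (not from a real gpg run). Key ID is the
# low 64 bits of the fingerprint above; the user ID string is made up.
SAMPLE_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 8D7F1BEC1E2ECAE7 Release Signer (constructed sample)
[GNUPG:] VALIDSIG 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7 2021-03-01 1614556800 0 4 0 1 10 00 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a signature that is cryptographically valid but made by a key
# that nobody authorized to sign releases (fake fingerprint).
SAMPLE_UNAUTHORIZED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Somebody Else (constructed sample)
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-03-01 1614556800 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: tampered artifact (BADSIG), and key not in keyring (NO_PUBKEY).
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 8D7F1BEC1E2ECAE7 Release Signer (constructed sample)'
SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 8D7F1BEC1E2ECAE7 1 10 00 1614556800 9 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
[GNUPG:] NO_PUBKEY 8D7F1BEC1E2ECAE7'

# Offline demonstration on the constructed sample.
if signer=$(check_status "$SAMPLE_OK"); then
    echo "authorized release signer: $signer"
else
    echo "signature rejected"
fi
```

Usage for a real artifact is `verify_release jackson-databind-2.11.2.jar jackson-databind-2.11.2.jar.asc` after importing the key from the keyserver; the function prints the fingerprint and exits 0, or exits 1 for a bad signature, a missing key, or a key that is not on the allowlist. Note that ERRSIG carries the signer's fingerprint too, but it is never accepted here because only VALIDSIG is parsed.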