On Mon, Mar 8, 2021 at 7:10 AM 'Ward, Evan' via jackson-user <[email protected]> wrote:
>
> Hi Tatu,
>
> On Sat, 2021-03-06 at 19:48 -0800, Tatu Saloranta wrote:
> > On Fri, Mar 5, 2021 at 10:22 AM 'Ward, Evan' via jackson-user
> > <[email protected]> wrote:
> > > Hi,
> > >
> > > First, thank you for making Jackson!
> >
> > Hi there!
> >
> > > I noticed while upgrading to a newer version of Jackson that the key
> > > used to sign releases changed with release 2.11.2. I checked the
> > > release notes, but didn't see any mention of the change in keys. The
> > > problem is that I can't find the public key anywhere, which leaves me
> > > unable to verify the releases are authentic. So my question is
> > > threefold:
> > >
> > > 1. Who owns 0x8A10792983023D5D14C93B488D7F1BEC1E2ECAE7 ?
> >
> > That would be me, and the email associated with it should be
> > "[email protected]".
> > As per this:
> >
> > https://keys.openpgp.org/search?q=tatu.saloranta%40iki.fi
>
> Thanks, somehow I missed that.

It is a bit obscure; searching by hash did not quite seem to work... I am still not 100% sure what the best way to verify accessibility would be. But at least I know now to get others involved when I need to switch keys again later in 2022, so double-check that they can see keys (I obviously can as my local system has them).

> > and I have tried my best to make it available through that key server.
> > Apparently there are some oddities in gpg key publishing,
> > like as per:
> >
> > https://superuser.com/questions/1485213/gpg-cant-import-key-new-key-but-contains-no-user-id-skipped
> >
> > > 2. Is that key authorized to make Jackson releases?
> >
> > Yes.
>
> Thanks for the confirmation.
>
> > > 3. Can you publish it?
> >
> > I was under the impression I had done that, but apparently there is no
> > functioning syncing/merging functionality across
> > various key servers these days; nor a canonical way.
> >
> > > Either to a key server such as http://keyserver.ubuntu.com/ or
> >
> > I can try to see how to upload it there.
>
> Thanks, I see it there now.

Ok good.

> > > following Apache's model to a KEYS file in your git repository. Or both
> > > would be even better so that it is easy to access via a standard
> > > protocol and it is clear that it is authorized to make releases for the
> > > Jackson project.
> >
> > Do you have an example project I could look at? I think I'd want to
> > add something on:
> >
> > https://github.com/FasterXML/jackson/
> >
> > because there are more than a dozen Jackson repositories and it seems
> > counterproductive to have to update all of them
> > when gpg keys expire (previous one expired after 5 years but ideally I
> > assume keys should be for even shorter timespans).
>
> Yes, makes sense. There doesn't seem to be much consensus on how to attribute
> which keys are authorized to make releases.

Makes sense.

> Apache has a KEYS file in their SVN repository that only committers can
> update. E.g. [1]. It's similar to the idea behind Let's Encrypt. Prove that
> you can edit a file that only a person trusted to make a release could edit
> (i.e. the KEYS file in SVN, or in your case a file in your GitHub
> repository), then that key will be trusted to make releases.
>
> I've also seen people upload it to their GitHub profile. Similar idea with
> the advantage that GitHub will show a check mark next to your commits if you
> sign them. Your public keys are then published at [2]. Then it can be checked
> that the person who made the release commit signed it with a key listed in
> their GitHub profile.
>
> Other projects don't seem to publish which keys are trusted to make releases,
> so that is when I ask on the mailing list. :)

Yes, I think that is a good idea as this helps other users as well. I have been asked about the new key off-channel as well.

I'll try to figure out ways to improve this aspect as well; right now I don't think there are other active developers with more experience on things like release management, so I am learning as we go. :-)

> Thanks again for making Jackson!

You are welcome!

-+ Tatu +-

> Regards,
> Evan
>
> [1] https://dist.apache.org/repos/dist/release/commons/KEYS
> [2] https://api.github.com/users/cowtowncoder/gpg_keys
>
> > -+ Tatu +-
> >
> > > Best Regards,
> > > Evan
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups
> > > "jackson-user" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an
> > > email to [email protected].
> > > To view this discussion on the web visit
> > > https://groups.google.com/d/msgid/jackson-user/15be318d87d07640591f0cdd884f85d88a1af707.camel%40nrl.navy.mil.
>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jackson-user/6f252dcb1202cada8f83ae54583c3dd6f3f89065.camel%40nrl.navy.mil.

To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-user/CAL4a10hzJXXnU4Snedo364dqqOoVRYcrt3tca-SeEUQj%2Be64Hw%40mail.gmail.com.
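The verification step the thread is about, as an added example (not code from the thread or from the Jackson project): a POSIX shell helper that pins the release-signing fingerprint Tatu names and accepts a signature only if gpg's machine-readable status output attributes it to that key, so a good signature from some other key that happens to be in the keyring is rejected. The keyserver URL, the artifact naming and the sample status text are assumptions I made up for the example.

```shell
#!/bin/sh
# Added example, not part of the jackson-user thread or the Jackson project.
# Pinned fingerprint of the key the thread identifies as the release-signing
# key from 2.11.2 onwards; everything else below is assumed.
EXPECTED_FPR="8A10792983023D5D14C93B488D7F1BEC1E2ECAE7"

# check_validsig STATUS_TEXT EXPECTED_FPR
# STATUS_TEXT is the output of `gpg --status-fd 1 --verify`. Succeed only if a
# VALIDSIG line names the pinned fingerprint (as the signing key, field 3, or
# as the primary key, the last field) and no BADSIG/REVKEYSIG line is present.
# A GOODSIG line alone is not enough: it proves *a* keyring key signed, not
# which one.
check_validsig() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "REVKEYSIG") { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_release ARTIFACT
# Expects the detached signature at ARTIFACT.asc (assumed layout). Fetches the
# pinned key by full fingerprint (assumed keyserver), then verifies against it.
# Returns 0 on a pinned-key match, 2 if the key could not be fetched, 1 otherwise.
verify_release() {
    artifact="$1"
    gpg --batch --keyserver hkps://keyserver.ubuntu.com \
        --recv-keys "$EXPECTED_FPR" >/dev/null 2>&1 || return 2
    status=$(gpg --batch --status-fd 1 --verify "$artifact.asc" "$artifact" 2>/dev/null)
    check_validsig "$status" "$EXPECTED_FPR"
}

# Usage: ./verify-release.sh jackson-core-2.11.2.jar
if [ "$#" -gt 0 ]; then
    verify_release "$1" && echo "signature matches pinned key $EXPECTED_FPR"
fi
```

Pinning the fingerprint is what the KEYS-file and GitHub-profile approaches in the thread ultimately feed: the file tells you which fingerprint to pin, and the check above enforces it.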
