Here are my checks:

Current signing key in debian/upstream/signing-key.asc is:

$ gpg debian/upstream/signing-key.asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub   rsa4096 2016-10-25 [SC]
      B06884EDB779C89B044E64E3CD6DBF8EF3B17D3E
uid           Amos Jeffries (Squid Signing Key) <[email protected]>

squid 6.10 tarball was signed by:

gpg: Signature made Sat 08 Jun 2024 11:53:47 AM -03
gpg: using EDDSA key 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865
gpg: Good signature from "Francesco Chemolli (code signing key) <[email protected]>" [unknown]

29B4B1F7CE03D1B1DED22F3028F85029FEF6E865 is present in
https://www.squid-cache.org/pgp.asc

29B4B1F7CE03D1B1DED22F3028F85029FEF6E865 was signed by:

$ gpg --list-sigs 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865
pub   ed25519 2021-05-15 [SC]
      29B4B1F7CE03D1B1DED22F3028F85029FEF6E865
uid           [ unknown] Francesco Chemolli (code signing key) <[email protected]>
sig 3        28F85029FEF6E865 2021-05-15  [self-signature]
sig          CD6DBF8EF3B17D3E 2024-01-23  Amos Jeffries (Squid Signing Key) <[email protected]>
sub   cv25519 2021-05-15 [E]
sig          28F85029FEF6E865 2021-05-15  [self-signature]

Key CD6DBF8EF3B17D3E:

$ gpg --list-keys CD6DBF8EF3B17D3E
pub   rsa4096 2016-10-25 [SC]
      B06884EDB779C89B044E64E3CD6DBF8EF3B17D3E
uid           [ unknown] Amos Jeffries (Squid Signing Key) <[email protected]>

That is the B06884EDB779C89B044E64E3CD6DBF8EF3B17D3E key that is in the
debian/upstream/signing-key.asc file.

Therefore, the previous signing key signed the new key, establishing the
chain of trust.

In summary, given that:

a) the key that signed the 6.10 release tarball is present in
   https://www.squid-cache.org/pgp.asc
b) the key that signed the 6.10 release tarball was signed by the previous key
   we have in d/u/signing-key.asc

I conclude that this is enough to add the new signing key to
d/u/signing-key.asc, and validate the 6.10 tarball.

Could you please file a PR in salsa with this reasoning, if you agree
with it of course, updating the key? Let's see if they act on it today
or tomorrow.

--
https://bugs.launchpad.net/bugs/2073322
Title:
Upstream microrelease 6.10
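
An added example, not part of the original message or of any Debian/Ubuntu tooling: the cross-certification check from the message, done on machine-readable output. It reads `gpg --with-colons --check-sigs` output (which verifies each certification, where `--list-sigs` only lists them) and succeeds only if the new key carries a verified, unrevoked certification from the trusted full fingerprint. `certified_by` and `sample_listing` are hypothetical names, and the sample listing (timestamps, user IDs, subkey ID) is constructed.

```shell
#!/bin/sh
# Usage (assumes both keys are in the local keyring):
#   gpg --with-colons --check-sigs "$NEW" | certified_by "$NEW" "$OLD"

# certified_by NEW_FPR TRUSTED_FPR  (full 40-hex fingerprints, listing on stdin)
# Exit 0 only if NEW_FPR has a user-ID certification from TRUSTED_FPR that gpg
# marked as verified ("!") and that TRUSTED_FPR has not revoked.
certified_by() {
    awk -F: -v target="$1" -v trusted="$2" '
        BEGIN { target = toupper(target); trusted = toupper(trusted)
                keyid = substr(trusted, length(trusted) - 15) }  # long key ID
        $1 == "pub" { want_fpr = 1; in_target = 0; in_uid = 0; next }
        $1 == "sub" { in_uid = 0; next }          # subkey binding sigs do not count
        $1 == "fpr" && want_fpr { in_target = ($10 == target); want_fpr = 0; next }
        $1 == "uid" { in_uid = in_target; next }
        ($1 == "sig" || $1 == "rev") && in_uid && $5 == keyid {
            if (substr($2, 1, 1) != "!") next      # "-" bad, "?" no key, "%" error
            if ($13 != "" && $13 != trusted) next  # issuer fingerprint, when gpg gives it
            if ($1 == "rev") revoked = 1           # conservative: any uid revocation
            else if ($11 ~ /^1[0-3][xl]$/) good = 1  # certification classes 0x10-0x13
        }
        END { exit !(good && !revoked) }
    '
}

# Constructed sample input. $1 is the validity flag placed on the certification
# made by key ID CD6DBF8EF3B17D3E ("!" verified, "?" signer key missing, "-" bad).
sample_listing() {
    cat <<EOF
pub:-:255:22:28F85029FEF6E865:1621036800:::-:::scESC:::::ed25519:::0:
fpr:::::::::29B4B1F7CE03D1B1DED22F3028F85029FEF6E865:
uid:-::::1621036800::::New signer <new@example.invalid>::::::::::0:
sig:!::22:28F85029FEF6E865:1621036800::::New signer <new@example.invalid>:13x:::::10:
sig:$1::1:CD6DBF8EF3B17D3E:1705968000::::Old signer <old@example.invalid>:10x:::::8:
sub:-:255:18:0000000000000000:1621036800::::::e:::::cv25519::
sig:!::22:28F85029FEF6E865:1621036800::::New signer <new@example.invalid>:18x:::::10:
EOF
}
```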