doc: ensure that GPG key used to sign the latest LTS release (12.6.1), as well as 13.12.0, & 8.16.0 is mentioned in README(.md) (#32559) #32560
Conversation
… is mentioned in README(.md) Update README.md. Fixes: nodejs#32559
haqer1
changed the title
|
I think this should be merged at present because users encounter 0EFFE1BCEFD9C84E3D098152933B01F40B5CA946 key for the latest LTS release. If they won't encounter it for the next LTS release & going forward, then Myles Borins' key could be updated as needed afterwards... P.S. The point is to make it easier (& less scary) for users. |
Yes, both keys have been used. Based on this point, I'd suggest:
|
|
FYI: alternative fix-up approach is in #32565 (the 2 are mutually exclusive). |
|
Want to dig in on this a bit because I'm very confused. This is the same key I've been using for a while. I have a primary key and a subkey for signing. The documented key is my primary key, not the subkey... both are present when you examine the tag As you can see below. This is no different than a signature I did almost a year ago on the 8.x release line How are you validating the signature and what error are you seeing? |
|
Wanted to also show that on the keyserver the shortkey for both of these return the exact same primary key and show the same fingerprint (that we include in the readme) http://pool.sks-keyservers.net/pks/lookup?search=0xCC11F4C8 |
The command used (as suggested in https://github.com/nodejs/node#verifying-binaries) & the error that a user not having any of these 2 keys (i.e., all new users, etc.) gets is (similar to what's on the bottom of the original issue post (#32559 (comment))): And as i've mentioned on the issue, that's confusing because 0EFFE1BCEFD9C84E3D098152933B01F40B5CA946 key is not listed on the README. Thus a security-concious dude(tte) would be required to spend time on figuring out what's going on. Obviously, that's not how it should be. P.S. This error can be reproduced after importing the relevant key by running (for instance): |
I've spent a few more minutes, & in fact the same situation applies to 8.16.0 & 13.12.0, which is an argument in favor of merging this PR rather than #32565: .../nodejs/8.16.0$ .../nodejs/13.12.0$ |
|
I'll be honest that I'm still not 100% convinced that this is the right thing to do. Pulling my primary key from the keyserver includes the subkey that the releases are signed with, and the subkey has the signature of the primary key which is currently documented. This has worked for 4 years without issue, and even allowed me to move between subkeys that I used to signed without having to update the documentation. Is there someone from the project with more gpg experience who can chime in on what the appropriate thing to do here would be? I don't want to block, but am not going to approve this either without a bit more research. |
|
IMHO: World is confusing enough, & time is a valuable resource. If confusions can be avoided, & time can be economized, it should be done. |
|
@jasnell you seem to also have a primary key in the README but use a separate subkey for signing... thoughts on this? |
|
I think I'm -1 on this change. The instructions are clear that the first necessary step is to import the releaser keys (https://github.com/nodejs/node#release-keys) and once that is done the signature verifies correctly without importing the subkey directly. |
haqer1
changed the title
|
Landed #32591 instead |
Checklist