...Unless I am just blind. Releases at e.g. https://dist.libuv.org/dist/v1.48.0/ include a companion .sign file, yay!
https://github.com/libuv/libuv/blob/v1.x/MAINTAINERS.md lists project maintainers, their GitHub usernames, and their PGP key fingerprints (if any). It also describes how pubkeys are stored in the repo as blobs and then tagged.
The problem is, AFAIK there's no way in the GitHub web UI to access those pubkeys. If you clone the repo, you can see the pubkey tags with git tag --list 'pubkey*', view the contents with git show pubkey-vtjnash or similar just fine. But I can't find a way to access them without cloning the repo. Which is a lot of work to go through for someone (or some tooling) that wants to save keys with which to verify tarballs.
The list of users and fingerprints in MAINTAINERS.md can almost be used another way. Because GitHub user account names are specified, one can hit https://github.com/${github_user}.gpg ... but only for users whose keys are known to GitHub. Some of them are not:
$ # GitHub usernames: the "**Name** ([@user](...))" line that precedes each "GPG key:" line in MAINTAINERS.md
$ for user in $(egrep -B1 'GPG key:' MAINTAINERS.md | sed -n -E 's/.*\*\* +\( *\[@([^] ]+)\].*/\1/p') ; do
echo -n "$user "
# '^mQ' is the base64 start of a public-key packet; it is only present when the user actually uploaded a key
curl -s "https://github.com/${user}.gpg" | egrep -q '^mQ' && echo yes || echo no
done
bnoordhuis no
vtjnash yes
richardlau yes
santigimeno yes
saghul no
trevnorris yes
cjihrig yes
indutny no
[Ugly hack because GitHub always returns "BEGIN PUBLIC KEY BLOCK..." if the user exists, with "Note: This user hasn't uploaded any GPG keys." if there's no key.]
Meanwhile some (a different some) are registered with the https://keys.openpgp.org/ keyservers:
$ # Fingerprints from the "- GPG key: XXXX XXXX ..." lines, with the spaces stripped
$ for key in $(egrep 'GPG key:' MAINTAINERS.md | sed 's/^ *- GPG key: //; s/ (pubkey.*//; s/ //g') ; do
echo -n "$key "
# keys.openpgp.org serves an armored key by full fingerprint; a miss returns no "BEGIN PGP" block
curl -s "https://keys.openpgp.org/vks/v1/by-fingerprint/${key}" | egrep -q 'BEGIN PGP' && echo yes || echo no
done
D77B1E34243FBAF05F8E9CC34F55C8C846AB89B9 yes
AEAD0A4B686767751A0E4AEF34A25FB128246514 yes
CFBB9CA9A5BEAFD70E2B3C5A79A67C55A3679C8B no
C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C yes
612F0EAD9401622379DF4402F28C3C8DA33C03BE yes
FDF519364458319FA8233DC9410E5553AE9BC059 yes
AEFC279A0C9306767E5829A1251CA676820DC7F3 no
94AE36675C464D64BAFA68DD7434390BDBE9B9C5 yes
57353E0DBDAAA7E839B66A1AFF47D5E4AD8B4FDC yes
AF2EEA41EC3447BFDD86FED9D7063CCE19B7E890 yes
Is there a plain old export of the relevant PGP public keys somewhere that's easy to fetch, and I'm just missing it? If not, could at least one of GitHub ${user}.gpg or https://keys.openpgp.org/ publication be standardized please?
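An added example, not code from the libuv project or the issue author: a script that builds the throwaway keyring the post is asking for from the fingerprints in MAINTAINERS.md, importing a key from keys.openpgp.org only when gpg reports a listed fingerprint as the key's primary fingerprint, and then verifies a release against its .sign file. The raw.githubusercontent.com URL for MAINTAINERS.md and the libuv-v<ver>.tar.gz / .tar.gz.sign names under dist.libuv.org are assumptions; the same key_file_allowed check applies to a downloaded <user>.gpg, which may carry keys other than the listed one.

```shell
#!/bin/sh
# Added example (not libuv project code): build a throwaway keyring for a libuv
# release from the fingerprints in MAINTAINERS.md, then verify the .sign file.
set -eu

# Print the 40-hex "GPG key:" fingerprints from a MAINTAINERS.md read on stdin,
# spaces removed and uppercased.
maintainer_fprs() {
    sed -n -E 's/^ *- GPG key: *//; s/ *\(pubkey.*//; s/ //g; /^[0-9A-Fa-f]{40}$/p' \
        | tr 'a-f' 'A-F'
}

# From `gpg --with-colons` listing output on stdin, print only primary-key
# fingerprints (the "fpr" record right after a "pub" record); subkey
# fingerprints are skipped so a key is accepted only under its listed identity.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1 } $1 == "sub" { want = 0 }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if armored key file $1 holds at least one key and every primary
# fingerprint in it is in allow-list file $2 (one fingerprint per line).
key_file_allowed() {
    n=0
    for fpr in $(gpg --batch --with-colons --import-options show-only \
                     --import "$1" 2>/dev/null | primary_fprs); do
        grep -qx "$fpr" "$2" || return 1
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Fetch listed keys by fingerprint, import the acceptable ones into a temporary
# homedir, then verify libuv version $1. The URL layouts are assumptions.
main() {
    ver=$1; work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
    curl -sSfL https://raw.githubusercontent.com/libuv/libuv/v1.x/MAINTAINERS.md \
        | maintainer_fprs > "$work/allowed"
    while read -r fpr; do
        curl -sSf "https://keys.openpgp.org/vks/v1/by-fingerprint/$fpr" > "$work/$fpr.asc" \
            && key_file_allowed "$work/$fpr.asc" "$work/allowed" \
            && gpg --batch --homedir "$work" --import "$work/$fpr.asc" 2>/dev/null \
            || echo "no usable key for $fpr on keys.openpgp.org" >&2
    done < "$work/allowed"
    base="https://dist.libuv.org/dist/v$ver/libuv-v$ver.tar.gz"
    curl -sSfO "$base" && curl -sSfO "$base.sign"
    gpg --batch --homedir "$work" --verify "libuv-v$ver.tar.gz.sign" "libuv-v$ver.tar.gz"
}

if [ $# -gt 0 ]; then main "$1"; fi
```

Run as `sh verify-libuv.sh 1.48.0`; keys whose fingerprint is listed but not published on keys.openpgp.org are reported on stderr, and the final gpg --verify fails if the signer's key was not among the importable ones.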
hlein changed the title from "GPG keys of signers can't be retrieved from https://github.com/ nor https://libuv.org/" to "GPG keys of maintainers can't be retrieved from https://github.com/ nor https://libuv.org/" on Feb 9, 2024.