Commit Graph

2 Commits

Author SHA1 Message Date
Todd Zullinger
7c95c76e49 Update Junio's GPG key
The expiration of the signing subkey was recently extended.  Ensure
we're using a current copy of the key to avoid any output from gpg
stating that the key is expired.

While our current usage of gpgv2 is not affected by the expired signing
subkey, anyone importing the key and using 'gpg2 --verify' would see
'Note: This key has expired!' in the output.

For reference, here is the process used to update the key:

    (cd ~/src/git && git cat-file blob junio-gpg-pub | gpg2 --import)
    fpr='96E07AF25771955980DAD10020D04E5A713660A7'
    gpg2 --keyserver hkp://keys.gnupg.net --refresh-keys $fpr
    gpg2 --export-options export-minimal --no-emit-version --armor \
         --export $fpr > gpgkey-junio.asc

Here is the output from gpg2 --list-sigs¹ before:

    pub   rsa4096/20D04E5A713660A7 2011-10-01 [SC]
	  Key fingerprint = 96E0 7AF2 5771 9559 80DA  D100 20D0 4E5A 7136 60A7
    uid                            Junio C Hamano <gitster@pobox.com>
    sig 3        20D04E5A713660A7 2011-10-01 never       Junio C Hamano <gitster@pobox.com>
    uid                            Junio C Hamano <junio@pobox.com>
    sig 3        20D04E5A713660A7 2011-10-01 never       Junio C Hamano <gitster@pobox.com>
    uid                            Junio C Hamano <jch@google.com>
    sig 3        20D04E5A713660A7 2011-10-01 never       Junio C Hamano <gitster@pobox.com>
    sub   rsa4096/B0B5E88696AFE6CB 2011-10-03 [S] [expired: 2015-09-21]
	  Key fingerprint = E1F0 36B1 FEE7 221F C778  ECEF B0B5 E886 96AF E6CB
    sig          20D04E5A713660A7 2014-09-21 never       Junio C Hamano <gitster@pobox.com>

and after:

    pub   rsa4096/20D04E5A713660A7 2011-10-01 [SC]
	  Key fingerprint = 96E0 7AF2 5771 9559 80DA  D100 20D0 4E5A 7136 60A7
    uid                            Junio C Hamano <gitster@pobox.com>
    sig 3        20D04E5A713660A7 2011-10-01 never       Junio C Hamano <gitster@pobox.com>
    uid                            Junio C Hamano <junio@pobox.com>
    sig 3        20D04E5A713660A7 2011-10-01 never       Junio C Hamano <gitster@pobox.com>
    uid                            Junio C Hamano <jch@google.com>
    sig 3        20D04E5A713660A7 2011-10-01 never       Junio C Hamano <gitster@pobox.com>
    sub   rsa4096/B0B5E88696AFE6CB 2011-10-03 [S] [expires: 2020-07-26]
	  Key fingerprint = E1F0 36B1 FEE7 221F C778  ECEF B0B5 E886 96AF E6CB
    sig          20D04E5A713660A7 2017-07-27 never       Junio C Hamano <gitster@pobox.com>
    sub   rsa4096/86B76D5D833262C4 2011-10-01 [E]
	  Key fingerprint = 1843 AEC2 2DD5 6B75 E554  3FEF 86B7 6D5D 8332 62C4
    sig          20D04E5A713660A7 2011-10-01 never       Junio C Hamano <gitster@pobox.com>
    sub   rsa4096/7594EEC7B3F7CAC9 2014-09-20 [S] [expires: 2020-07-26]
	  Key fingerprint = DC3D 6C01 251E CA4B 1200  A7EE 7594 EEC7 B3F7 CAC9
    sig          20D04E5A713660A7 2017-07-27 never       Junio C Hamano <gitster@pobox.com>

¹ The full gpg2 command used was:
  gpg2 --no-options --keyid-format long --with-fingerprint --with-subkey-fingerprint --list-options "show-sig-expire show-sig-subpackets show-unusable-uids show-unusable-subkeys no-show-uid-validity" --list-sigs 20D04E5A713660A7
2017-09-18 13:07:51 -04:00
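The commit above refreshes the key so that the signing subkey no longer shows as expired. An added example, not part of this repository, that parses the `gpg2 --keyid-format long --with-fingerprint --list-sigs` listing format shown in the message and reports each signing-capable key as expired, expiring within a warning window, or ok; the sample input is a constructed, trimmed copy of the "after" listing:

```python
import re
from datetime import date, timedelta

# Matches pub/sub lines of `gpg2 --keyid-format long --list-sigs` output, e.g.
# "sub   rsa4096/B0B5E88696AFE6CB 2011-10-03 [S] [expired: 2015-09-21]".
KEY_LINE = re.compile(
    r"^\s*(?P<kind>pub|sub)\s+\w+/(?P<keyid>[0-9A-F]{16})\s+"
    r"(?P<created>\d{4}-\d{2}-\d{2})\s+\[(?P<usage>[A-Z]+)\]"
    r"(?:\s+\[(?:expires|expired):\s+(?P<expiry>\d{4}-\d{2}-\d{2})\])?"
)
FPR_LINE = re.compile(r"^\s*Key fingerprint = ([0-9A-F ]+)$")

# Constructed sample input: a trimmed copy of the "after" listing in the commit message.
SAMPLE = """\
pub   rsa4096/20D04E5A713660A7 2011-10-01 [SC]
      Key fingerprint = 96E0 7AF2 5771 9559 80DA  D100 20D0 4E5A 7136 60A7
sub   rsa4096/B0B5E88696AFE6CB 2011-10-03 [S] [expires: 2020-07-26]
sub   rsa4096/86B76D5D833262C4 2011-10-01 [E]
sub   rsa4096/7594EEC7B3F7CAC9 2014-09-20 [S] [expires: 2020-07-26]
"""

def parse_listing(text):
    """Return one dict per pub/sub line; expiry is a date or None (never expires)."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            k = m.groupdict()
            k["expiry"] = date.fromisoformat(k["expiry"]) if k["expiry"] else None
            k["fingerprint"] = None
            keys.append(k)
        elif keys and (f := FPR_LINE.match(line)):
            keys[-1]["fingerprint"] = f.group(1).replace(" ", "")
    return keys

def signing_key_status(text, today, warn_days=30):
    """Map each key carrying the S (sign) usage flag to 'expired', 'expiring' or 'ok'."""
    status = {}
    for k in parse_listing(text):
        if "S" not in k["usage"]:
            continue  # encryption-only subkeys never produced tarball signatures
        exp = k["expiry"]
        if exp is None or exp - today > timedelta(days=warn_days):
            status[k["keyid"]] = "ok"
        elif exp < today:
            status[k["keyid"]] = "expired"
        else:
            status[k["keyid"]] = "expiring"
    return status
```

For scripting against a live keyring, gpg's `--with-colons` output is the stable machine-readable form; the human-readable layout parsed here is the one the commit message quotes.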
Todd Zullinger
f5bc9a8383 Check upstream GPG signatures in %prep
Many years ago, the GPG signature file was included in the source list¹.
A compromise at kernel.org caused the tarballs to move to googlecode.com
for a number of releases and the signatures were not provided in an
easily downloaded format².  When the source location was moved back to
kernel.org, the signature file had already been removed from the spec
file and was not re-added³.

There is an effort underway to make GPG signature verification a
requirement when upstream provides signatures⁴.  Regardless of whether
this becomes a requirement in the packaging guidelines, verification of
upstream signatures makes good sense.  It also makes the process easier
for git package maintainers, who are (or should be ;) doing this
manually for each upstream git release.

While adding the signatures to the source list, all non-upstream source
files were moved to Source10 and above.  This should make it easier to
add new upstream source files in the future, avoiding the need for
tedious (and error-prone) renumbering of existing sources.

Remove the unused entry for Patch14 also.

¹ ea3f253 Include gpg signature for tarball in SRPM (2011-08-26)
² c57f383 Update to 1.7.9.1 (2012-02-15)
³ b741f45 Change source URLs, as googlecode doesn't have up-to-date
           tarballs (2014-06-10)
⁴ https://fedorahosted.org/fpc/ticket/610
  https://fedoraproject.org/wiki/PackagingDrafts:GPGSignatures
  https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/2TBK4LLNRH73QJQSXWFPCQYHGTSJ3C7P/
2016-03-27 21:31:56 -04:00