[1.1] release: add runc.keyring file#3838
Merged. AkihiroSuda merged 8 commits into opencontainers:release-1.1 from cyphar:1.1-release-gpgkeys on Apr 26, 2023.
Conversation
In order to allow any of the maintainers to cut releases for runc, create a keyring file that distributions can use to verify that releases are signed by one of the maintainers. The format matches the gpg-offline format used by openSUSE packaging, but it can be easily imported with "gpg --import" so any distribution should be able to handle this keyring format without issues. Each key includes the GitHub handle of the associated user. There isn't any way for this information to be automatically verified (outside of using something like keybase.io) but since all changes of this file need to be approved by maintainers this is okay for now. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
We need to make sure the release is being signed by a key that is actually listed as a trusted signing key, and we also need to ask the person cutting the release whether the list of trusted keys is acceptable. Also add some verification checks after a release is signed to make sure everything was signed with the correct keys. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
These checks ensure that all of the keys in the runc.keyring list are actually the keys of the specified user and that the users themselves are actually maintainers. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
keyid 5F36C6C61B5460124A75F5A69E18AA267DDB8DB4 This is the signing key I have used for all previous runc releases. You can also verify that this is the key trusted by openSUSE for all of our releases. Ref: https://keyserver.ubuntu.com/pks/lookup?search=5F36C6C61B5460124A75F5A69E18AA267DDB8DB4&fingerprint=on&op=index Ref: https://build.opensuse.org/package/view_file/openSUSE:Factory/runc/runc.keyring?expand=1&rev=54 Signed-off-by: Aleksa Sarai <asarai@suse.de>
keyid C9C370B246B09F6DBCFC744C34401015D1D2D386 This is my personal signing key, which I've used to sign the vast majority of my commits on GitHub. While I usually sign releases using my <asarai@suse.de> signing key, it doesn't hurt to include this key too. Ref: https://keyserver.ubuntu.com/pks/lookup?search=C9C370B246B09F6DBCFC744C34401015D1D2D386&fingerprint=on&op=index Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Probably we still have to make a couple of 1.1 releases.
No
Guess we also need to backport #3840
I think it would be a good idea because it would mean we'd have
Add a little bit more diagnostic information to "make validate-keyring". Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
AkihiroSuda approved these changes on Apr 26, 2023.
@cyphar this needs a rebase
(nevermind, I was able to make github merge it)
Backport of:
In order to allow any of the maintainers to cut releases for runc,
create a keyring file that distributions can use to verify that releases
are signed by one of the maintainers.
The format matches the gpg-offline format used by openSUSE packaging,
but it can be easily imported with
`gpg --import` so any distribution should be able to handle this keyring format without issues.
Each key includes the GitHub handle of the associated user, and a new
verification step is added to CI to ensure that the key is actually one
of the keys the user has registered with GitHub (as well as being a
maintainer).
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
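The CI check described in the commit messages and in the description above (each keyring entry must be a key the named GitHub user has registered, and that user must be a maintainer) can be modelled offline as below. This is an added example, not runc's own `make validate-keyring` script: the `# github: <handle>` comment layout, the `MAINTAINERS` set and the `REGISTERED` table (which stands in for fetching `https://github.com/<handle>.gpg`) are all assumptions, and the armored keys are constructed test packets, not real keys. The fingerprint computation itself is the standard OpenPGP v4 one (RFC 4880, section 12.2).

```python
import base64
import hashlib
import struct

def make_armored_key(n: bytes) -> str:
    """Minimal OpenPGP v4 RSA public-key packet, ASCII-armored (constructed test data, not a usable key)."""
    mpi = lambda b: struct.pack(">H", int.from_bytes(b, "big").bit_length()) + b
    body = b"\x04" + struct.pack(">I", 1_600_000_000) + b"\x01" + mpi(n) + mpi(b"\x01\x00\x01")
    packet = b"\x99" + struct.pack(">H", len(body)) + body  # old-format tag-6 header with 2-byte length
    b64 = base64.b64encode(packet).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{b64}\n-----END PGP PUBLIC KEY BLOCK-----"

def fingerprint(armored: str) -> str:
    """v4 fingerprint (RFC 4880 s12.2): SHA-1 over 0x99, the 2-byte length and the public-key packet body."""
    # Keep only base64 lines: drop the BEGIN/END lines, armor headers ("Version: ...") and the "=CRC" line.
    b64 = [l for l in armored.splitlines() if l and not l.startswith(("-----", "=")) and ":" not in l]
    data = base64.b64decode("".join(b64))
    if data[:1] != b"\x99":
        raise ValueError("expected an old-format public-key packet with a 2-byte length")
    (length,) = struct.unpack(">H", data[1:3])
    return hashlib.sha1(data[:3 + length]).hexdigest().upper()

def parse_keyring(text: str):
    """Yield (handle, armored block); each block follows a '# github: <handle>' comment (assumed layout)."""
    handle, block = None, []
    for line in text.splitlines():
        if line.startswith("# github:"):
            handle = line.split(":", 1)[1].strip()
        elif line.startswith("-----BEGIN") or block:
            block.append(line)
            if line.startswith("-----END"):
                yield handle, "\n".join(block)
                handle, block = None, []

def validate_keyring(text: str, registered: dict, maintainers: set) -> list:
    """List every key that lacks a handle, belongs to a non-maintainer, or is not on that GitHub account."""
    problems = []
    for handle, block in parse_keyring(text):
        fpr = fingerprint(block)
        if handle is None:
            problems.append(f"{fpr}: no GitHub handle comment")
        elif handle not in maintainers:
            problems.append(f"{handle}: not in MAINTAINERS")
        elif fpr not in registered.get(handle, set()):
            problems.append(f"{handle}: {fpr} is not one of that account's GitHub keys")
    return problems

# Constructed sample data: two dummy keys, one listed under a maintainer and one under a non-maintainer.
GOOD_KEY, STRAY_KEY = make_armored_key(b"\xc1" * 16), make_armored_key(b"\xd5" * 16)
KEYRING = f"# github: cyphar\n{GOOD_KEY}\n# github: someone-else\n{STRAY_KEY}\n"
MAINTAINERS = {"cyphar", "kolyshkin"}  # stand-in for the MAINTAINERS file
REGISTERED = {"cyphar": {fingerprint(GOOD_KEY)}}  # stand-in for fetching https://github.com/<handle>.gpg
```

In a real CI job the `REGISTERED` table would be filled by importing each handle's GitHub key export and reading the fingerprints from it; the check logic stays the same.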