Release Signing Key Change with 2.11.2


Ward, Evan

Mar 5, 2021, 1:22:29 PM
to jackso...@googlegroups.com
Hi,

First, thank you for making Jackson!

I noticed while upgrading to a newer version of Jackson that the key
used to sign releases changed with release 2.11.2. I checked the
release notes, but didn't see any mention of the change in keys. The
problem is that I can't find the public key anywhere, which leaves me
unable to verify the releases are authentic. So my question is
threefold:

1. Who owns 0x8A10792983023D5D14C93B488D7F1BEC1E2ECAE7 ?

2. Is that key authorized to make Jackson releases?

3. Can you publish it?

Either to a key server such as http://keyserver.ubuntu.com/ or
following Apache's model to a KEYS file in your git repository. Or both
would be even better so that it is easy to access via a standard
protocol and it is clear that it is authorized to make releases for the
Jackson project.

Best Regards,
Evan

Evan Ward

Mar 5, 2021, 1:22:30 PM
to jackson-user
PS Apologies if this is a duplicate post. I didn't see the email I sent arrive to the list.

Tatu Saloranta

Mar 6, 2021, 10:48:27 PM
to jackson-user
On Fri, Mar 5, 2021 at 10:22 AM 'Ward, Evan' via jackson-user
<jackso...@googlegroups.com> wrote:
>
> Hi,
>
> First, thank you for making Jackson!

Hi there!

>
> I noticed while upgrading to a newer version of Jackson that the key
> used to sign releases changed with release 2.11.2. I checked the
> release notes, but didn't see any mention of the change in keys. The
> problem is that I can't find the public key anywhere, which leaves me
> unable to verify the releases are authentic. So my question is
> threefold:
>
> 1. Who owns 0x8A10792983023D5D14C93B488D7F1BEC1E2ECAE7 ?

That would be me, and email associated with it should be
"tatu.sa...@iki.fi".
As per this:

https://keys.openpgp.org/search?q=tatu.saloranta%40iki.fi

and I have tried my best to make it available through that key server.
Apparently there are some oddities in gpg key publishing,
like as per:

https://superuser.com/questions/1485213/gpg-cant-import-key-new-key-but-contains-no-user-id-skipped

> 2. Is that key authorized to make Jackson releases?

Yes.

> 3. Can you publish it?

I was under impression I had done that, but apparently there is no
functioning syncing/merging functionality across
various key servers these days; nor canonical way.

> Either to a key server such as http://keyserver.ubuntu.com/ or

I can try to see how to upload it there.

> following Apache's model to a KEYS file in your git repository. Or both
> would be even better so that it is easy to access via a standard
> protocol and it is clear that it is authorized to make releases for the
> Jackson project.

Do you have an example project I could look at? I think I'd want to
add something on:

https://github.com/FasterXML/jackson/

because there are more than a dozen Jackson repositories and it seems
counterproductive to have to update all of them
when gpg keys expire (previous one expired after 5 years but ideally I
assume keys should be for even shorter timespans).

-+ Tatu +-

>
> Best Regards,
> Evan
>

Ward, Evan

Mar 8, 2021, 10:10:42 AM
to jackso...@googlegroups.com
Hi Tatu,

On Sat, 2021-03-06 at 19:48 -0800, Tatu Saloranta wrote:
> On Fri, Mar 5, 2021 at 10:22 AM 'Ward, Evan' via jackson-user
> <jackso...@googlegroups.com> wrote:
> >
> > Hi,
> >
> > First, thank you for making Jackson!
>
> Hi there!
>
> > I noticed while upgrading to a newer version of Jackson that the key
> > used to sign releases changed with release 2.11.2. I checked the
> > release notes, but didn't see any mention of the change in keys. The
> > problem is that I can't find the public key anywhere, which leaves me
> > unable to verify the releases are authentic. So my question is
> > threefold:
> >
> > 1. Who owns 0x8A10792983023D5D14C93B488D7F1BEC1E2ECAE7 ?
>
> That would be me, and email associated with it should be
> "tatu.sa...@iki.fi".
> As per this:
>
> https://keys.openpgp.org/search?q=tatu.saloranta%40iki.fi

Thanks, somehow I missed that.

> and I have tried my best to make it available through that key server.
> Apparently there are some oddities in gpg key publishing,
> like as per:
>
> https://superuser.com/questions/1485213/gpg-cant-import-key-new-key-but-contains-no-user-id-skipped
>
> > 2. Is that key authorized to make Jackson releases?
>
> Yes.

Thanks for the confirmation.

> > 3. Can you publish it?
>
> I was under impression I had done that, but apparently there is no
> functioning syncing/merging functionality across
> various key servers these days; nor canonical way.
>
> > Either to a key server such as http://keyserver.ubuntu.com/ or
>
> I can try to see how to upload it there.

Thanks, I see it there now.

> > following Apache's model to a KEYS file in your git repository. Or both
> > would be even better so that it is easy to access via a standard
> > protocol and it is clear that it is authorized to make releases for the
> > Jackson project.
>
> Do you have an example project I could look at? I think I'd want to
> add something on:
>
> https://github.com/FasterXML/jackson/
>
> because there are more than a dozen Jackson repositories and it seems
> counterproductive to have to update all of them
> when gpg keys expire (previous one expired after 5 years but ideally I
> assume keys should be for even shorter timespans).

Yes, makes sense. There doesn't seem to be much consensus on how to attribute which keys are authorized to make releases.

Apache has a KEYS file in their SVN repository that only committers can update. E.g. [1]. It's similar to the idea behind Let's Encrypt. Prove that you can edit a file that only a person trusted to make a release could edit (i.e. the KEYS file in SVN, or in your case a file in your GitHub repository), then that key will be trusted to make releases.

I've also seen people upload it to their GitHub profile. Similar idea with the advantage that GitHub will show a check mark next to your commits if you sign them. Your public keys are then published at [2]. Then it can be checked that the person who made the release commit signed it with a key listed in their GitHub profile.

Other projects don't seem to publish which keys are trusted to make releases, so that is when I ask on the mailing list. :)

Thanks again for making Jackson!

Regards,
Evan

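The check Evan describes above (trust a release only if its signature was made by a key you have pinned, whether learned from a KEYS file or from the GitHub gpg_keys endpoint [2]), as an added example that is not code from the Jackson project or from either poster. It assumes gpg is installed, that the artifact and its detached .asc signature are local files, and the sample status output is constructed, not captured from a real run.

```python
import json
import subprocess
import urllib.request

# The fingerprint Evan asked about, canonicalised (no 0x prefix, upper-case).
TRUSTED_FINGERPRINTS = {"8A10792983023D5D14C93B488D7F1BEC1E2ECAE7"}

def normalize_fpr(fpr: str) -> str:
    """Accept '0x...', space-grouped or lower-case input; return 40 hex chars."""
    f = fpr.strip().replace(" ", "").upper()
    if f.startswith("0X"):
        f = f[2:]
    if len(f) != 40 or any(c not in "0123456789ABCDEF" for c in f):
        raise ValueError(f"not a v4 OpenPGP fingerprint: {fpr!r}")
    return f

def signer_fingerprints(status_output: str) -> set:
    """Primary-key fingerprints of each good signature in 'gpg --status-fd' output.
    VALIDSIG appears only for a verified signature; its last field is the primary
    key fingerprint (the first field may be a signing subkey)."""
    fprs = set()
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            fprs.add(normalize_fpr(parts[11] if len(parts) >= 12 else parts[2]))
    return fprs

def release_is_trusted(status_output: str, trusted=TRUSTED_FINGERPRINTS) -> bool:
    """True only for a good signature by a pinned key. A zero exit from
    'gpg --verify' is not enough: it accepts any key in the local keyring."""
    return bool(signer_fingerprints(status_output) & {normalize_fpr(t) for t in trusted})

def verify_artifact(artifact: str, signature: str) -> bool:
    """Verify an artifact (e.g. a release jar) against its detached .asc signature."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True)
    return release_is_trusted(proc.stdout)

def github_profile_keys(user: str) -> list:
    """Armored keys from a GitHub profile ([2] in the thread); feed to 'gpg --import'
    before verify_artifact(). 'raw_key' is the field name in that API's response."""
    with urllib.request.urlopen(f"https://api.github.com/users/{user}/gpg_keys") as r:
        return [k["raw_key"] for k in json.load(r) if k.get("raw_key")]

# Constructed status output (not from a real run) for a signature by the pinned key.
SAMPLE_STATUS = (
    "[GNUPG:] VALIDSIG 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7 2021-03-05 "
    "1614946949 0 4 0 1 10 00 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7\n"
)
```

Rotating the key later (as Tatu mentions for 2022) then means adding the new fingerprint to TRUSTED_FINGERPRINTS from the published KEYS file or profile, not merely importing it.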
Tatu Saloranta

Mar 8, 2021, 2:42:38 PM
to jackson-user
On Mon, Mar 8, 2021 at 7:10 AM 'Ward, Evan' via jackson-user
<jackso...@googlegroups.com> wrote:
>
> Hi Tatu,
>
> On Sat, 2021-03-06 at 19:48 -0800, Tatu Saloranta wrote:
> > On Fri, Mar 5, 2021 at 10:22 AM 'Ward, Evan' via jackson-user
> > <jackso...@googlegroups.com> wrote:
> > >
> > > Hi,
> > >
> > > First, thank you for making Jackson!
> >
> > Hi there!
> >
> > > I noticed while upgrading to a newer version of Jackson that the key
> > > used to sign releases changed with release 2.11.2. I checked the
> > > release notes, but didn't see any mention of the change in keys. The
> > > problem is that I can't find the public key anywhere, which leaves me
> > > unable to verify the releases are authentic. So my question is
> > > threefold:
> > >
> > > 1. Who owns 0x8A10792983023D5D14C93B488D7F1BEC1E2ECAE7 ?
> >
> > That would be me, and email associated with it should be
> > "tatu.sa...@iki.fi".
> > As per this:
> >
> > https://keys.openpgp.org/search?q=tatu.saloranta%40iki.fi
>
> Thanks, somehow I missed that.

It is a bit obscure; searching by hash did not quite seem to work...
I am still not 100% sure what the best way to verify accessibility would be.
But at least I know now to get others involved when I need to switch
keys again later in 2022,
so double-check that they can see keys (I obviously can as my local
system has them).

> > and I have tried my best to make it available through that key server.
> > Apparently there are some oddities in gpg key publishing,
> > like as per:
> >
> > https://superuser.com/questions/1485213/gpg-cant-import-key-new-key-but-contains-no-user-id-skipped
> >
> > > 2. Is that key authorized to make Jackson releases?
> >
> > Yes.
>
> Thanks for the confirmation.
>
> > > 3. Can you publish it?
> >
> > I was under impression I had done that, but apparently there is no
> > functioning syncing/merging functionality across
> > various key servers these days; nor canonical way.
> >
> > > Either to a key server such as http://keyserver.ubuntu.com/ or
> >
> > I can try to see how to upload it there.
>
> Thanks, I see it there now.

Ok good.

> > > following Apache's model to a KEYS file in your git repository. Or both
> > > would be even better so that it is easy to access via a standard
> > > protocol and it is clear that it is authorized to make releases for the
> > > Jackson project.
> >
> > Do you have an example project I could look at? I think I'd want to
> > add something on:
> >
> > https://github.com/FasterXML/jackson/
> >
> > because there are more than a dozen Jackson repositories and it seems
> > counterproductive to have to update all of them
> > when gpg keys expire (previous one expired after 5 years but ideally I
> > assume keys should be for even shorter timespans).
>
> Yes, makes sense. There doesn't seem to be much consensus on how to attribute which keys are authorized to make releases.

Makes sense.

> Apache has a KEYS file in their SVN repository that only committers can update. E.g. [1]. It's similar to the idea behind Let's Encrypt. Prove that you can edit a file that only a person trusted to make a release could edit (i.e. the KEYS file in SVN, or in your case a file in your GitHub repository), then that key will be trusted to make releases.
>
> I've also seen people upload it to their GitHub profile. Similar idea with the advantage that GitHub will show a check mark next to your commits if you sign them. Your public keys are then published at [2]. Then it can be checked that the person who made the release commit signed it with a key listed in their GitHub profile.
>
> Other projects don't seem to publish which keys are trusted to make releases, so that is when I ask on the mailing list. :)

Yes, I think that is a good idea as this helps other users as well. I
have been asked about the new key off-channel as well.
I'll try to figure out ways to improve this aspect as well; right now
I don't think there are other active developers with more experience
on things like release management, so I am learning as we go. :-)

> Thanks again for making Jackson!

You are welcome!

-+ Tatu +-

>
> Regards,
> Evan
>
> [1] https://dist.apache.org/repos/dist/release/commons/KEYS
> [2] https://api.github.com/users/cowtowncoder/gpg_keys
>
> > -+ Tatu +-
> >
> > > Best Regards,
> > > Evan