Page MenuHomePhabricator

Add keys to source package
ClosedPublic

Authored by jasonbcox on Sat, Jan 4, 01:20.

Details

Reviewers
deadalnix
Group Reviewers
Restricted Project
Commits
rABC67412d1ef956: Add keys to source package
Summary

contrib/gitian-signing contains the fingerprints of the release signing keys as well as a script to check/refresh those keys.
These are useful to users wishing to verify the integrity of their source and binaries.

Inspired by https://reviews.bitcoinabc.org/D4807#116075

Test Plan
ninja package_source
tar -xzvf bitcoin-abc-0.20.10.tar.gz
ls bitcoin-abc-0.20.10/contrib/gitian-signing  # verify files are part of the source package

Diff Detail

Repository
rABC Bitcoin ABC
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

jasonbcox created this revision.Sat, Jan 4, 01:20
Herald added a reviewer: Restricted Project. · View Herald TranscriptSat, Jan 4, 01:20
deadalnix requested changes to this revision.Sat, Jan 4, 22:24

Distributing the keys to verify the authenticity and integrity of a package as part of the package makes the whole procedure pointless.

This revision now requires changes to proceed.Sat, Jan 4, 22:24
jasonbcox requested review of this revision.Mon, Jan 6, 16:56

Distributing the keys to verify the authenticity and integrity of a package as part of the package makes the whole procedure pointless.

While true on the surface, this is not about providing a process for verifying the integrity of a given source package using the keys inside that same package. The intent is to provide versioned keys to users so they can begin to verify downloads from us. Not doing so is an unnecessary hinderance on UX for first-time key importers. Once a user has the keys, they are no longer reliant on the content of the keys file for anything other than updates to the keys. But since they already have a copy of the keys from a previous release, they'll be able to verify that changes to the keys are legit.

markblundeberg added a subscriber: markblundeberg.EditedSun, Jan 12, 08:33

I agree with that rationale, in short "if you have any trusted copy of ABC, it contains the keys to verify any new version".

However it seems it might make more sense to have the keys as part of the repo itself, no? Then the keys will also be accessible on e.g., github.

Edit: Oh I see, the key IDs are in the repo indeed -- contrib/gitian-signing/keys.txt

deadalnix accepted this revision.Sun, Jan 12, 15:59
This revision is now accepted and ready to land.Sun, Jan 12, 15:59
This revision was automatically updated to reflect the committed changes.