Page MenuHomePhabricator

Add keys to source package
ClosedPublic

Authored by jasonbcox on Jan 4 2020, 01:20.

Details

Summary

contrib/gitian-signing contains the fingerprints of the release signing keys as well as a script to check/refresh those keys.
These are useful to users wishing to verify the integrity of their source and binaries.

Inspired by https://reviews.bitcoinabc.org/D4807#116075

Test Plan
ninja package_source
tar -xzvf bitcoin-abc-0.20.10.tar.gz
ls bitcoin-abc-0.20.10/contrib/gitian-signing  # verify files are part of the source package

Diff Detail

Repository
rABC Bitcoin ABC
Branch
gitian-keys-in-src
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 8728
Build 15441: Default Diff Build & Tests
Build 15440: arc lint + arc unit

Event Timeline

deadalnix requested changes to this revision.Jan 4 2020, 22:24

Distributing the keys to verify the authenticity and integrity of a package as part of the package makes the whole procedure pointless.

This revision now requires changes to proceed.Jan 4 2020, 22:24

Distributing the keys to verify the authenticity and integrity of a package as part of the package makes the whole procedure pointless.

While true on the surface, this is not about providing a process for verifying the integrity of a given source package using the keys inside that same package. The intent is to provide versioned keys to users so they can begin to verify downloads from us. Not doing so is an unnecessary hinderance on UX for first-time key importers. Once a user has the keys, they are no longer reliant on the content of the keys file for anything other than updates to the keys. But since they already have a copy of the keys from a previous release, they'll be able to verify that changes to the keys are legit.

I agree with that rationale, in short "if you have any trusted copy of ABC, it contains the keys to verify any new version".

However it seems it might make more sense to have the keys as part of the repo itself, no? Then the keys will also be accessible on e.g., github.

Edit: Oh I see, the key IDs are in the repo indeed -- contrib/gitian-signing/keys.txt

This revision is now accepted and ready to land.Jan 12 2020, 15:59
This revision was automatically updated to reflect the committed changes.