-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Release PGP key strategy and policy #709
Comments
I have a proposal. We need a rogue server without ssh access and encrypted file system. The server will be placed on the moving truck and will carry the private key on the hard drive. Only if the majority of current TC will sign the message - it'll generate the revocation request. |
@indutny only a single server and truck carrying the entire key? surely you jest! we must split that key up across at least two separate trucks, driven by individuals of different nationalities. |
from this: https://sks-keyservers.net/status/ it looks like pgp.mit.edu is in the sks-keyservers.net pool |
There is a delay of ~30 min after submission before the key propagates to all the servers in the pool. I think that's worth putting up with - a pool of servers should be more reliable than a centralized service. |
I know this is ancient history, but it seems the most appropriate place to report the issue. SKS key servers is a dead project and it is not (and has not been) a reliable mechanism for handling PGP keys for some time, and recently suffered a devastating attack that all but destroyed the network. Instead, a simple solution to distributing the verified release keys for authorized members of the release team would be to publish them to nodejs.org directly and/or to this repo (e.g: to a keys subdirectory). |
There's also a new keyserver maintained by OpenPGP: https://keys.openpgp.org/about/news#2019-06-12-launch (some notes in there about SKS). Not a bad idea putting the keys directly into the repo, and you're probably right that we should migrate our instructions. I don't suppose you'd be up for starting a pull request to make this happen @canterberry? doc/releasekeys/ might be a good place to put them. |
Continuation of #681 but specifically on the topic of PGP keys for signing releases.
Context: release builds come from a git tag of the form
vx.y.z
which is signed by an authorized releaser (seegit tag -v v1.0.4
or any other release tag) with their personal PGP key. Release builds available on iojs.org have a have a SHASUMS256.txt file generated for all downloadable assets (minus the docs/ directory). This file is also signed with the same key that signed the git tag for that release and the signed file is made available as SHASUMS256.txt.asc. An ASCII armoured version of their public key is also made available as SHASUMS256.txt.gpg for convenience.The procedure I put in place in #681 for releases says that:
Questions for discussion:
@bnoordhuis asked if we could
My response is that I don't feel strongly about this but:
@chrisdickinson had trouble submitting to sks-keyservers.net and @indutny suggested https://pgp.mit.edu/ might be a better alternative
My response is:
Both of these points need discussion, I'm labelling this as tc-agenda but please don't take that as a sign that this is only for the TC to discuss. Opinions welcome from those with expertise on this matter.
The text was updated successfully, but these errors were encountered: