
Signing releases #150

Open
cinemast opened this issue Jan 27, 2015 · 23 comments

Comments

@cinemast
Contributor

Could you attach gpg signatures to your releases?

e.g. using

gpg --armor --detach-sign 1.3.0.tar.gz

The resulting file 1.3.0.tar.gz.asc can then easily be added to the release via the file upload to attach "binaries" provided by github.

@cinemast
Contributor Author

How can I help you with that?

@cdunn2001
Contributor

I need help from other team members. I expect it to take a couple months for us to change our methodology. The code reversions have priority. Is this a blocker?

@cinemast
Contributor Author

No, not at all, just something that is common in Debian packaging now.

@cdunn2001
Contributor

0.8.0 is signed. Please let me know if that works before I sign other releases. I uploaded the pgp public key 1E069516 to keys.gnupg.net.

@cinemast
Contributor Author

gpg --verify jsoncpp-0.8.0.tar.gz.asc
gpg: assuming signed data in `jsoncpp-0.8.0.tar.gz'
gpg: Signature made Wed 11 Feb 2015 06:49:44 PM CET using RSA key ID 1E069516
gpg: Good signature from "Christopher Dunn <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3FA3 3EE4 5C47 551D 6342  91E8 BE47 603D 1E06 9516

Looks Good!

@cdunn2001
Contributor

Thanks, Peter.

@cinemast
Contributor Author

Hi!

Your current release 0.10.2 does not verify against the signature. Could you take a look at that?

@cdunn2001
Contributor

Bad news. I had my laptop stolen. The keys were password-protected, so no worries. But I might have to create a new signing key. Hopefully I'll have time this weekend.

@cdunn2001
Contributor

I just signed with a new signing key. Try it again.

@cdunn2001 cdunn2001 reopened this Apr 22, 2015
@cinemast
Contributor Author

No. Still bad signature:

gpg --verify jsoncpp-0.10.2.tar.gz.asc
gpg: assuming signed data in `jsoncpp-0.10.2.tar.gz'
gpg: Signature made Mon 27 Apr 2015 06:52:06 AM CEST using RSA key ID 2948AE83
gpg: BAD signature from "Christopher Dunn <[email protected]>"

@cdunn2001
Contributor

That was signed with an older key. It should work now.

@cinemast
Contributor Author

It still doesn't work. How do you create the signature? It was already working in the past.

@cinemast
Contributor Author

$> gpg --recv-keys 3FFC2B3B
gpg: requesting key 3FFC2B3B from hkp server pgp.mit.edu
gpg: key 3FFC2B3B: public key "Christopher Dunn <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

$> gpg --verify jsoncpp-0.10.2.tar.gz.asc
gpg: assuming signed data in `jsoncpp-0.10.2.tar.gz'
gpg: Signature made Mon 29 Jun 2015 07:35:08 AM CEST using RSA key ID 3FFC2B3B
gpg: BAD signature from "Christopher Dunn <[email protected]>"

$> cat jsoncpp-0.10.2.tar.gz.asc 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAABAgAGBQJVkNkMAAoJEHxz/rs//Cs7pOAH/1SYlJkt1iADcDD0EHsie80v
StHjptz5Ebq7le3uTTHiAFAx/5/jFQb1FfA3eBMR4RjNi4sKNtoSYz26/Hz/X3tZ
dOt+uzQn5gLnDA9jRviItWg3yGj+U6iyOgxHN6ZL9wreHg//eeORz8LYf9cgXEOd
8UOKM5gPK7KYcXwv8H6Q5weMvqtsmR8xnqOOChgoQgD+ChhS9p1Oh1rQojWg+Pia
FvvgRh0HwC/0PM6BJY03UBCZnDJWKc1zXwS7dLlhJ53L3B92wbiQNT5TGGiAhKHL
ck/AtpYATiO2QX3HOQtphKTZnb3HGxQg0mh1RMcqYI5X60pnYSqGwCQ0wylpnCE=
=PYDo
-----END PGP SIGNATURE-----

@cdunn2001
Contributor

$ gpg --verify jsoncpp-0.10.2.tar.gz.asc
gpg: assuming signed data in `jsoncpp-0.10.2.tar.gz'
gpg: Signature made Mon Jun 29 00:35:08 2015 CDT using RSA key ID 3FFC2B3B
gpg: Good signature from "Christopher Dunn <[email protected]>"
$ cat jsoncpp-0.10.2.tar.gz.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAABAgAGBQJVkNkMAAoJEHxz/rs//Cs7pOAH/1SYlJkt1iADcDD0EHsie80v
StHjptz5Ebq7le3uTTHiAFAx/5/jFQb1FfA3eBMR4RjNi4sKNtoSYz26/Hz/X3tZ
dOt+uzQn5gLnDA9jRviItWg3yGj+U6iyOgxHN6ZL9wreHg//eeORz8LYf9cgXEOd
8UOKM5gPK7KYcXwv8H6Q5weMvqtsmR8xnqOOChgoQgD+ChhS9p1Oh1rQojWg+Pia
FvvgRh0HwC/0PM6BJY03UBCZnDJWKc1zXwS7dLlhJ53L3B92wbiQNT5TGGiAhKHL
ck/AtpYATiO2QX3HOQtphKTZnb3HGxQg0mh1RMcqYI5X60pnYSqGwCQ0wylpnCE=
=PYDo
-----END PGP SIGNATURE-----
$ md5 jsoncpp-0.10.2.tar.gz
MD5 (jsoncpp-0.10.2.tar.gz) = c7cbf26153ee6d0c3f4d380c2c51f679

Maybe you need to re-download the tarball?
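The situation above (an unchanged .asc that verifies for one copy of the tarball and not another) and the "key is not certified" warning from the 0.8.0 check, as an added example that is not part of the jsoncpp project or of any comment in this thread. It builds a constructed tarball, signs it with a throwaway key in a temporary keyring, verifies against the key's full fingerprint rather than a short key ID, then re-rolls the tarball to show the signature failing while the .asc is byte-for-byte the same. Assumes GnuPG 2.1+ (for --quick-generate-key), tar and sha256sum on PATH.

```shell
#!/bin/sh
# Added example, not jsoncpp project code: reproduce the thread's
# "identical .asc, different tarball" failure and pin the signer's fingerprint.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg is required" >&2; exit 1; }

# Throwaway keyring and work dir so nothing touches the real ~/.gnupg.
export GNUPGHOME="$(mktemp -d)"
WORK="$(mktemp -d)"
trap 'rm -rf "$GNUPGHOME" "$WORK"' EXIT

# Constructed release tarball and a throwaway, unprotected signing key.
mkdir "$WORK/jsoncpp-demo"
echo 'constructed release payload' > "$WORK/jsoncpp-demo/README"
tar -C "$WORK" -czf "$WORK/jsoncpp-demo.tar.gz" jsoncpp-demo
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo Signer <[email protected]>' rsa2048 sign 1d

# The full fingerprint a packager records out of band; a short key ID like
# 1E069516 is not enough to pin a signer.
PINNED_FPR="$(gpg --batch --with-colons --list-keys | awk -F: '/^fpr/ {print $10; exit}')"

# What the maintainer runs: an armored detached signature beside the tarball.
gpg --batch --quiet --armor --detach-sign "$WORK/jsoncpp-demo.tar.gz"

# verify_release <tarball>: "good" only if the signature is valid AND made by the
# pinned key. --status-fd emits machine-readable lines; VALIDSIG carries the full
# fingerprint, so the "key is not certified" warning no longer has to be eyeballed.
verify_release() {
    status="$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null || true)"
    if printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $PINNED_FPR "; then
        echo good
    else
        echo bad
    fi
}
digest() { sha256sum "$1" | cut -d' ' -f1; }

ORIGINAL="$(verify_release "$WORK/jsoncpp-demo.tar.gz")"
DIGEST_BEFORE="$(digest "$WORK/jsoncpp-demo.tar.gz")"

# Re-roll the tarball (what moving a tag does): the .asc is untouched, the bytes are not.
echo 'one more line' >> "$WORK/jsoncpp-demo/README"
tar -C "$WORK" -czf "$WORK/jsoncpp-demo.tar.gz" jsoncpp-demo
REROLLED="$(verify_release "$WORK/jsoncpp-demo.tar.gz")"
DIGEST_AFTER="$(digest "$WORK/jsoncpp-demo.tar.gz")"

printf 'original: %s (%s)\nre-rolled: %s (%s)\n' \
    "$ORIGINAL" "$DIGEST_BEFORE" "$REROLLED" "$DIGEST_AFTER"
```

Comparing the two digests is the same check cdunn2001 did with md5 above; the signature file never changed, the bytes it was made over did.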

@cdunn2001
Contributor

Try this one:

I think I had changed the tag for yours, because I lost the old signing key. But the latest should be signed properly.

@cinemast
Contributor Author

Sorry, it's still not working. Please also ask someone else to verify. I still get bad signatures for 0.10.4.

I don't know what's wrong here. If someone else also has trouble, maybe it is something on your side.
How exactly do you sign your releases?

@cdunn2001
Contributor

I haven't changed the procedure since when it was working. All that changed is the signing key, which I have published.

make -f dev.makefile sign

Please ask also someone else to verify.

Ok.

@cdunn2001
Contributor

Could you try the signature one more time? I just explicitly copy/pasted my public key armor to the MIT server.

I'll try to get someone else to verify over the weekend.

@cdunn2001
Contributor

I'm thinking to switch to GitHub's new "Signature Verification". Any objection?

@cinemast
Contributor Author

cinemast commented May 9, 2016

Well, it's not the same as signing tarballs, but better than having nothing. I will give it a deeper look, but anyway it is your decision.

@baylesj
Contributor

baylesj commented Jun 24, 2019

I have added a GPG key to my account to enable commits to be Signature Verified. Other than adding this to a CONTRIBUTING.md, is there any further action? Should we also be signing tarballs? I'd love to satisfactorily close this issue.

@cinemast
Contributor Author

Signing tarballs would be great.

@baylesj
Contributor

baylesj commented Sep 12, 2024

I would be open to signing tarballs moving forward but we would need to distribute the private key to more contributors or have @cdunn2001 run all releases moving forward.
