Either ensure that specific GPG keys used to sign releases are mentioned in README(.md) or indicate that the key could be a sub-key of a key listed (which itself isn't listed), with a sentence or 2 to minimize the time spent on sub-key aspect, if applicable #32559
Comments
… is mentioned in README(.md) Update README.md. Fixes: nodejs#32559
|
I see that the 2 keys are related. Yet, it's confusing to see a key that's not documented on the README: this requires the user to spend extra time on verifying what's going on. P.S. All the other release developers have 1 key each on README, so i'm not sure whether listing both related keys for 1 release developers is an option (although it would be sufficient for verification purposes). My 2 cents. |
|
@haqer1 problem with GPG/PGP keys is being discussed for a long time now:
It looks like there will be a separate repository for release keys (although it still would need to be kept up-to-date with whatever key is used to sign releases), as proposed by @canterberry: It just takes forever to finalize :( |
… is mentioned in README(.md) (alternative approach) Update README.md. Fixes: nodejs#32559
haqer1
changed the title
…sed to sign a release could be a sub-key of a key listed in README(.md) (which itself isn't listed in it) Update README.md. Fixes: nodejs#32559
|
I've installed a lot of software & until this nodejs installation i've never seen a sub-key of a key listed on the software provider's site (which itself isn't listed) having been used to sign a release: IMHO, this is confusing & leads to waste of time. Therefore,
|
…d to import a key used to sign a release & check whether it is a sub-key of a primary key listed in README(.md) (which itself isn't listed in it)... Addition README.md update Fixes: nodejs#32559
…d to import a key used to sign a release & check whether it is a sub-key of a primary key listed in README(.md) (which itself isn't listed in it)... Additional README.md update Fixes: nodejs#32559
…d to import the full set of trusted release keys (rather than an individual key) Additional README.md update Fixes: nodejs#32559
haqer1
changed the title
PR-URL: nodejs#32591 Fixes: nodejs#32559 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com>
…d to import the full set of trusted release keys (rather than an individual key) (reconciled with another suggestion from code review) The OP finds his original suggestion more descriptive & more user-friendly, but prefers to move on since that suggestion is stalled in favor of much shorter verbiage Co-Authored-By: Myles Borins <mylesborins@google.com> Fixes: nodejs#32559
…d to import the full set of trusted release keys (rather than an individual key) (reconciled with another suggestion from code review) The OP finds his original suggestion more descriptive & more user-friendly, but prefers to move on since that suggestion is stalled in favor of much shorter verbiage. This version also splits the line at 80 characters to comply with lint-md. Co-Authored-By: Myles Borins <mylesborins@google.com> Fixes: nodejs#32559
What steps will reproduce the bug?
gpg --verify SHASUMS256.txt.sig
What is the expected behavior?
Key used should be mentioned on README(.md).
What do you see instead?
gpg --verify SHASUMS256.txt.sig
gpg: assuming signed data in 'SHASUMS256.txt'
gpg: Signature made ...
gpg: using RSA key 0EFFE1BCEFD9C84E3D098152933B01F40B5CA946
I.e., key is not mentioned on README.
The text was updated successfully, but these errors were encountered: