meta: Release tags show as "Unverified" #76228
Comments
rustbot
added
A-meta
|
I don't think so, because the release key is not associated with any particular GitHub user. I suppose @pietroalbini and I could upload it to our accounts, but that seems like a bad idea (it's not our key after all). Realistically GitHub not having the public key doesn't really matter, the signing is targeted more towards local checking for very dedicated people. |
|
Hmm, I wonder what other large projects do. |
|
It looks like with Python the person releasing signs it with their personal key. Same with Node. Though I like Rust's model of signing it with the project's key. Is the release key the same as the key listed on the security policy page? |
|
No, it's a different key. I don't know that we publish it ourselves anywhere, but it is on the OpenPGP key server, for example: https://keys.openpgp.org/search?q=108F66205EAEB0AAA8DD5E1C85AB96E6FA1BE5FE We should probably publish the fingerprint somewhere at least. |
|
Yeah, maybe on the website at the bottom of the page? I wonder why there isn't a way to associate a PGP key with an organization on GitHub... |
We could associate it to @rust-lang-owner, even though we'll also need to add rust-key@ as one of its verified email addresses. |
|
The key is available at https://static.rust-lang.org/rust-key.gpg.ascii btw. |
jyn514
added
T-infra
|
FWIW git and gpg will always claim the key as unverified until you fetch it locally |
|
Since rustbot is now the one releasing, would it make sense to upload the release key fingerprint to rustbot's account? |
See for example the tag for 1.46.0:
Is there any way to remedy that? Likewise, the Git CLI shows:
@rustbot modify labels: A-meta T-release C-bug
The text was updated successfully, but these errors were encountered: