MantisBT: master 2b13777c

Author: dregad
Committer: dregad
Branch: master
Timestamp: 2020-04-25 09:30
Parent: master ab440b19
Affected Issues  0022269: Public key for verification should be available
Changeset

KEYS.md: add former developers' PGP keys

Added the public keys used by former developers jreese and dhx to sign
release tags, as well as an old key of vboctor.

Issue 0022269

For future reference, here are the steps and commands used to automate
the process of identifying the missing keys and adding them, as I really
didn't want to manually check all 182 tags in the repository.

  1. Find all annotated tags
    git for-each-ref --format="%(objecttype) %(refname:short)" refs/tags |
        grep ^tag |cut -d" " -f2| sort -V >/tmp/annotated-tags
  2. Get all signed tags (removing annotated tags without signature), with
    GPG verification data on a single line
    cat /tmp/annotated-tags |
        xargs -n1 -I TAG bash -c 'echo "TAG $(git verify-tag TAG |& paste -s)"' |
        grep -v "error: no signature found" >/tmp/signed-tags-data
  3. Identify the missing keys from the tags for which the signature could
    not be checked (i.e. excluding those for which we already have a
    public key). The command prints the number of identified keys.
    cat /tmp/signed-tags-data |
        sed -rn "/gpg: Can't check signature/s/^.*using \w+ key (\w+).*$/\1/p" |
        sort -u |tee /tmp/missing-keys |wc -l
  4. Retrieve the missing keys from keyserver. The command should import
    the same number of keys as identified at step 3.
    cat /tmp/missing-keys |cut -d" " -f1 |xargs gpg --receive-keys
  5. Review, sign and trust the newly added keys.
    cat /tmp/missing-keys |cut -d" " -f1 |xargs -n1 gpg --sign-key
  6. Verify that we have successfully added all the necessary keys: the
    following command should return an empty list.
    cat /tmp/signed-tags-data |cut -d" " -f1 |
        xargs -n1 -I TAG bash -c 'echo "TAG $(git verify-tag TAG |& paste -s)"' |
        grep -v "Good signature"
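As an added example (not part of this commit or of the MantisBT project), the Python below performs the triage of steps 3 and 6 over a constructed sample of the single-line output produced at step 2: it groups tags by the key id gpg reported as missing, and keeps tags with a BAD signature apart from those that merely lack a public key, which the plain `grep -v "Good signature"` at step 6 lists together. Tag names, key ids and user ids in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of /tmp/signed-tags-data from step 2:
# the tag name, a tab, then the lines of `git verify-tag TAG |& paste -s`
# joined by tabs (paste -s uses a tab as its default delimiter).
SIGNED_TAGS_DATA = """\
release-1.2.0\tgpg: Signature made Sat 01 Jan 2011 10:00:00 UTC\tgpg:                using RSA key 0123456789ABCDEF\tgpg: Can't check signature: No public key
release-1.2.1\tgpg: Signature made Sun 02 Jan 2011 10:00:00 UTC\tgpg:                using RSA key 0123456789ABCDEF\tgpg: Can't check signature: No public key
release-2.0.0\tgpg: Signature made Mon 03 Mar 2014 10:00:00 UTC\tgpg:                using DSA key FEDCBA9876543210\tgpg: Good signature from "Example Developer <dev@example.invalid>" [ultimate]
release-2.1.0\tgpg: Signature made Tue 04 Mar 2014 10:00:00 UTC\tgpg:                using RSA key 1111222233334444\tgpg: BAD signature from "Someone <x@example.invalid>" [unknown]
"""

# Same pattern as the sed expression at step 3: the key id gpg used.
KEY_RE = re.compile(r"using \w+ key (\w+)")


def classify(line):
    """Return (tag, status, key_id) for one line of signed-tags data."""
    tag, _, data = line.partition("\t")
    match = KEY_RE.search(data)
    key_id = match.group(1) if match else None
    if "Good signature" in data:
        status = "good"
    elif "Can't check signature" in data:
        status = "missing-key"  # signature present, public key not in keyring
    elif "BAD signature" in data:
        status = "bad"          # key known, signature does not verify
    else:
        status = "unknown"      # anything else deserves a manual look
    return tag, status, key_id


def audit(data):
    """Group tags by verification outcome; missing keys map key id -> tags."""
    result = {"good": [], "bad": [], "unknown": []}
    missing = defaultdict(list)
    for line in data.splitlines():
        if not line.strip():
            continue
        tag, status, key_id = classify(line)
        if status == "missing-key":
            missing[key_id].append(tag)
        else:
            result[status].append(tag)
    result["missing_keys"] = dict(missing)
    return result


if __name__ == "__main__":
    for key, tags in audit(SIGNED_TAGS_DATA)["missing_keys"].items():
        print(key, "needed by", ", ".join(tags))
```

After importing the keys listed under `missing_keys` (step 4), rerun `audit` on fresh step-2 output: the expected end state is an empty `missing_keys` and an empty `bad` list.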
mod - KEYS.md