View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0022269 | mantisbt | security | public | 2017-01-27 12:34 | 2020-05-18 16:04

Field | Value
---|---
Reporter | cm_bt
Assigned To | dregad
Priority | normal
Severity | minor
Reproducibility | N/A
Status | closed
Resolution | fixed
Summary | 0022269: Public key for verification should be available
Description | After downloading the software package for Mantis, you should be able to verify the signature. The signature can be downloaded too (for example mantisbt-1.3.5.tar.gz.asc). But to verify it, you need to know the public key. The key ID is 0A45E2D6. The key should be uploaded to key-servers and it should be somewhere on mantisbt.org. The key's fingerprint should also be publicly available. In the documentation there should be some short information on how to test the signature, for example here: https://www.mantisbt.org/docs/master-1.3.x/en-US/Admin_Guide/html-single/#admin.about.download
Tags | No tags attached.
@vboctor you're the only one who can address this.

Is there any news about this issue? Thanks.

Here is the public key that I use to sign releases. @dregad has validated that he can verify releases using this public key.

Thank you @vboctor. Will you upload it to some key server? If so, it would be cool if you indicated which one in the downloads area. That way, it would be easier for everyone to verify the downloads.

To my knowledge, all the keys used to sign our releases are already available on the SKS pool's keyservers and possibly elsewhere too, see for example keys.gnupg.net for the one @vboctor referenced in 0022269:0063909. That being said, I'm currently working on a KEYS file, listing all the PGP keys ever used for Mantis releases, following the same approach used by the Apache foundation. The file will be bundled within the MantisBT repository (so you will be able to download it from Github), and it will be referenced on our download page as well.

See the following PR

Perfect. Thank you @dregad!
MantisBT: master ab440b19 2020-04-25 08:55

Add KEYS.md: PGP public keys used to sign releases

The file contains basic instructions and lists the PGP public keys of MantisBT Developers, which were used to sign official release packages and the corresponding tags in the Git repository.

Issue 0022269

Affected Issues: 0022269

add - KEYS.md
MantisBT: master 2b13777c 2020-04-25 09:30

KEYS.md: add former developers' PGP keys

Added the public keys used by former developers jreese and dhx to sign release tags, as well as an old key of vboctor.

Issue 0022269

For future reference, here are the steps and commands used to automate the process of identifying the missing keys and adding them, as I really didn't want to manually check all 182 tags in the repository.

1. Find all annotated tags

```
git for-each-ref --format="%(objecttype) %(refname:short)" refs/tags | grep ^tag |cut -d" " -f2| sort -V >/tmp/annotated-tags
```

2. Get all signed tags (removing annotated tags without signature), with GPG verification data on a single line

```
cat /tmp/annotated-tags | xargs -n1 -I TAG bash -c 'echo "TAG $(git verify-tag TAG |& paste -s)"' | grep -v "error: no signature found" >/tmp/signed-tags-data
```

3. Identify the missing keys from the tags for which the signature could not be checked (i.e. excluding those for which we already have a public key). The command prints the number of identified keys.

```
cat /tmp/signed-tags-data | sed -rn "/gpg: Can't check signature/s/^.*using \w+ key (\w+).*$/\1/p" | sort -u |tee /tmp/missing-keys |wc -l
```

4. Retrieve the missing keys from keyserver. The command should import the same number of keys as identified at step 3.

```
cat /tmp/missing-keys |cut -d" " -f1 |xargs gpg --receive-keys
```

5. Review, sign and trust the newly added keys.

```
cat /tmp/missing-keys |cut -d" " -f1 |xargs -n1 gpg --sign-key
```

6. Verify that we have successfully added all the necessary keys: the following command should return an empty list.

```
cat /tmp/signed-tags-data |cut -d" " -f1 | xargs -n1 -I TAG bash -c 'echo "TAG $(git verify-tag TAG |& paste -s)"' | grep -v "Good signature"
```

Affected Issues: 0022269

mod - KEYS.md
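Steps 3 and 6 of the commit message above, reimplemented in Python as an added example (not code from the commit or the MantisBT project): it parses constructed `git verify-tag` output in the one-line-per-tag shape that step 2 produces, collects the key IDs still to be fetched, and goes slightly beyond the `grep -v "Good signature"` filter by separating a missing key from a BAD signature, which need different follow-up. Tag names, key IDs and user IDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample of the file step 2 writes (/tmp/signed-tags-data): one
# line per tag, "<tag> <gpg messages joined by tabs>". Tags, key IDs and
# user IDs are made up for this example.
SIGNED_TAGS_DATA = "\n".join([
    "release-1.2.0 gpg: using RSA key AAAA1111BBBB2222\tgpg: Can't check signature: No public key",
    "release-1.2.1 gpg: using RSA key AAAA1111BBBB2222\tgpg: Can't check signature: No public key",
    'release-1.3.0 gpg: using DSA key CCCC3333DDDD4444\tgpg: Good signature from "Dev <dev@example.invalid>"',
    'release-1.3.1 gpg: using DSA key CCCC3333DDDD4444\tgpg: BAD signature from "Dev <dev@example.invalid>"',
])

# Same pattern as the sed expression in step 3 (\w+ accepts long and short key
# IDs). A key ID only says which key to fetch; trust belongs on the fingerprint.
KEY_ID_RE = re.compile(r"using \w+ key (\w+)")

def parse_signed_tags(data):
    """Split the step-2 file into {tag: gpg output text}."""
    records = {}
    for line in data.splitlines():
        if line.strip():
            tag, _, text = line.partition(" ")
            records[tag] = text
    return records

def classify(text):
    """One tag's gpg result: good, missing-key, bad or unknown."""
    for marker, label in (("Good signature", "good"),
                          ("Can't check signature", "missing-key"),
                          ("BAD signature", "bad")):
        if marker in text:
            return label
    return "unknown"

def missing_keys(records):
    """Step 3: key IDs still to be fetched, mapped to the tags needing them."""
    needed = defaultdict(list)
    for tag, text in records.items():
        if classify(text) == "missing-key":
            match = KEY_ID_RE.search(text)
            if match:
                needed[match.group(1)].append(tag)
    return dict(needed)

def unverified_tags(records):
    """Step 6: tags without a good signature. A 'bad' result is not cured by
    fetching keys and needs investigation before the tag is trusted."""
    return sorted(t for t, text in records.items() if classify(text) != "good")
```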
Website: master bd0b2635 2020-04-25 15:17

Reference KEYS file on Downloads page

Fixes 0022269

Affected Issues: 0022269

mod - download.php