git@vger.kernel.org mailing list mirror (one of many)
* expired key in junio-gpg-pub
@ 2021-09-07 18:12 Jeff King
  2021-09-07 18:20 ` Konstantin Ryabitsev
  2021-09-07 19:49 ` Junio C Hamano
  0 siblings, 2 replies; 7+ messages in thread
From: Jeff King @ 2021-09-07 18:12 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: git

It looks like your signing key is expired, and tag verification fails:

  $ mkdir /tmp/foo
  $ export GNUPGHOME=/tmp/foo
  $ git cat-file blob junio-gpg-pub | gpg --import
  gpg: WARNING: unsafe permissions on homedir '/tmp/foo'
  gpg: keybox '/tmp/foo/pubring.kbx' created
  gpg: key 20D04E5A713660A7: 27 signatures not checked due to missing keys
  gpg: /tmp/foo/trustdb.gpg: trustdb created
  gpg: key 20D04E5A713660A7: public key "Junio C Hamano <gitster@pobox.com>" imported
  gpg: Total number processed: 1
  gpg:               imported: 1
  gpg: no ultimately trusted keys found

  $ git tag -v v2.33.0
  object 225bc32a989d7a22fa6addafd4ce7dcd04675dbf
  type commit
  tag v2.33.0
  tagger Junio C Hamano <gitster@pobox.com> 1629141357 -0700

  Git 2.33
  gpg: WARNING: unsafe permissions on homedir '/tmp/foo'
  gpg: Signature made Mon Aug 16 15:15:57 2021 EDT
  gpg:                using RSA key E1F036B1FEE7221FC778ECEFB0B5E88696AFE6CB
  gpg: Good signature from "Junio C Hamano <gitster@pobox.com>" [unknown]
  gpg:                 aka "Junio C Hamano <junio@pobox.com>" [unknown]
  gpg:                 aka "Junio C Hamano <jch@google.com>" [unknown]
  gpg: Note: This key has expired!
  Primary key fingerprint: 96E0 7AF2 5771 9559 80DA  D100 20D0 4E5A 7136 60A7
       Subkey fingerprint: E1F0 36B1 FEE7 221F C778  ECEF B0B5 E886 96AF E6CB

  $ echo $?
  1

Have you extended the expiration on it? I wasn't able to find any
updates on the keyservers I checked. But regardless, we should probably
ship an updated one via the tag.

-Peff
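
The verification above fails with exit code 1 even though gpg reports a "Good signature", because the signing key had expired; a script that only greps the human-readable output for "Good signature" would get this wrong. The following is an added example, not code from the thread or from git.git: it classifies the machine-readable status records gpg writes on `--status-fd` (which `git verify-tag --raw` forwards on stderr; the record names GOODSIG, EXPKEYSIG, REVKEYSIG, BADSIG and ERRSIG come from gnupg's DETAILS documentation) so that "valid signature, expired key" is distinguished from a bad signature, and it reports which key id the signature was made with so an operator knows which key to refresh. The sample status output is constructed; only the key id, fingerprints and signature timestamp are taken from the output quoted above. The `verify_tag_with_repo_key` helper reproduces the throw-away GNUPGHOME procedure from the message (with 0700 permissions, which avoids the "unsafe permissions" warning) and needs git and gpg, so it is not exercised on the samples.

```shell
#!/bin/sh
# Added example: interpret gpg status records instead of its human-readable
# text, so an expired signing key is reported as such rather than as an
# anonymous failure.

# Verdicts: good | expired-key | revoked-key | bad | error | unknown
classify_gpg_status() {
    # $1: gpg status output, one "[GNUPG:] ..." record per line
    verdict=unknown
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)    verdict=bad; break ;;
            "[GNUPG:] ERRSIG "*)    verdict=error; break ;;
            "[GNUPG:] EXPKEYSIG "*) verdict=expired-key ;;   # good sig, expired key
            "[GNUPG:] REVKEYSIG "*) verdict=revoked-key ;;   # good sig, revoked key
            "[GNUPG:] GOODSIG "*)
                if [ "$verdict" = unknown ]; then verdict=good; fi ;;
        esac
    done <<EOF
$1
EOF
    printf '%s\n' "$verdict"
}

# Key id the signature was made with (GOODSIG/EXPKEYSIG/REVKEYSIG carry it
# as the third field); prints nothing and returns 1 if none is present.
signing_keyid() {
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                set -- $line      # split: [GNUPG:] RECORD KEYID user id...
                printf '%s\n' "$3"
                return 0 ;;
        esac
    done <<EOF
$1
EOF
    return 1
}

# Verify a tag against only the key blob shipped in the repository, inside a
# scratch keyring with 0700 permissions. Needs git and gpg (not run here).
verify_tag_with_repo_key() {
    # $1: ref of the blob holding the ASCII-armored public key, $2: tag name
    scratch=$(mktemp -d) || return 2
    chmod 700 "$scratch"
    git cat-file blob "$1" | GNUPGHOME=$scratch gpg --quiet --import
    # --raw puts the status records on stderr; keep only those.
    status=$(GNUPGHOME=$scratch git verify-tag --raw "$2" 2>&1 >/dev/null) || true
    rm -rf "$scratch"
    classify_gpg_status "$status"
}

# Constructed sample status output (not captured from gpg). Key id, subkey and
# primary fingerprints and the signature timestamp match the thread; the
# KEYEXPIRED timestamp is a placeholder.
SAMPLE_EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1630000000
[GNUPG:] KEY_CONSIDERED 96E07AF25771955980DAD10020D04E5A713660A7 0
[GNUPG:] EXPKEYSIG B0B5E88696AFE6CB Junio C Hamano <gitster@pobox.com>
[GNUPG:] VALIDSIG E1F036B1FEE7221FC778ECEFB0B5E88696AFE6CB 2021-08-16 1629141357 0 4 0 1 8 00 96E07AF25771955980DAD10020D04E5A713660A7'

SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 96E07AF25771955980DAD10020D04E5A713660A7 0
[GNUPG:] GOODSIG B0B5E88696AFE6CB Junio C Hamano <gitster@pobox.com>
[GNUPG:] VALIDSIG E1F036B1FEE7221FC778ECEFB0B5E88696AFE6CB 2021-08-16 1629141357 0 4 0 1 8 00 96E07AF25771955980DAD10020D04E5A713660A7'

SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 96E07AF25771955980DAD10020D04E5A713660A7 0
[GNUPG:] BADSIG B0B5E88696AFE6CB Junio C Hamano <gitster@pobox.com>'

# Demo on the constructed samples.
for s in "$SAMPLE_EXPIRED" "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    printf '%s (signing key %s)\n' "$(classify_gpg_status "$s")" "$(signing_keyid "$s")"
done
```

Against a real checkout the call would be `verify_tag_with_repo_key junio-gpg-pub v2.33.0`; on the state described in this message it prints `expired-key`, which is the case to treat as "refresh the key and re-verify" rather than as a forged tag, while `bad` or `error` should fail the pipeline outright.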


* Re: expired key in junio-gpg-pub
  2021-09-07 18:12 expired key in junio-gpg-pub Jeff King
@ 2021-09-07 18:20 ` Konstantin Ryabitsev
  2021-09-07 19:22   ` Jeff King
  2021-09-07 19:49 ` Junio C Hamano
  1 sibling, 1 reply; 7+ messages in thread
From: Konstantin Ryabitsev @ 2021-09-07 18:20 UTC (permalink / raw)
  To: Jeff King; +Cc: Junio C Hamano, git

On Tue, Sep 07, 2021 at 02:12:53PM -0400, Jeff King wrote:
> Have you extended the expiration on it? I wasn't able to find any
> updates on the keyservers I checked. But regardless, we should probably
> ship an updated one via the tag.

You can get it from here:
https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git/plain/keys/20D04E5A713660A7.asc

-K


* Re: expired key in junio-gpg-pub
  2021-09-07 18:20 ` Konstantin Ryabitsev
@ 2021-09-07 19:22   ` Jeff King
  2021-09-07 19:44     ` Ævar Arnfjörð Bjarmason
  0 siblings, 1 reply; 7+ messages in thread
From: Jeff King @ 2021-09-07 19:22 UTC (permalink / raw)
  To: Konstantin Ryabitsev; +Cc: Junio C Hamano, git

On Tue, Sep 07, 2021 at 02:20:42PM -0400, Konstantin Ryabitsev wrote:

> On Tue, Sep 07, 2021 at 02:12:53PM -0400, Jeff King wrote:
> > Have you extended the expiration on it? I wasn't able to find any
> > updates on the keyservers I checked. But regardless, we should probably
> > ship an updated one via the tag.
> 
> You can get it from here:
> https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git/plain/keys/20D04E5A713660A7.asc

Thanks! That fixes my problem. I do think we should update the in-repo
tag. :)

-Peff


* Re: expired key in junio-gpg-pub
  2021-09-07 19:22   ` Jeff King
@ 2021-09-07 19:44     ` Ævar Arnfjörð Bjarmason
  0 siblings, 0 replies; 7+ messages in thread
From: Ævar Arnfjörð Bjarmason @ 2021-09-07 19:44 UTC (permalink / raw)
  To: Jeff King; +Cc: Konstantin Ryabitsev, Junio C Hamano, git


On Tue, Sep 07 2021, Jeff King wrote:

> On Tue, Sep 07, 2021 at 02:20:42PM -0400, Konstantin Ryabitsev wrote:
>
>> On Tue, Sep 07, 2021 at 02:12:53PM -0400, Jeff King wrote:
>> > Have you extended the expiration on it? I wasn't able to find any
>> > updates on the keyservers I checked. But regardless, we should probably
>> > ship an updated one via the tag.
>> 
>> You can get it from here:
>> https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git/plain/keys/20D04E5A713660A7.asc
>
> Thanks! That fixes my problem. I do think we should update the in-repo
> tag. :)

Note though that when the in-repo tag is updated anyone fetching it will
need to update with --force, and anyone doing fetches of git.git will
see a non-zero exit code on their pulls and fetches without that.

This is due to my 0bc8d71b99e (fetch: stop clobbering existing tags
without --force, 2018-08-31). That change was meant to error on pretty
much this exact scenario...

But to be more gentle does anything rely on that specific name, or would
it perhaps be better to push a new junio-gpg-pub-2021?


* Re: expired key in junio-gpg-pub
  2021-09-07 18:12 expired key in junio-gpg-pub Jeff King
  2021-09-07 18:20 ` Konstantin Ryabitsev
@ 2021-09-07 19:49 ` Junio C Hamano
  2021-09-07 20:30   ` Jeff King
  1 sibling, 1 reply; 7+ messages in thread
From: Junio C Hamano @ 2021-09-07 19:49 UTC (permalink / raw)
  To: Jeff King; +Cc: git

Jeff King <peff@peff.net> writes:

> It looks like your signing key is expired, and tag verification fails:
>
>   $ mkdir /tmp/foo
>   $ export GNUPGHOME=/tmp/foo
>   $ git cat-file blob junio-gpg-pub | gpg --import
>   gpg: WARNING: unsafe permissions on homedir '/tmp/foo'
>   gpg: keybox '/tmp/foo/pubring.kbx' created
>   gpg: key 20D04E5A713660A7: 27 signatures not checked due to missing keys
>   gpg: /tmp/foo/trustdb.gpg: trustdb created
>   gpg: key 20D04E5A713660A7: public key "Junio C Hamano <gitster@pobox.com>" imported
>   gpg: Total number processed: 1
>   gpg:               imported: 1
>   gpg: no ultimately trusted keys found
>
>   $ git tag -v v2.33.0
>   object 225bc32a989d7a22fa6addafd4ce7dcd04675dbf
>   type commit
>   tag v2.33.0
>   tagger Junio C Hamano <gitster@pobox.com> 1629141357 -0700
>
>   Git 2.33
>   gpg: WARNING: unsafe permissions on homedir '/tmp/foo'
>   gpg: Signature made Mon Aug 16 15:15:57 2021 EDT
>   gpg:                using RSA key E1F036B1FEE7221FC778ECEFB0B5E88696AFE6CB
>   gpg: Good signature from "Junio C Hamano <gitster@pobox.com>" [unknown]
>   gpg:                 aka "Junio C Hamano <junio@pobox.com>" [unknown]
>   gpg:                 aka "Junio C Hamano <jch@google.com>" [unknown]
>   gpg: Note: This key has expired!
>   Primary key fingerprint: 96E0 7AF2 5771 9559 80DA  D100 20D0 4E5A 7136 60A7
>        Subkey fingerprint: E1F0 36B1 FEE7 221F C778  ECEF B0B5 E886 96AF E6CB
>
>   $ echo $?
>   1
>
> Have you extended the expiration on it? I wasn't able to find any
> updates on the keyservers I checked. But regardless, we should probably
> ship an updated one via the tag.

I am reasonably sure that I've done an update with pgp.mit.edu when I
refreshed the expiration last time, but apparently I didn't update
the in-tree copy.  I doubt that it is a good practice to ship the
public key used to sign things in the repository in the repository
itself, but if we are not dropping the tag, I agree I should keep it up
to date.

Thanks.


* Re: expired key in junio-gpg-pub
  2021-09-07 19:49 ` Junio C Hamano
@ 2021-09-07 20:30   ` Jeff King
  2021-09-07 20:41     ` Konstantin Ryabitsev
  0 siblings, 1 reply; 7+ messages in thread
From: Jeff King @ 2021-09-07 20:30 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: git

On Tue, Sep 07, 2021 at 12:49:00PM -0700, Junio C Hamano wrote:

> > Have you extended the expiration on it? I wasn't able to find any
> > updates on the keyservers I checked. But regardless, we should probably
> > ship an updated one via the tag.
> 
> I am reasonably sure that I've done an update with pgp.mit.edu when I
> refreshed the expiration last time, but apparently I didn't update
> the in-tree copy.  I doubt that it is a good practice to ship the
> public key used to sign things in the repository in the repository
> itself, but if we are not dropping the tag, I agree I should keep it up
> to date.

Yeah, I agree that it is potentially problematic: it's a circular
dependency, plus updating tags is awkward, per Ævar's other message.

Perhaps we should replace it with instructions on getting the key?

I tried a blind "gpg --recv-keys" and came up with an old version ("not
changed" according to GPG). That hits keys.openpgp.org by default. A lot
of the keyservers used to peer with each other, but I've heard that
there's less of that these days due to key-spamming attacks (but it's
not really something I keep up with).

I admit that I never actually verify git.git's tags anyway (why would I?
I'm fetching unsigned branch tips from your repo constantly anyway). I
only noticed because I was looking for a bug in "git tag -verify
--format". :)

-Peff


* Re: expired key in junio-gpg-pub
  2021-09-07 20:30   ` Jeff King
@ 2021-09-07 20:41     ` Konstantin Ryabitsev
  0 siblings, 0 replies; 7+ messages in thread
From: Konstantin Ryabitsev @ 2021-09-07 20:41 UTC (permalink / raw)
  To: Jeff King; +Cc: Junio C Hamano, git

On Tue, Sep 07, 2021 at 04:30:53PM -0400, Jeff King wrote:
> > I am reasonably sure that I've done an update with pgp.mit.edu when I
> > refreshed the expiration last time, but apparently I didn't update
> > the in-tree copy.  I doubt that it is a good practice to ship the
> > public key used to sign things in the repository in the repository
> > itself, but if we are not dropping the tag, I agree I should keep it up
> > to date.
> 
> Yeah, I agree that it is potentially problematic: it's a circular
> dependency, plus updating tags is awkward, per Ævar's other message.

It's not really as circular as it would appear at the outset -- at least not
any more circular than any other situation, in reality. E.g. my favourite
example:

1. you should verify the checksum of your distro's ISO before installing it
2. the checksum is available over a trusted https:// connection
3. the trust anchors for that https verification come with the browser package
4. which was installed from the ISO you downloaded the last time
5. goto 1

Bootstrapping trust is a hard problem and no matter how you look at it, at
some point you have to just close your eyes and hope that the adversary isn't
one step ahead of you.

So, I'd say putting the key into the git repository itself is fine. After all,
it gets imported into the local PGP keyring on someone's workstation, where it
gets a separate life of its own.

-K
