This repository has been archived by the owner on Sep 13, 2022. It is now read-only.

Signing keys #14

Open

yurishkuro opened this issue Apr 18, 2018 · 3 comments

Comments

@yurishkuro
Member

The travis file contains this line:

./travis/prepare-signing.sh $encrypted_677f232983c0_key $encrypted_677f232983c0_iv

I believe in the original repo these variables were defined in Travis itself, rather than being provided via encrypted vars in .travis.yaml (added in jaegertracing/jaeger-client-java#201).

@jpkrohling do you remember what the source of the values was? Did you encode your own keys?

This repo doesn't have these variables anywhere so the automated publishing from tag fails.

@jpkrohling
Collaborator

encrypted_677f232983c0_key comes automatically from Travis. The prepare-signing.sh script, however, takes the key/value as input to decrypt the signing key, used to sign the final artifacts that are uploaded to Nexus (Maven Central).

I expect the encrypted_677f232983c0_key to be repository-dependent, so, the plain text signing-key needs to be encrypted with something like travis encrypt-file signing-key.asc.

It's strange that the repo doesn't have these env vars, but could it be that this repo has no encrypted vars yet? Perhaps this is created on-demand by Travis?

@yurishkuro
Member Author

encrypted_677f232983c0_key comes from Travis, but someone did add it there.

image

I can do the same, but my question was whether we want to use some personal signing-key.asc or did we use a shared one?

@jpkrohling
Collaborator

jpkrohling commented Apr 19, 2018

but someone did add it there

Someone, or something? I think travis encrypt does that on the first run.

my question was whether we want to use some personal signing-key.asc or did we use a shared one?

Looks like we are currently using a personal one:

$ gpg --verify jaeger-core-0.27.0.jar.asc jaeger-core-0.27.0.jar
gpg: Signature made Wed 18 Apr 2018 12:45:06 PM CEST using RSA key ID 9A2E1C5E
gpg: Good signature from "Juraci Paixão Kröhling <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2D10 9718 459E C01B 3C13  5D67 8ECC 15DC 9A2E 1C5E

Same for 0.27.0-RC1:

$ gpg --verify jaeger-core-0.27.0-RC1.jar.asc jaeger-core-0.27.0-RC1.jar
gpg: Signature made Wed 11 Apr 2018 03:44:24 PM CEST using RSA key ID 4F9D21F5
gpg: Can't check signature: public key not found
$ gpg --recv-keys 4F9D21F5
gpg: requesting key 4F9D21F5 from hkp server keys.gnupg.net
gpg: key 4F9D21F5: public key "Pavol Loffay <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

That said, it might be worth considering using a single, trusted key. Something like: [email protected].
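The verification output quoted above shows the trap with signing keys: gpg reports "Good signature" even when the key is not certified, so a consumer who only greps for that string would accept any key that happens to be in their keyring. The script below is an added example (not code from this issue or from the jaeger project) that parses gpg's machine-readable --status-fd output and accepts a signature only when the primary key fingerprint matches a pinned value. It uses the fingerprint quoted in the thread as the pinned value; the status lines it runs on are constructed to mirror the two verification runs above, and the user id, the RC1 key id and the timestamps in them are placeholders, not data from the page.

```shell
#!/bin/sh
# Added example: pin a release signing key by fingerprint instead of trusting
# gpg's human-readable "Good signature" line. Not part of the jaeger project.

# Extract the signer's fingerprint from a VALIDSIG status line.
# VALIDSIG fields: sig-fpr date timestamp expire ver reserved pk-algo hash-algo class [primary-fpr]
# Modern gpg appends the primary key fingerprint as the last field; fall back to the
# signing-key fingerprint (field 3) when that trailing field is absent.
signer_fingerprint() {
    printf '%s\n' "$1" | awk '$2 == "VALIDSIG" { print (length($NF) == 40) ? $NF : $3; exit }'
}

# Report gpg's trust verdict for the key; TRUST_UNDEFINED is the status-fd form of the
# "This key is not certified with a trusted signature!" warning seen in the issue.
trust_level() {
    printf '%s\n' "$1" | awk '$2 ~ /^TRUST_/ { print $2; exit }'
}

# check_fingerprint STATUS_TEXT EXPECTED_FPR
# Returns 0 only when a VALIDSIG line exists and its fingerprint equals EXPECTED_FPR
# (spaces and letter case in the expected value are normalised first).
check_fingerprint() {
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    actual=$(signer_fingerprint "$1")
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    return 1
}

# verify_artifact SIG FILE EXPECTED_FPR: run gpg for real and apply the pinned check.
# --status-fd 1 sends the machine-readable lines to stdout; the exit code of gpg itself
# is deliberately ignored because the fingerprint comparison is the decision.
verify_artifact() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    check_fingerprint "$status" "$3"
}

# Pinned value: the primary key fingerprint quoted in the issue thread.
RELEASE_KEY_FPR='2D10 9718 459E C01B 3C13 5D67 8ECC 15DC 9A2E 1C5E'

# Constructed status output modelled on the 0.27.0 run: good signature from an
# uncertified key. The user id is a placeholder; the long key id is derived from the fingerprint.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 8ECC15DC9A2E1C5E Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 2D109718459EC01B3C135D678ECC15DC9A2E1C5E 2018-04-18 1524048306 0 4 0 1 2 00 2D109718459EC01B3C135D678ECC15DC9A2E1C5E
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed status output modelled on the 0.27.0-RC1 run before the key was fetched:
# signature by a key that is not in the keyring, so no VALIDSIG at all. Key id is a placeholder.
SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0000000000000000 1 2 00 1523454264 9
[GNUPG:] NO_PUBKEY 0000000000000000'

# Demonstration on the constructed samples.
if check_fingerprint "$SAMPLE_GOOD" "$RELEASE_KEY_FPR"; then
    echo "0.27.0: signed by the pinned key (gpg trust verdict: $(trust_level "$SAMPLE_GOOD"))"
fi
if ! check_fingerprint "$SAMPLE_NOKEY" "$RELEASE_KEY_FPR"; then
    echo "0.27.0-RC1: no valid signature from the pinned key"
fi
```

In a release pipeline this would be called as `verify_artifact jaeger-core-0.27.0.jar.asc jaeger-core-0.27.0.jar "$RELEASE_KEY_FPR"`, with the fingerprint stored alongside the build configuration rather than taken from the keyserver. Pinning sidesteps the web-of-trust warning entirely, which is also why a single shared release key, as proposed above, is easier for consumers: there is one fingerprint to publish and check rather than one per maintainer.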
