Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feat: validate gpg releasers signatures #760

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

Feat: validate gpg releasers signatures #760

wants to merge 3 commits into from

Conversation

UlisesGascon
Copy link
Member

@UlisesGascon UlisesGascon commented Dec 4, 2023
edited
Loading

Notes

This is currently under a draft version. They main objetive is to collect early feedback before creating the final PR (proper linting, tests, etc...)

This is my first time doing changes on NCU so I might be using wrongly the API or breaking any expected convention, please let me know 👍

What is this feature about?

While working on nodejs/Release#966, @RafaelGSS suggested to extend the NCU to review the signatures.

This PR introduce a new command ncu-team check-gpg. This command will check the current releasers team members and the available information in the README.md and make some checks on the status of the individuals keys and if the keys/releasers are properly listed on the README.md

Currently checks included

  • If the Releaser is not included in the README.md
  • If the Releaser key listed in the README is not included in their profile
  • The Release key status:
    • Was revoked?
    • Has expiration date?
    • Is the email different from the README.md?
    • Can sign commits?

Potential additional checks

  • Is the key expired?
  • Is the key is available in hkps://keys.openpgp.org as expected?

Current output
Screenshot 2023-12-04 at 17 44 03

RafaelGSS
RafaelGSS reviewed Dec 4, 2023
View reviewed changes
Copy link
Member

@RafaelGSS RafaelGSS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we run it through a workflow monthly to guarantee we are pinging the ones without a proper signature?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RafaelGSS RafaelGSS RafaelGSS left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@UlisesGascon @RafaelGSS