Posted to dev@subversion.apache.org by Mark Phippard <ma...@gmail.com> on 2022/04/10 16:30:49 UTC

Question on release announcement mail

Looking at past release announcements, they include a section on who
signed the release that looks like this:

   Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
    8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973
   Branko Čibej [4096R/1BCA6586A347943F] with fingerprint:
    BA3C 15B1 337C F0FB 222B  D41A 1BCA 6586 A347 943F
   Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
    8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD

I am kind of at a loss for how to produce this information. Assuming
those three used the same keys as in the past, I would need to know
what this should look like for:

me
Nathan
Julian

... and possibly Daniel Sahlberg if he sends in a signature.  Our KEYS
file only includes the fingerprint.

I have tried a few commands that sort of give me this info but the
output is so different I am not sure if I would reproduce it
correctly.

Thanks

Mark

Re: Question on release announcement mail

Posted by Julian Foad <ju...@apache.org>.
Mark Phippard wrote:
>Looking at past release announcements, they include a section on who
>signed the release that looks like this: [...]
>I am kind of at a loss for how to produce this information. [...]
There's a 'release.py' subcommand that writes this email for you, if I recall correctly.
- Julian

Re: Question on release announcement mail

Posted by Daniel Sahlberg <da...@gmail.com>.
Den sön 10 apr. 2022 kl 18:31 skrev Mark Phippard <ma...@gmail.com>:

> Looking at past release announcements, they include a section on who
> signed the release that looks like this:
>
>    Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
>     8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973
>    Branko Čibej [4096R/1BCA6586A347943F] with fingerprint:
>     BA3C 15B1 337C F0FB 222B  D41A 1BCA 6586 A347 943F
>    Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
>     8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD
>
> I am kind of at a loss for how to produce this information. Assuming
> those three used the same keys as in the past, I would need to know
> what this should like for:
>
> me
> Nathan
> Julian
>
> ... and possibly Daniel Sahlberg if he sends in a signature.  Our KEYS
> file only includes the fingerprint.
>

Sorry, but I don't expect that I will be able to sign. I'm having trouble
setting up my Win build, nothing related to the release but rather my env,
and I've had very limited time to put into this. I'll continue the effort
and hope I'll be able to sign in the future.

/Daniel

Re: Question on release announcement mail

Posted by Branko Čibej <br...@apache.org>.
On 10.04.2022 22:38, Mark Phippard wrote:
> On Sun, Apr 10, 2022 at 4:37 PM Branko Čibej <br...@apache.org> wrote:
>> On 10.04.2022 22:26, Branko Čibej wrote:
>>> On 10.04.2022 22:02, Mark Phippard wrote:
>>>> On Sun, Apr 10, 2022 at 3:27 PM Daniel Shahaf
>>>> <d....@daniel.shahaf.name> wrote:
>>>>> Mark Phippard wrote on Sun, Apr 10, 2022 at 15:16:58 -0400:
>>>>>> So I was wondering how, using the gpg command. I can get the other
>>>>>> elements we include .. such as: Stefan Sperling
>>>>>> [2048R/4F7DBAA99A59B973]
>>>>> They're generated by release.py:get_siginfo() which is called by
>>>>> write_announcement(), so, «release.py write-announcement» is the right
>>>>> answer.  (I just grepped for "with fingerprint:".)
>>>>>
>>>>>> A problem I am having is with my key. I have to run the
>>>>>> write-announcement in my Docker image but that has an old version of
>>>>>> GPG that does not know what to do with my key.
>>>>> Install gpg from backports, or run write-announcement elsewhere?
>>>>> I don't see why you couldn't run it anywhere you have a wc of
>>>>> /dist/release.
>>>> Even on a system with a GnuPG that understands my key the Python
>>>> script does not:
>>>>
>>>> Traceback (most recent call last):
>>>>     File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
>>>> line 1917, in <module>
>>>>       main()
>>>>     File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
>>>> line 1913, in main
>>>>       args.func(args)
>>>>     File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
>>>> line 1272, in write_announcement
>>>>       siginfo = get_siginfo(args, True)
>>>>     File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
>>>> line 1421, in get_siginfo
>>>>       formatter = PUBLIC_KEY_ALGORITHMS[keytype]
>>>> KeyError: 22
>>>
>>> I haven't found a version of Python gnupg that knows what to do with
>>> your EDDSA key, whereas 'gpg --verify' works fine.
>> Actually it's not the gnupg module but our release.py script that does
>> the formatting, and it only supports RSA keys. Interestingly enough,
>> EDDSA (that you use) doesn't seem to be registered at IANA.
>>
>> Try release.py from trunk r1899717, I added a quick hack to format your key.
> Thanks, I saw the commit. It works for me now:
>
>     Mark Phippard [255EDD/C4416167349A3BCB] with fingerprint:
>      EC25 FCC1 0561 8D04 ADB4  3429 C441 6167 349A 3BCB

We should consider fixing our formatter to generate key names the same 
way that GnuPG does, I guess, but for now ... good enough.

Re: Question on release announcement mail

Posted by Mark Phippard <ma...@gmail.com>.
On Sun, Apr 10, 2022 at 4:37 PM Branko Čibej <br...@apache.org> wrote:
>
> On 10.04.2022 22:26, Branko Čibej wrote:
> > On 10.04.2022 22:02, Mark Phippard wrote:
> >> On Sun, Apr 10, 2022 at 3:27 PM Daniel Shahaf
> >> <d....@daniel.shahaf.name> wrote:
> >>> Mark Phippard wrote on Sun, Apr 10, 2022 at 15:16:58 -0400:
> >>>> So I was wondering how, using the gpg command. I can get the other
> >>>> elements we include .. such as: Stefan Sperling
> >>>> [2048R/4F7DBAA99A59B973]
> >>> They're generated by release.py:get_siginfo() which is called by
> >>> write_announcement(), so, «release.py write-announcement» is the right
> >>> answer.  (I just grepped for "with fingerprint:".)
> >>>
> >>>> A problem I am having is with my key. I have to run the
> >>>> write-announcement in my Docker image but that has an old version of
> >>>> GPG that does not know what to do with my key.
> >>> Install gpg from backports, or run write-announcement elsewhere?
> >>> I don't see why you couldn't run it anywhere you have a wc of
> >>> /dist/release.
> >> Even on a system with a GnuPG that understands my key the Python
> >> script does not:
> >>
> >> Traceback (most recent call last):
> >>    File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
> >> line 1917, in <module>
> >>      main()
> >>    File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
> >> line 1913, in main
> >>      args.func(args)
> >>    File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
> >> line 1272, in write_announcement
> >>      siginfo = get_siginfo(args, True)
> >>    File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
> >> line 1421, in get_siginfo
> >>      formatter = PUBLIC_KEY_ALGORITHMS[keytype]
> >> KeyError: 22
> >
> >
> > I haven't found a version of Python gnupg that knows what to do with
> > your EDDSA key, whereas 'gpg --verify' works fine.
>
> Actually it's not the gnupg module but our release.py script that does
> the formatting, and it only supports RSA keys. Interestingly enough,
> EDDSA (that you use) doesn't seem to be registered at IANA.
>
> Try release.py from trunk r1899717, I added a quick hack to format your key.

Thanks, I saw the commit. It works for me now:

   Mark Phippard [255EDD/C4416167349A3BCB] with fingerprint:
    EC25 FCC1 0561 8D04 ADB4  3429 C441 6167 349A 3BCB

Mark

Re: Question on release announcement mail

Posted by Branko Čibej <br...@apache.org>.
On 10.04.2022 22:26, Branko Čibej wrote:
> On 10.04.2022 22:02, Mark Phippard wrote:
>> On Sun, Apr 10, 2022 at 3:27 PM Daniel Shahaf 
>> <d....@daniel.shahaf.name> wrote:
>>> Mark Phippard wrote on Sun, Apr 10, 2022 at 15:16:58 -0400:
>>>> So I was wondering how, using the gpg command. I can get the other
>>>> elements we include .. such as: Stefan Sperling
>>>> [2048R/4F7DBAA99A59B973]
>>> They're generated by release.py:get_siginfo() which is called by
>>> write_announcement(), so, «release.py write-announcement» is the right
>>> answer.  (I just grepped for "with fingerprint:".)
>>>
>>>> A problem I am having is with my key. I have to run the
>>>> write-announcement in my Docker image but that has an old version of
>>>> GPG that does not know what to do with my key.
>>> Install gpg from backports, or run write-announcement elsewhere?
>>> I don't see why you couldn't run it anywhere you have a wc of
>>> /dist/release.
>> Even on a system with a GnuPG that understands my key the Python
>> script does not:
>>
>> Traceback (most recent call last):
>>    File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
>> line 1917, in <module>
>>      main()
>>    File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
>> line 1913, in main
>>      args.func(args)
>>    File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
>> line 1272, in write_announcement
>>      siginfo = get_siginfo(args, True)
>>    File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
>> line 1421, in get_siginfo
>>      formatter = PUBLIC_KEY_ALGORITHMS[keytype]
>> KeyError: 22
>
>
> I haven't found a version of Python gnupg that knows what to do with 
> your EDDSA key, whereas 'gpg --verify' works fine.

Actually it's not the gnupg module but our release.py script that does 
the formatting, and it only supports RSA keys. Interestingly enough, 
EDDSA (that you use) doesn't seem to be registered at IANA.

Try release.py from trunk r1899717, I added a quick hack to format your key.

-- Brane

Re: Question on release announcement mail

Posted by Branko Čibej <br...@apache.org>.
On 10.04.2022 22:02, Mark Phippard wrote:
> On Sun, Apr 10, 2022 at 3:27 PM Daniel Shahaf <d....@daniel.shahaf.name> wrote:
>> Mark Phippard wrote on Sun, Apr 10, 2022 at 15:16:58 -0400:
>>> So I was wondering how, using the gpg command. I can get the other
>>> elements we include .. such as: Stefan Sperling
>>> [2048R/4F7DBAA99A59B973]
>> They're generated by release.py:get_siginfo() which is called by
>> write_announcement(), so, «release.py write-announcement» is the right
>> answer.  (I just grepped for "with fingerprint:".)
>>
>>> A problem I am having is with my key. I have to run the
>>> write-announcement in my Docker image but that has an old version of
>>> GPG that does not know what to do with my key.
>> Install gpg from backports, or run write-announcement elsewhere?
>> I don't see why you couldn't run it anywhere you have a wc of
>> /dist/release.
> Even on a system with a GnuPG that understands my key the Python
> script does not:
>
> Traceback (most recent call last):
>    File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
> line 1917, in <module>
>      main()
>    File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
> line 1913, in main
>      args.func(args)
>    File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
> line 1272, in write_announcement
>      siginfo = get_siginfo(args, True)
>    File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
> line 1421, in get_siginfo
>      formatter = PUBLIC_KEY_ALGORITHMS[keytype]
> KeyError: 22


I haven't found a version of Python gnupg that knows what to do with 
your EDDSA key, whereas 'gpg --verify' works fine.

-- Brane


Re: Question on release announcement mail

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Mark Phippard wrote on Sun, Apr 10, 2022 at 16:02:07 -0400:
> On Sun, Apr 10, 2022 at 3:27 PM Daniel Shahaf <d....@daniel.shahaf.name> wrote:
> >
> > Mark Phippard wrote on Sun, Apr 10, 2022 at 15:16:58 -0400:
> > > So I was wondering how, using the gpg command. I can get the other
> > > elements we include .. such as: Stefan Sperling
> > > [2048R/4F7DBAA99A59B973]
> >
> > They're generated by release.py:get_siginfo() which is called by
> > write_announcement(), so, «release.py write-announcement» is the right
> > answer.  (I just grepped for "with fingerprint:".)
> >
> > > A problem I am having is with my key. I have to run the
> > > write-announcement in my Docker image but that has an old version of
> > > GPG that does not know what to do with my key.
> >
> > Install gpg from backports, or run write-announcement elsewhere?
> > I don't see why you couldn't run it anywhere you have a wc of
> > /dist/release.
> 
> Even on a system with a GnuPG that understands my key the Python
> script does not:
> 
> Traceback (most recent call last):
>   File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
> line 1917, in <module>
>     main()
>   File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
> line 1913, in main
>     args.func(args)
>   File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
> line 1272, in write_announcement
>     siginfo = get_siginfo(args, True)
>   File "/Users/markphip/projects/svn-trunk/tools/dist/release.py",
> line 1421, in get_siginfo
>     formatter = PUBLIC_KEY_ALGORITHMS[keytype]
> KeyError: 22
> 
> 
> So I was going to remove my key from the signature file, run the
> script to get the email announcement, and then put my key back. But
> then I was looking for how I could manually construct what my entry
> should look like in the email.
> 

Perhaps something like this:

Index: release.py
===================================================================
--- release.py	(revision 1899017)
+++ release.py	(working copy)
@@ -1417,7 +1402,7 @@ def get_siginfo(args, quiet=False):
             if parts[0] == 'pub':
                 keylen = int(parts[2])
                 keytype = int(parts[3])
-                formatter = PUBLIC_KEY_ALGORITHMS[keytype]
+                formatter = PUBLIC_KEY_ALGORITHMS.get(keytype, lambda keylen: "?<keytype={}, keylen={}>".format(keytype, keylen))
                 long_key_id = parts[4]
                 length_and_type = formatter(keylen) + '/' + long_key_id
                 del keylen, keytype, formatter, long_key_id
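
Review bot: the fallback on the `+` line in get_siginfo() turns the KeyError into a placeholder such as "?<keytype=22, keylen=255>" that flows straight into length_and_type, with nothing telling the person running the script that the lookup missed. Consider printing a warning to stderr when the key type is not in PUBLIC_KEY_ALGORITHMS, so an unknown algorithm is noticed before the text is sent out. The one-line lambda is also long; a small named helper next to PUBLIC_KEY_ALGORITHMS would read better and could carry the warning.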

Or this:

Index: release.py
===================================================================
--- release.py	(revision 1899017)
+++ release.py	(working copy)
@@ -1326,6 +1311,7 @@ PUBLIC_KEY_ALGORITHMS = {
     # The values are callables that produce gpg1-like key length and type
     # indications, e.g., "4096R" for a 4096-bit RSA key.
     1: (lambda keylen: str(keylen) + 'R'), # RSA
+    22: (lambda keylen: "ed25519"), # according to gpg2; this value is not in the IANA registry above
 }
 
 def _make_human_readable_fingerprint(fingerprint):
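
Review bot: the new entry for 22 returns the fixed string "ed25519" and ignores keylen, while the comment directly above says the values produce gpg1-like key length and type indications such as "4096R". Either build the label from keylen the way the RSA entry does, or update that comment to say entries may follow gpg2 naming, so the two styles are not mixed by accident. The trailing comment is worth keeping, since it records why 22 has no name from the registry.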

> I could just leave my signature out of the release too so as not to
> have downstream users need to deal with this problem.

Please don't.  Anyone with an OpenPGP implementation who doesn't know
what public key algorithm 22 is should be able to ignore your signature
and only verify the others.

I suppose you could move your own signature to be last in the files, but
even for this you might want to wait until someone actually complains
about the files failing to verify.
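
The formatting discussed in this thread, as an added example that is not release.py's code and not part of the original message: it builds the "[4096R/KEYID] with fingerprint:" entries from colon-delimited gpg key listings and degrades to a labelled placeholder plus a warning, instead of a KeyError, when the algorithm number is unknown. The names `ALGO_SUFFIX`, `key_label`, `signer_entries` and `SAMPLE` are hypothetical, and the sample records are constructed, not real keys.

```python
import re

# gpg1-like type suffixes by OpenPGP public-key algorithm number. "R" and
# "EDD" follow the labels quoted in this thread ("4096R", "255EDD"); "D" for
# DSA is added here for illustration.
ALGO_SUFFIX = {1: "R", 17: "D", 22: "EDD"}

# Constructed sample in the layout of `gpg --with-colons --fingerprint`
# output (not real keys): field 3 = key length, field 4 = algorithm,
# field 5 = long key ID, field 10 = fingerprint or user ID.
SAMPLE = """\
pub:-:4096:1:89ABCDEF01234567:1500000000:::-:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::::Alice Example <alice@example.invalid>:
sub:-:4096:1:FEDCBA9876543210:1500000000:::-:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFEDCBA9876543210:
pub:-:255:22:0000111122223333:1600000000:::-:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
uid:-::::1600000000::::Bob Example <bob@example.invalid>:
pub:-:512:99:3333222211110000:1600000000:::-:
fpr:::::::::9999888877776666555544443333222211110000:
uid:-::::1600000000::::Carol Example:
"""

def human_fingerprint(fpr):
    """Group hex digits in fours, with a double space at the midpoint."""
    groups = [fpr[i:i + 4] for i in range(0, len(fpr), 4)]
    half = len(groups) // 2
    return " ".join(groups[:half]) + "  " + " ".join(groups[half:])

def key_label(keylen, algo, key_id, warnings):
    """Return e.g. '4096R/KEYID'; unknown algorithms get a visible placeholder."""
    suffix = ALGO_SUFFIX.get(algo)
    if suffix is None:
        warnings.append("unknown public-key algorithm %d for key %s" % (algo, key_id))
        suffix = "?alg%d" % algo
    return "%d%s/%s" % (keylen, suffix, key_id)

def signer_entries(colon_output):
    """Return (announcement entries, warnings) for every primary key listed."""
    keys, warnings, cur, primary = [], [], None, False
    for line in colon_output.splitlines():
        parts = line.split(":")
        if parts[0] == "pub":
            cur = {"label": key_label(int(parts[2]), int(parts[3]), parts[4], warnings),
                   "fpr": None, "name": None}
            keys.append(cur)
            primary = True
        elif parts[0] == "sub":
            primary = False  # fingerprints that follow belong to the subkey
        elif parts[0] == "fpr" and cur and primary and cur["fpr"] is None:
            cur["fpr"] = parts[9]
        elif parts[0] == "uid" and cur and cur["name"] is None:
            # Keep the first user ID and drop a trailing <email> part.
            cur["name"] = re.sub(r"\s*<[^>]*>\s*$", "", parts[9])
    entries = ["   %s [%s] with fingerprint:\n    %s"
               % (k["name"], k["label"], human_fingerprint(k["fpr"] or ""))
               for k in keys]
    return entries, warnings

if __name__ == "__main__":
    entries, warnings = signer_entries(SAMPLE)
    print("\n".join(entries))
    for w in warnings:
        print("warning:", w)
```
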

Re: Question on release announcement mail

Posted by Mark Phippard <ma...@gmail.com>.
On Sun, Apr 10, 2022 at 3:27 PM Daniel Shahaf <d....@daniel.shahaf.name> wrote:
>
> Mark Phippard wrote on Sun, Apr 10, 2022 at 15:16:58 -0400:
> > So I was wondering how, using the gpg command. I can get the other
> > elements we include .. such as: Stefan Sperling
> > [2048R/4F7DBAA99A59B973]
>
> They're generated by release.py:get_siginfo() which is called by
> write_announcement(), so, «release.py write-announcement» is the right
> answer.  (I just grepped for "with fingerprint:".)
>
> > A problem I am having is with my key. I have to run the
> > write-announcement in my Docker image but that has an old version of
> > GPG that does not know what to do with my key.
>
> Install gpg from backports, or run write-announcement elsewhere?
> I don't see why you couldn't run it anywhere you have a wc of
> /dist/release.

Even on a system with a GnuPG that understands my key the Python
script does not:

Traceback (most recent call last):
  File "/Users/markphip/projects/svn-trunk/tools/dist/release.py", line 1917, in <module>
    main()
  File "/Users/markphip/projects/svn-trunk/tools/dist/release.py", line 1913, in main
    args.func(args)
  File "/Users/markphip/projects/svn-trunk/tools/dist/release.py", line 1272, in write_announcement
    siginfo = get_siginfo(args, True)
  File "/Users/markphip/projects/svn-trunk/tools/dist/release.py", line 1421, in get_siginfo
    formatter = PUBLIC_KEY_ALGORITHMS[keytype]
KeyError: 22


So I was going to remove my key from the signature file, run the
script to get the email announcement, and then put my key back. But
then I was looking for how I could manually construct what my entry
should look like in the email.

I could just leave my signature out of the release too so as not to
have downstream users need to deal with this problem.

Mark

Re: Question on release announcement mail

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Mark Phippard wrote on Sun, Apr 10, 2022 at 15:16:58 -0400:
> So I was wondering how, using the gpg command. I can get the other
> elements we include .. such as: Stefan Sperling
> [2048R/4F7DBAA99A59B973]

They're generated by release.py:get_siginfo() which is called by
write_announcement(), so, «release.py write-announcement» is the right
answer.  (I just grepped for "with fingerprint:".)

> A problem I am having is with my key. I have to run the
> write-announcement in my Docker image but that has an old version of
> GPG that does not know what to do with my key.

Install gpg from backports, or run write-announcement elsewhere?
I don't see why you couldn't run it anywhere you have a wc of
/dist/release.

Re: Question on release announcement mail

Posted by Mark Phippard <ma...@gmail.com>.
On Sun, Apr 10, 2022 at 2:22 PM Daniel Shahaf <d....@daniel.shahaf.name> wrote:
>
> Mark Phippard wrote on Sun, 10 Apr 2022 16:30 +00:00:
> > Looking at past release announcements, they include a section on who
> > signed the release that looks like this:
> >
> >    Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
> >     8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973
> >    Branko Čibej [4096R/1BCA6586A347943F] with fingerprint:
> >     BA3C 15B1 337C F0FB 222B  D41A 1BCA 6586 A347 943F
> >    Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
> >     8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD
> >
> > I am kind of at a loss for how to produce this information. Assuming
> > those three used the same keys as in the past, I would need to know
> > what this should like for:
> >
> > me
> > Nathan
> > Julian
> >
> > ... and possibly Daniel Sahlberg if he sends in a signature.  Our KEYS
> > file only includes the fingerprint.
>
> Our KEYS file includes the actual keys: it can be piped to
> «GNUPGHOME=$(mktemp -d) gpg --import» in order to verify signatures made
> by those keys.  It's the release announcement that includes just the
> fingerprints.

Sorry my message was not clear. Julian's answer was more what I was
asking. All I meant by the reference to the KEYS file is that the data
it contains, as compared to what we include in our email, only
includes the key fingerprint. So I was wondering how, using the gpg
command, I can get the other elements we include .. such as: Stefan
Sperling [2048R/4F7DBAA99A59B973]

A problem I am having is with my key. I have to run the
write-announcement in my Docker image but that has an old version of
GPG that does not know what to do with my key.

Mark

Re: Question on release announcement mail

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Mark Phippard wrote on Sun, 10 Apr 2022 16:30 +00:00:
> Looking at past release announcements, they include a section on who
> signed the release that looks like this:
>
>    Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
>     8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973
>    Branko Čibej [4096R/1BCA6586A347943F] with fingerprint:
>     BA3C 15B1 337C F0FB 222B  D41A 1BCA 6586 A347 943F
>    Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
>     8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD
>
> I am kind of at a loss for how to produce this information. Assuming
> those three used the same keys as in the past, I would need to know
> what this should like for:
>
> me
> Nathan
> Julian
>
> ... and possibly Daniel Sahlberg if he sends in a signature.  Our KEYS
> file only includes the fingerprint.

Our KEYS file includes the actual keys: it can be piped to
«GNUPGHOME=$(mktemp -d) gpg --import» in order to verify signatures made
by those keys.  It's the release announcement that includes just the
fingerprints.

Daniel

> I have tried a few commands that sort of give me this info but the
> output is so different I am not sure if I would reproduce it
> correctly.
>
> Thanks
>
> Mark