Posted to dev@milagro.apache.org by Brian Spector <br...@qredo.com> on 2019/07/04 13:05:05 UTC

URGENT ATTN CONTRIBUTORS: Please sign git commits and distribute your public key

Hi All,

as we are preparing for a release, it’s critical that contributors advertise their public keys in the appropriate places, and also circulate your public key to other Milagro contributors to make it stronger in the web of trust.

Howard, Patrick, Giorgio, Alessandro, Go, Samuele, Tran, and (apologies to anyone else I have missed) others, the project needs to have your public keys advertised, and it’s a critical part of putting your public keys in the ‘keys’ file that needs to go out with every release.

We’ve got mine, Stan, Chris, Kealan, and John’s keys signed by other developers to strengthen their web of trust, and the signatures on those keys have been uploaded to the SKS key server (hopefully they have recovered somewhat).

The address of the key server is: hkps://hkps.pool.sks-keyservers.net

The folks that are CC’d on this list, if you can, at a minimum, do the following:

1. Create a GPG signing key; you should have done this for signing your git commits in any case per the previously sent email containing instructions on signing git commits. The email text is below my salutation for your reference.

2. Using that signing key, take its public key fingerprint https://www.apache.org/dev/openpgp.html#find-key-id-with-fingerprint and update your https://id.apache.org profile to include your public key.

3. Pull down the following public keys from the Key Server at: hkps://hkps.pool.sks-keyservers.net. You can do this with any GPG Win or Mac client. Kealan is on Linux and can give you help if needed. You can search on the key’s fingerprint to make sure you are pulling down the right one.

- Brian Spector (I have two keys):
0A45 9DA3 BCDB 6FC0 BAF2  6395 A89D 5CEC 2BF1 B012
C99A AC81 0E56 3F5E BA2D  A1E1 1485 BC9C 64DF 811C

- Chris Morris
740E 0DDE 3E53 4774 D7BE  BB73 3246 C7FA 219E 5A39

- Howard Kitto
8521 0EC8 B145 174B DFC4  5694 4A7E 0C95 773A C2C4

- Stanislav Mihaylov
EBAA B352 00E3 2DB6 4441  B5F4 03BA 3A7C B1D4 64CA

- Kealan McCusker
0188 A1FB 0A3D F335 B7A1  B334 FEC7 E31C C347 F69F

- Emir Uzeirbegovic
8098 43C0 72A7 9266 AF9E  B0F6 743B 16FF B67C 6E8A

- Milagro Security Advisory Public Key
8098 43C0 72A7 9266 AF9E  B0F6 743B 16FF B67C 6E8A


OR, simply import the attached keys into your GPG client.

I have digitally SMIME signed this email so you know it came from me (as much as we trust SMIME, not much, but better than nothing).

4. Optionally, if you feel comfortable doing so, please sign our public keys with your git commit signing key, and upload the public keys you signed back to the SKS key server at: hkps://hkps.pool.sks-keyservers.net

5. CRITICALLY: Please send us your key fingerprint or public keys (make sure you sign the email when sending over a public key through email so we can check the signature). This is so we can add your public keys to the release’s ‘keys’ file.

Thanks
Brian


—

On 2 Jul 2019, at 13:18, Brian Spector wrote:

> Hi All,
>
> We’ve had some watercooler discussions about the SKS key server debacle and this got everyone thinking about how important it is to digitally sign our git commits, as releases also need to be digitally signed.
>
> Chris, Howard and I are doing this, John is getting set up to do this and it would be great if the rest of the contrib squad (Giorgio, Alessandro, Patrick, etc.) did this as well.
>
> You can see the ‘verified’ badge next to the commit message here as an example: https://github.com/apache/incubator-milagro/commits/website/newREADME
>
> In short, what we are worried about is that someone could get access to a GitHub account (even an internal compromise of GitHub) and change Milagro’s code to somehow inject a vulnerability.
>
> Given that this code is performing trusted cryptographic operations, I think we should implement a rule for the project that basically states past July 4th, PPMC will approve no git feature branch merges into the develop branches on any repo unless all git commits were signed by a ‘Verified’ digital signing key. This will add confidence for users of the code base.
>
> GitHub takes care of the key verification by making sure the ID you have created that is attached to the key (example: brianspector@apache.org) is an email that you as the GitHub user have entered in as a verified email here: https://github.com/settings/emails
>
> If you go to this section on the GitHub site in settings: https://github.com/settings/emails you are able to add your own GPG key. Again, make sure the ID is one that GitHub has on file per above.
>
> The instructions for telling GitHub about your signing key are here: https://help.github.com/en/articles/telling-git-about-your-signing-key
>
> You then need to configure git to always sign your commits, which is easy, just follow this instruction. It took me all of 15 minutes to set this up.
>
> https://medium.com/@rwbutler/signing-commits-using-gpg-on-macos-7210362d15
>
> This is a really easy thing to set up and once you have done it, you can use the signing key to sign other contributors’ signing keys as Apache likes everyone to create a web of trust around the project.
>
> I know not every project has this rule, but we, as a security project, have higher standards.
>
> VOTE:
>
> Motion: All committers committing code, and any non-committer code coming from any merge request, (OTHER THAN DEPENDENCIES) must be GPG signed by a GitHub verified key.
>
> The vote will be open for at least 72 hours.
> [ ] +1 Approve the motion to make mandatory GPG signing of git commits
> [ ] +0 No opinion
> [ ] -1 Do not Approve
>
> If you vote not to approve, please state why. Or, start a discussion on why we shouldn’t do this given the upsides and low barrier for anyone to set up.
>
> Thanks
> Brian
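The merge rule in the motion above needs a check on the reviewing side. The following is an added example, not code from this thread or from the Milagro project: a gate that walks `git log --format='%H %G? %GF'` over a feature branch and rejects any commit that is unsigned or signed by a key that is not in the release's KEYS file. It assumes git and gpg (2.2+, for `--show-keys`) are on PATH and that the KEYS file's keys are already imported into the reviewer's keyring (otherwise git reports status E for every commit).

```shell
#!/bin/bash
# Added example, not code from the thread or the Milagro project: a merge gate
# for the "all commits must be signed by a verified key" motion. Every commit
# in BASE..HEAD must carry a valid GPG signature made by a key that ships in
# the release's KEYS file. Assumes git and gpg 2.2+ on PATH and that the KEYS
# file's keys have been imported into the reviewer's keyring.
set -u

# Normalise a fingerprint to 40 upper-case hex characters, dropping the spaces
# gpg prints for readability ("0A45 9DA3 ... B012").
norm_fpr() { printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]'; }

# check_log ALLOWLIST < LOG
#   ALLOWLIST: whitespace-separated full fingerprints of acceptable keys.
#   stdin:     one line per commit, as printed by
#                git log --format='%H %G? %GF' BASE..HEAD
#              %G? is G (good), U (good, key not trusted locally), B (bad),
#              E (cannot check), N (no signature), X/Y/R (expired/revoked);
#              %GF is the fingerprint of the key that made the signature,
#              which may be a signing subkey rather than the primary key.
#   Returns 0 when every commit is acceptable; otherwise returns 1 and lists
#   the offending commits on stderr.
check_log() {
  local allow hash status fpr rc=0
  # One space-separated, upper-cased allowlist so a " FPR " pattern match
  # can only hit a whole fingerprint.
  allow=" $(printf '%s' "$1" | tr -s '[:space:]' ' ' | tr '[:lower:]' '[:upper:]') "
  while read -r hash status fpr; do
    [ -n "$hash" ] || continue
    case "$status" in
      G|U) ;;  # valid signature; the key still has to be a listed one
      *) echo "REJECT $hash: signature status '$status'" >&2; rc=1; continue ;;
    esac
    fpr=$(norm_fpr "${fpr:-}")
    # Insist on a full fingerprint: short key IDs are cheap to collide.
    if [ "${#fpr}" -ne 40 ]; then
      echo "REJECT $hash: malformed fingerprint '$fpr'" >&2; rc=1; continue
    fi
    case "$allow" in
      *" $fpr "*) ;;  # signed by a key from the KEYS file
      *) echo "REJECT $hash: signing key $fpr is not in KEYS" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

# gate_branch BASE HEAD KEYS_FILE: build the allowlist from every fpr record
# (primary keys and subkeys) in the KEYS file, then run the gate over the range.
gate_branch() {
  local allow
  allow=$(gpg --with-colons --show-keys "$3" | awk -F: '$1=="fpr"{print $10}') || return 1
  git log --format='%H %G? %GF' "$1..$2" | check_log "$allow"
}

# Constructed sample (not real commits): three log lines as git would print
# them, checked against two fingerprints from the list in the message above.
demo() {
  local allow="0A459DA3BCDB6FC0BAF26395A89D5CEC2BF1B012
740E0DDE3E534774D7BEBB733246C7FA219E5A39"
  local sample="1111111111111111111111111111111111111111 G 0A459DA3BCDB6FC0BAF26395A89D5CEC2BF1B012
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 G 0188A1FB0A3DF335B7A1B334FEC7E31CC347F69F"
  if printf '%s\n' "$sample" | check_log "$allow"; then
    echo "branch accepted"
  else
    echo "branch rejected (commit 2 is unsigned, commit 3 is signed by a key not in KEYS)"
  fi
}

demo
```

Run `gate_branch develop feature/x KEYS` on a real checkout; the demo only exercises the constructed sample.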


Re: URGENT ATTN CONTRIBUTORS: Please sign git commits and distribute your public key

Posted by Emir U <em...@qredo.com>.
Hey guys, here are some notes and scripts to make your life easier.


Make sure you have GPG installed for your OS. Then from the command line you can run gpg --gen-key to create yourself a new key.


You can run the following script to complete the signing ceremony at least for Qredo's side after you've made your own key. Please understand what the script does before running it :-) :


#!/bin/bash
set -e

KEYSERVER="hkps.pool.sks-keyservers.net"


# QREDO team fingerprint suffixes (last 8 hex characters of each fingerprint).

KEYS="C0F10E2B
C347F69F
B1D464CA
64DF811C
219E5A39
773AC2C4
2BF1B012
EA63B72D"


# Collect the key to use for signing.

echo "Enter last 8 characters of YOUR signing key fingerprint (no spaces):"
read -r DEFKEY

if [ -z "$DEFKEY" ]; then
  echo "Signing key suffix cannot be empty" >&2
  exit 1
fi

echo "Using key $DEFKEY for signing."


# Grab the latest copy of each Qredo public key

echo "$KEYS" | xargs -n1 gpg --keyserver "$KEYSERVER" --recv-keys


# Sign each Qredo key AND your own key; be prepared for lots of confirmation screens.

printf '%s\n' "$DEFKEY" "$KEYS" | xargs -n1 gpg --default-key "$DEFKEY" --sign-key


# Send the signed keys back to the server.

printf '%s\n' "$DEFKEY" "$KEYS" | xargs -n1 gpg --keyserver "$KEYSERVER" --send-keys



________________________________
From: Brian Spector
Sent: 04 July 2019 06:30:01
To: dev@milagro.apache.org
Cc: Go Yamamoto; samuele.andreoli@yahoo.it; Alessandro Budroni; Patrick Hilt; Giorgio Zoppi; vutransingapore@gmail.com; Howard Kitto; Howard Kitto; Emir U
Subject: Re: URGENT ATTN CONTRIBUTORS: Please sign git commits and distribute your public key

Sorry all, correction, Emir’s key fingerprint is

6866 2F27 362D 147B AE69  9149 1760 2B24 C0F1 0E2B


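Step 3 of Brian's message also allows importing keys that arrive as e-mail attachments, and Emir's script above identifies keys by 8-character suffixes. The following is an added example, not Emir's script or the project's own tooling: before a key file is imported and signed, its primary-key fingerprint is compared with the full 40-hex fingerprint announced in the signed message, and nothing is signed on a mismatch. It assumes gpg is on PATH and that DEFKEY holds the fingerprint of your own signing key; the expected-fingerprint table is constructed from the list in the message.

```shell
#!/bin/bash
# Added example, not Emir's script or the Milagro project's own tooling:
# verify a contributor's key file against the full fingerprint announced in
# the signed e-mail before importing and certifying it. Assumes gpg on PATH
# and DEFKEY set to your own signing key's fingerprint.
set -u

KEYSERVER="hkps://hkps.pool.sks-keyservers.net"
DEFKEY="${DEFKEY:-}"

# Constructed allowlist, one "name|fingerprint" per line, copied from the
# fingerprints listed in the message above.
EXPECTED="Brian Spector|0A45 9DA3 BCDB 6FC0 BAF2  6395 A89D 5CEC 2BF1 B012
Chris Morris|740E 0DDE 3E53 4774 D7BE  BB73 3246 C7FA 219E 5A39
Kealan McCusker|0188 A1FB 0A3D F335 B7A1  B334 FEC7 E31C C347 F69F"

# Strip the spaces the e-mail and gpg use for readability; upper-case the hex.
norm_fpr() { printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]'; }

# expected_fpr NAME -> the announced 40-hex fingerprint for NAME, empty if unknown.
expected_fpr() {
  norm_fpr "$(printf '%s\n' "$EXPECTED" | awk -F'|' -v n="$1" '$1==n{print $2; exit}')"
}

# primary_fpr COLON_LISTING -> fingerprint of the first primary key in a
#   `gpg --with-colons --show-keys FILE` listing: field 10 of the first "fpr"
#   record after the first "pub" record (later fpr records belong to subkeys).
primary_fpr() {
  printf '%s\n' "$1" | awk -F: '$1=="pub"{p=1} p && $1=="fpr"{print $10; exit}'
}

# key_file_matches NAME COLON_LISTING -> 0 only if the listing's primary key
#   carries exactly the fingerprint announced for NAME. A key file whose
#   primary key merely shares an 8-character suffix does not pass.
key_file_matches() {
  local want
  want=$(expected_fpr "$1")
  [ -n "$want" ] && [ "$want" = "$(primary_fpr "$2")" ]
}

# import_and_sign NAME FILE: inspect the file without importing it, refuse on
# a fingerprint mismatch, otherwise import, certify with DEFKEY and publish.
import_and_sign() {
  local name="$1" file="$2" listing fpr
  listing=$(gpg --with-colons --show-keys "$file") || return 1
  if ! key_file_matches "$name" "$listing"; then
    echo "REFUSING $file: primary key fingerprint does not match the one announced for $name" >&2
    return 1
  fi
  fpr=$(primary_fpr "$listing")
  gpg --import "$file" \
    && gpg --default-key "$DEFKEY" --sign-key "$fpr" \
    && gpg --keyserver "$KEYSERVER" --send-keys "$fpr"
}
```

Usage: `import_and_sign "Chris Morris" chris.asc`; the helpers `expected_fpr`, `primary_fpr` and `key_file_matches` need no keyring and can be exercised on a captured `--with-colons` listing.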
Re: URGENT ATTN CONTRIBUTORS: Please sign git commits and distribute your public key

Posted by Brian Spector <br...@qredo.com>.
Sorry all, correction, Emir’s key fingerprint is

6866 2F27 362D 147B AE69  9149 1760 2B24 C0F1 0E2B


Re: URGENT ATTN CONTRIBUTORS: Please sign git commits and distribute your public key

Posted by Emir U <em...@qredo.com>.
Signed. Here is a code snippet to help others do it quickly if you're also signing for Giorgio.


# Fetch Giorgio's key from the key server (short ID suffix of his fingerprint).
gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys 4B36F6B9
# Certify it with your own signing key (gpg asks for confirmation).
gpg --default-key <your 8 character fingerprint suffix> --sign-key 4B36F6B9
# Push the key back so the server carries your signature.
gpg --keyserver hkps.pool.sks-keyservers.net --send-keys 4B36F6B9

Emir


Re: URGENT ATTN CONTRIBUTORS: Please sign git commits and distribute your public key

Posted by Emir U <em...@qredo.com>.
Thx Giorgio, will sign you. Emir

On 4 Jul 2019, at 22:20, Giorgio Zoppi <gi...@gmail.com> wrote:

Pub key fingerprint.
08A9 19B6 5853 BFEA 8AF3  F0B6 E89F 5EAB 4B36 F6B9

---------- Forwarded message ---------
From: Giorgio Zoppi <gi...@gmail.com>
Date: Thu, 4 Jul 2019 at 23:15
Subject: Re: URGENT ATTN CONTRIBUTORS: Please sign git commits and distribute your public key
To: Brian Spector <br...@qredo.com>


my public key

El jue., 4 jul. 2019 a las 15:05, Brian Spector (<br...@qredo.com>>) escribió:
Hi All,

as we are preparing for a release, it’s critical that contributors advertise their public keys in the appropriate places, and also circulate your public key to other Milagro contributors to make it stronger in the web of trust.

Howard, Patrick, Giorgio, Alessandro, Go, Samuele, Tran, and (apologies to anyone else I have missed) others, the project needs to have your public keys advertised, and it’s a critical part of putting your public keys in the ‘keys’ file that needs to go out with every release.

We’ve got mine, Stan, Chris, Kealan, and John’s keys signed by other developers to strengthen their web of trust, and the signatures on those keys have been uploaded to the SKS key server (hopefully they have recovered somewhat).

The address of the key server is: hkps://hkps.pool.sks-keyservers.net<http://hkps.pool.sks-keyservers.net>

The folks that are CC’d on this list, if you can, at a minimum, do the following:

1. Create a GPG signing key, you should have done this for signing your git commits in any case per the previously sent email containing instructions on signing git commits. The email text is below my salutation for your reference.

2. Using that signing key, take it’s public key fingerprint https://www.apache.org/dev/openpgp.html#find-key-id-with-fingerprint and update your https://id.apache.org profile to include your public key.

3. Pull down the following public keys from the Key Server at: hkps://hkps.pool.sks-keyservers.net<http://hkps.pool.sks-keyservers.net>. You can do with any GPG Win or Mac client. Kealan is on Linux and can give you help if needed. You can search on the key’s fingerprint to make sure you are pulling down the right one.

- Brian Spector (I have two keys):
0A45 9DA3 BCDB 6FC0 BAF2  6395 A89D 5CEC 2BF1 B012
C99A AC81 0E56 3F5E BA2D  A1E1 1485 BC9C 64DF 811C

- Chris Morris
740E 0DDE 3E53 4774 D7BE  BB73 3246 C7FA 219E 5A39

- Howard Kitto
8521 0EC8 B145 174B DFC4  5694 4A7E 0C95 773A C2C4

- Stanislav Mihaylov
EBAA B352 00E3 2DB6 4441  B5F4 03BA 3A7C B1D4 64CA

- Kealan McCusker
0188 A1FB 0A3D F335 B7A1  B334 FEC7 E31C C347 F69F

- Emir Uzeirbegovic
8098 43C0 72A7 9266 AF9E  B0F6 743B 16FF B67C 6E8A

- Milagro Security Advisory Public Key
8098 43C0 72A7 9266 AF9E  B0F6 743B 16FF B67C 6E8A


OR, simply import the attached keys into your GPG client.

I have digitally SMIME signed this email so you know it came from me (as much as we trust SMIME, not much, but better than nothing).

4. Optionally, if you feel comfortable doing so, please sign our public keys with your git commit signing key, and upload the public keys you signed back to the SKS key server at: kps://hkps.pool.sks-keyservers.net<http://hkps.pool.sks-keyservers.net>

5. CRITICALLY: Please send us your key fingerprint or public keys (make sure you sign the email when sending over a public key through email so we can check the signature). This is so we can add your public keys to the release’s ‘keys’ file.

Thanks
Brian


—

On 2 Jul 2019, at 13:18, Brian Spector wrote:

> Hi All,
>
> We’ve had some watercolor discussions about the SKS key server debacle and this got everyone thinking about how important it is to digitally sign our git commits. As releases also need to be digitally signed.
>
> Chris, Howard and I are doing this, John is getting setup to do this and it would be great if the rest of the contrib squad (Giorgio, Alessandro, Patrick, etc.) did this as well.
>
> You can see the ‘verified’ badge next to the commit message here as an example: https://github.com/apache/incubator-milagro/commits/website/newREADME
>
> In short, what we are worried about is that a someone could get access to a GitHub account (even an internal compromise of GitHub) and change Milagro’s code to somehow inject a vulnerability.
>
> Given that this code is performing trusted cryptographic operations, I think we should implement a rule for the project that basically states past July 4th, PPMC will approve no git feature branch merges into the develop branches on any repo unless all git commits we’re signed by a ‘Verified’ digital signing key. This will add confidence for users of the code base.
>
> GitHub takes care of the key verification by making sure the ID you have created that is attached to the key (example: brianspector@apache.org<ma...@apache.org>) is an email that you as the GitHub user have entered in as a verified email here: https://github.com/settings/emails
>
> If you go to this section on the GitHub site in settings: https://github.com/settings/emails you are able to add your own GPG key. Again, make sure the ID is one that GitHub has on file per above.
>
> The instructions for telling GitHub about your signing key are here: https://help.github.com/en/articles/telling-git-about-your-signing-key
>
> You then need to configure git to always sign your commits, which is easy, just follow this instruction. It took me all of 15 minutes to set this up.
>
> https://medium.com/@rwbutler/signing-commits-using-gpg-on-macos-7210362d15
>
> This is a really easy thing to set up and once you have done it, you can use the signing key to sign other contributors’ signing keys, as Apache likes everyone to create a web of trust around the project.
>
> I know not every project has this rule, but we, as a security project, have higher standards.
>
> VOTE:
>
> Motion: All committers committing code, and any non-committer code coming from any merge request, (OTHER THAN DEPENDENCIES) must be GPG signed by a GitHub verified key.
>
> The vote will be open for at least 72 hours.
> [ ] +1 Approve the motion to make mandatory GPG signing of git commits
> [ ] +0 No opinion
> [ ] -1 Do not Approve
>
> If you vote not to approve, please state why. Or, start a discussion on why we shouldn’t do this given the upsides and low barrier for anyone to setup.
>
> Thanks
> Brian



--
Life is a chess game - Anonymous.


<clavepublica.pub>
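
As an added example (not code from the thread or from the Milagro project), a small Python merge gate that applies the rule proposed above: it reads the output of `git log --format='%H %G? %GP' develop..feature`, takes the allowed primary-key fingerprints from the release KEYS file, and blocks the merge unless every commit carries a good signature from a listed key. The KEYS and log samples are constructed; the two fingerprints in them are the ones the thread lists for Kealan McCusker and Brian Spector, while the commit SHAs, the uid address and the DEADBEEF fingerprint are placeholders.

```python
"""Merge gate for the rule proposed in the thread: a feature branch may be
merged only if every commit on it carries a good GPG signature from a key
listed in the release KEYS file. Added example, not Milagro project code."""
import re

# Meaning of git's %G? signature-status placeholder.
SIG_STATUS = {
    "G": "good signature",
    "U": "good signature, key not trusted locally",
    "X": "good signature, now expired",
    "Y": "good signature, key expired",
    "R": "good signature, key revoked",
    "B": "bad signature",
    "E": "signature cannot be checked (key missing)",
    "N": "no signature",
}
# The KEYS file, not the local gpg trust database, is the trust anchor here,
# so "U" is acceptable as long as the signing key is listed in KEYS.
ACCEPTED = {"G", "U"}

# A 40-hex-digit fingerprint, optionally grouped in fours and optionally
# prefixed with the older "Key fingerprint =" label gpg used to print.
FPR_RE = re.compile(
    r"^(?:Key fingerprint\s*=\s*)?([0-9A-Fa-f]{4}(?:\s*[0-9A-Fa-f]{4}){9})$")


def normalize_fpr(fpr):
    """Canonical form: upper-case hex with no spaces."""
    return re.sub(r"\s+", "", fpr).upper()


def keys_file_fingerprints(keys_text):
    """Collect primary-key fingerprints from an Apache-style KEYS file.
    KEYS interleaves gpg key listings with armored key blocks; only the
    fingerprint lines outside the armored blocks are used."""
    fprs = set()
    in_armor = False
    for line in keys_text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP"):
            in_armor = True
        elif line.startswith("-----END PGP"):
            in_armor = False
        elif not in_armor:
            m = FPR_RE.match(line)
            if m:
                fprs.add(normalize_fpr(m.group(1)))
    return fprs


def parse_git_log(log_text):
    """Parse output of: git log --format='%H %G? %GP' <base>..<branch>
    %GP is the fingerprint of the primary key whose (sub)key signed the
    commit, which is what KEYS lists. Unsigned commits have an empty %GP,
    so such lines carry only two fields."""
    commits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        sha, status = parts[0], parts[1]
        fpr = normalize_fpr(parts[2]) if len(parts) > 2 else ""
        commits.append((sha, status, fpr))
    return commits


def check_branch(log_text, allowed_fprs):
    """Return (ok, problems): ok only when every commit has an accepted
    signature status AND its primary key is listed in KEYS."""
    problems = []
    for sha, status, fpr in parse_git_log(log_text):
        if status not in ACCEPTED:
            why = SIG_STATUS.get(status, "unknown status " + status)
            problems.append(f"{sha[:12]}: {why}")
        elif fpr not in allowed_fprs:
            problems.append(f"{sha[:12]}: signed by {fpr}, not in KEYS")
    return (not problems), problems


# Constructed KEYS sample in the two layouts gpg has used; the fingerprints
# are the ones the thread lists for Kealan McCusker and Brian Spector.
SAMPLE_KEYS = """\
pub   rsa4096 2019-06-01 [SC]
      0188A1FB0A3DF335B7A1B334FEC7E31CC347F69F
uid           Kealan McCusker <uid-email-placeholder>
-----BEGIN PGP PUBLIC KEY BLOCK-----
(armored key material omitted in this constructed sample)
-----END PGP PUBLIC KEY BLOCK-----
pub   rsa4096 2018-01-01 [SC]
      Key fingerprint = 0A45 9DA3 BCDB 6FC0 BAF2  6395 A89D 5CEC 2BF1 B012
"""

# Constructed git log sample; SHAs and the DEADBEEF fingerprint are placeholders.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111 G 0188A1FB0A3DF335B7A1B334FEC7E31CC347F69F
2222222222222222222222222222222222222222 U 0A459DA3BCDB6FC0BAF26395A89D5CEC2BF1B012
3333333333333333333333333333333333333333 N
4444444444444444444444444444444444444444 G DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
"""

if __name__ == "__main__":
    ok, problems = check_branch(SAMPLE_LOG, keys_file_fingerprints(SAMPLE_KEYS))
    print("MERGE OK" if ok else "BLOCKED:\n  " + "\n  ".join(problems))
```

Run against a real repository with `check_branch(subprocess.check_output(["git", "log", "--format=%H %G? %GP", "develop..feature"], text=True), keys_file_fingerprints(open("KEYS").read()))`; gpg must already hold the KEYS file's public keys for git to report `G` or `U`.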

Re: URGENT ATTN CONTRIBUTORS: Please sign git commits and distribute your public key

Posted by Tran Ly Vu <vu...@gmail.com>.
Hi,

No, I was not.

On Wed, 24 Jul 2019 at 22:54, Brian Spector <br...@qredo.com> wrote:


Re: URGENT ATTN CONTRIBUTORS: Please sign git commits and distribute your public key

Posted by Brian Spector <br...@qredo.com>.
Hi Tran, sorry for the delay in responding. I think we need to nominate you as a contributor in order to get your apache ID setup. Were you a contributor to a previous project?

Thanks
Brian


Brian Spector
Chief Product and Strategy Officer
Qredo Ltd
T: +44 1394825764
1 Primrose Street
London, UK EC2A 2EX
https://qredo.com

Qredo Ltd is a limited company registered in England and Wales (registered number 7834052).  This e-mail and any attachments are confidential, and are intended only for the named addressee(s).  If you are not the intended recipient you may not copy, disclose to anyone else or otherwise use the content of this e-mail or any attachment thereto and should notify the sender immediately and delete them from your system.



________________________________
From: Tran Ly Vu <vu...@gmail.com>
Sent: 06 July 2019 3:47 PM
To: dev@milagro.incubator.apache.org <de...@milagro.incubator.apache.org>
Cc: dev@milagro.apache.org <de...@milagro.apache.org>
Subject: Re: URGENT ATTN CONTRIBUTORS: Please sign git commits and distribute your public key


Re: URGENT ATTN CONTRIBUTORS: Please sign git commits and distribute your public key

Posted by Tran Ly Vu <vu...@gmail.com>.
Hi,

So I could not log in to https://id.apache.org. I have an account that can
access Apache Jira and Confluence, but it cannot be used to access
https://id.apache.org. Can someone advise me on how I can create an account
for id.apache.org?

Key fingerprint:
1007 7EA8 CBEE 28F4 BB05  EFE4 CE8F A0C4 9557 1477

Thanks


On Fri, 5 Jul 2019 at 17:43, Brian Spector <br...@qredo.com> wrote:


Re: URGENT ATTN CONTRIBUTORS: Please sign git commits and distribute your public key

Posted by Brian Spector <br...@qredo.com>.
Hi Giorgio, great. Can you please make sure you update this on your id.apache.org profile?

Thanks
Brian

On 4 Jul 2019, at 22:20, Giorgio Zoppi wrote:

Pub key finger print.
08A9 19B6 5853 BFEA 8AF3  F0B6 E89F 5EAB 4B36 F6B9

---------- Forwarded message ---------
De: Giorgio Zoppi <gi...@gmail.com>>
Date: jue., 4 jul. 2019 a las 23:15
Subject: Re: URGENT ATTN CONTRIBUTORS: Please sign git commits and distribute your public key
To: Brian Spector <br...@qredo.com>>


my public key

El jue., 4 jul. 2019 a las 15:05, Brian Spector (<br...@qredo.com>>) escribió:
Hi All,

as we are preparing for a release, it’s critical that contributors advertise their public keys in the appropriate places, and also circulate your public key to other Milagro contributors to make it stronger in the web of trust.

Howard, Patrick, Giorgio, Alessandro, Go, Samuele, Tran, and (apologies to anyone else I have missed) others, the project needs to have your public keys advertised, and it’s a critical part of putting your public keys in the ‘keys’ file that needs to go out with every release.

We’ve got mine, Stan, Chris, Kealan, and John’s keys signed by other developers to strengthen their web of trust, and the signatures on those keys have been uploaded to the SKS key server (hopefully they have recovered somewhat).

The address of the key server is: hkps://hkps.pool.sks-keyservers.net<http://hkps.pool.sks-keyservers.net>

The folks that are CC’d on this list, if you can, at a minimum, do the following:

1. Create a GPG signing key, you should have done this for signing your git commits in any case per the previously sent email containing instructions on signing git commits. The email text is below my salutation for your reference.

2. Using that signing key, take it’s public key fingerprint https://www.apache.org/dev/openpgp.html#find-key-id-with-fingerprint and update your https://id.apache.org profile to include your public key.

3. Pull down the following public keys from the Key Server at: hkps://hkps.pool.sks-keyservers.net<http://hkps.pool.sks-keyservers.net>. You can do with any GPG Win or Mac client. Kealan is on Linux and can give you help if needed. You can search on the key’s fingerprint to make sure you are pulling down the right one.

- Brian Spector (I have two keys):
0A45 9DA3 BCDB 6FC0 BAF2  6395 A89D 5CEC 2BF1 B012
C99A AC81 0E56 3F5E BA2D  A1E1 1485 BC9C 64DF 811C

- Chris Morris
740E 0DDE 3E53 4774 D7BE  BB73 3246 C7FA 219E 5A39

- Howard Kitto
8521 0EC8 B145 174B DFC4  5694 4A7E 0C95 773A C2C4

- Stanislav Mihaylov
EBAA B352 00E3 2DB6 4441  B5F4 03BA 3A7C B1D4 64CA

- Kealan McCusker
0188 A1FB 0A3D F335 B7A1  B334 FEC7 E31C C347 F69F

- Emir Uzeirbegovic
8098 43C0 72A7 9266 AF9E  B0F6 743B 16FF B67C 6E8A

- Milagro Security Advisory Public Key
8098 43C0 72A7 9266 AF9E  B0F6 743B 16FF B67C 6E8A


OR, simply import the attached keys into your GPG client.

I have digitally SMIME signed this email so you know it came from me (as much as we trust SMIME, not much, but better than nothing).

4. Optionally, if you feel comfortable doing so, please sign our public keys with your git commit signing key, and upload the public keys you signed back to the SKS key server at: kps://hkps.pool.sks-keyservers.net<http://hkps.pool.sks-keyservers.net>

5. CRITICALLY: Please send us your key fingerprint or public keys (make sure you sign the email when sending over a public key through email so we can check the signature). This is so we can add your public keys to the release’s ‘keys’ file.

Thanks
Brian


—

On 2 Jul 2019, at 13:18, Brian Spector wrote:

> Hi All,
>
> We’ve had some watercolor discussions about the SKS key server debacle and this got everyone thinking about how important it is to digitally sign our git commits. As releases also need to be digitally signed.
>
> Chris, Howard and I are doing this, John is getting setup to do this and it would be great if the rest of the contrib squad (Giorgio, Alessandro, Patrick, etc.) did this as well.
>
> You can see the ‘verified’ badge next to the commit message here as an example: https://github.com/apache/incubator-milagro/commits/website/newREADME
>
> In short, what we are worried about is that a someone could get access to a GitHub account (even an internal compromise of GitHub) and change Milagro’s code to somehow inject a vulnerability.
>
> Given that this code is performing trusted cryptographic operations, I think we should implement a rule for the project that basically states past July 4th, PPMC will approve no git feature branch merges into the develop branches on any repo unless all git commits we’re signed by a ‘Verified’ digital signing key. This will add confidence for users of the code base.
>
> GitHub takes care of the key verification by making sure the ID you have created that is attached to the key (example: brianspector@apache.org<ma...@apache.org>) is an email that you as the GitHub user have entered in as a verified email here: https://github.com/settings/emails
>
> If you go to this section on the GitHub site in settings: https://github.com/settings/emails you are able to add your own GPG key. Again, make sure the ID is one that GitHub has on file per above.
>
> The instructions for telling GitHub about your signing key are here: https://help.github.com/en/articles/telling-git-about-your-signing-key
>
> You then need to configure git to always sign your commits, which is easy, just follow this instruction. It took me all of 15 minutes to set this up.
>
> https://medium.com/@rwbutler/signing-commits-using-gpg-on-macos-7210362d15
>
> This is a really easy thing to set up and once you have done it, you can use the signing key to sign other contributors’ signing keys, as Apache likes everyone to create a web of trust around the project.
>
> I know not every project has this rule, but we, as a security project, have higher standards.
>
> VOTE:
>
> Motion: All committers committing code, and any non-committer code coming from any merge request, (OTHER THAN DEPENDENCIES) must be GPG signed by a GitHub verified key.
>
> The vote will be open for at least 72 hours.
> [ ] +1 Approve the motion to make mandatory GPG signing of git commits
> [ ] +0 No opinion
> [ ] -1 Do not Approve
>
> If you vote not to approve, please state why. Or, start a discussion on why we shouldn’t do this given the upsides and low barrier for anyone to set up.
>
> Thanks
> Brian



--
Life is a chess game - Anonymous.
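An added example, not from this thread or the Milagro project, of the merge gate the quoted vote proposes (no merge unless every commit on the branch carries a good signature): a POSIX shell check over the signature-status output of `git log`. The commit hashes and key ids in the sample are constructed; the config commands in the comments are git's standard signing options.

```shell
#!/bin/sh
# Added example: enforce "all commits must be GPG signed" before a merge.
#
# One-time contributor setup (standard git options; fingerprint is a placeholder):
#   git config --global user.signingkey YOUR_KEY_FINGERPRINT_HERE
#   git config --global commit.gpgsign true
#
# git's %G? format placeholder reports one signature status per commit:
#   G good, B bad, U good but untrusted, X good but expired,
#   Y good with expired key, R good with revoked key, E cannot check, N none.
# Only 'G' satisfies the proposed rule; U/X/Y/R/E/N/B all fail it.
#
# check_signatures reads "hash status keyid" lines on stdin, exactly what
#   git log --format='%H %G? %GK' origin/develop..HEAD
# prints, and returns 0 only when every commit has status G.
check_signatures() {
  bad=0
  while read -r hash status keyid; do
    [ -z "$hash" ] && continue
    if [ "$status" = "G" ]; then
      echo "OK   $hash signed by key $keyid"
    else
      echo "FAIL $hash signature status '$status' (key ${keyid:-none})" >&2
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Constructed sample output (not real Milagro commits or keys).
SAMPLE_OK="a1b2c3d4 G 0123456789ABCDEF
d4e5f6a7 G 0123456789ABCDEF"
SAMPLE_BAD="a1b2c3d4 G 0123456789ABCDEF
f00ba700 N
c0ffee00 U FEDCBA9876543210"

# Usage against a real branch before approving a merge:
#   git log --format='%H %G? %GK' origin/develop..HEAD | check_signatures
```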



Fwd: URGENT ATTN CONTRIBUTORS: Please sign git commits and distribute your public key

Posted by Giorgio Zoppi <gi...@gmail.com>.
Public key fingerprint.
08A9 19B6 5853 BFEA 8AF3  F0B6 E89F 5EAB 4B36 F6B9

---------- Forwarded message ---------
From: Giorgio Zoppi <gi...@gmail.com>
Date: Thu, 4 Jul 2019 at 23:15
Subject: Re: URGENT ATTN CONTRIBUTORS: Please sign git commits and
distribute your public key
To: Brian Spector <br...@qredo.com>


my public key

On Thu, 4 Jul 2019 at 15:05, Brian Spector (<br...@qredo.com>)
wrote:

> Hi All,
>
> as we are preparing for a release, it’s critical that contributors
> advertise their public keys in the appropriate places, and also circulate
> your public key to other Milagro contributors to make it stronger in the
> web of trust.
>
> Howard, Patrick, Giorgio, Alessandro, Go, Samuele, Tran, and (apologies to
> anyone else I have missed) others, the project needs to have your public
> keys advertised, and it’s a critical part of putting your public keys in
> the ‘keys’ file that needs to go out with every release.
>
> We’ve got mine, Stan, Chris, Kealan, and John’s keys signed by other
> developers to strengthen their web of trust, and the signatures on those
> keys have been uploaded to the SKS key server (hopefully they have
> recovered somewhat).
>
> The address of the key server is: hkps://hkps.pool.sks-keyservers.net
>
> The folks that are CC’d on this list, if you can, at a minimum, do the
> following:
>
> 1. Create a GPG signing key, you should have done this for signing your
> git commits in any case per the previously sent email containing
> instructions on signing git commits. The email text is below my salutation
> for your reference.
>
> 2. Using that signing key, take its public key fingerprint
> https://www.apache.org/dev/openpgp.html#find-key-id-with-fingerprint and
> update your https://id.apache.org profile to include your public key.
>
> 3. Pull down the following public keys from the Key Server at: hkps://
> hkps.pool.sks-keyservers.net. You can do with any GPG Win or Mac client.
> Kealan is on Linux and can give you help if needed. You can search on the
> key’s fingerprint to make sure you are pulling down the right one.
>
> - Brian Spector (I have two keys):
> 0A45 9DA3 BCDB 6FC0 BAF2  6395 A89D 5CEC 2BF1 B012
> C99A AC81 0E56 3F5E BA2D  A1E1 1485 BC9C 64DF 811C
>
> - Chris Morris
> 740E 0DDE 3E53 4774 D7BE  BB73 3246 C7FA 219E 5A39
>
> - Howard Kitto
> 8521 0EC8 B145 174B DFC4  5694 4A7E 0C95 773A C2C4
>
> - Stanislav Mihaylov
> EBAA B352 00E3 2DB6 4441  B5F4 03BA 3A7C B1D4 64CA
>
> - Kealan McCusker
> 0188 A1FB 0A3D F335 B7A1  B334 FEC7 E31C C347 F69F
>
> - Emir Uzeirbegovic
> 8098 43C0 72A7 9266 AF9E  B0F6 743B 16FF B67C 6E8A
>
> - Milagro Security Advisory Public Key
> 8098 43C0 72A7 9266 AF9E  B0F6 743B 16FF B67C 6E8A
>
>
> OR, simply import the attached keys into your GPG client.
>
> I have digitally SMIME signed this email so you know it came from me (as
> much as we trust SMIME, not much, but better than nothing).
>
> 4. Optionally, if you feel comfortable doing so, please sign our public
> keys with your git commit signing key, and upload the public keys you
> signed back to the SKS key server at: hkps://hkps.pool.sks-keyservers.net
>
> 5. CRITICALLY: Please send us your key fingerprint or public keys (make
> sure you sign the email when sending over a public key through email so we
> can check the signature). This is so we can add your public keys to the
> release’s ‘keys’ file.
>
> Thanks
> Brian
>
>
> —
>
> On 2 Jul 2019, at 13:18, Brian Spector wrote:
>
> > Hi All,
> >
> > We’ve had some watercooler discussions about the SKS key server debacle
> and this got everyone thinking about how important it is to digitally sign
> our git commits, as releases also need to be digitally signed.
> >
> > Chris, Howard and I are doing this, John is getting setup to do this and
> it would be great if the rest of the contrib squad (Giorgio, Alessandro,
> Patrick, etc.) did this as well.
> >
> > You can see the ‘verified’ badge next to the commit message here as an
> example:
> https://github.com/apache/incubator-milagro/commits/website/newREADME
> >
> > In short, what we are worried about is that someone could get access
> to a GitHub account (even an internal compromise of GitHub) and change
> Milagro’s code to somehow inject a vulnerability.
> >
> > Given that this code is performing trusted cryptographic operations, I
> think we should implement a rule for the project that basically states past
> July 4th, PPMC will approve no git feature branch merges into the develop
> branches on any repo unless all git commits were signed by a ‘Verified’
> digital signing key. This will add confidence for users of the code base.
> >
> > GitHub takes care of the key verification by making sure the ID you have
> created that is attached to the key (example: brianspector@apache.org) is
> an email that you as the GitHub user have entered in as a verified email
> here: https://github.com/settings/emails
> >
> > If you go to this section on the GitHub site in settings:
> https://github.com/settings/emails you are able to add your own GPG key.
> Again, make sure the ID is one that GitHub has on file per above.
> >
> > The instructions for telling GitHub about your signing key are here:
> https://help.github.com/en/articles/telling-git-about-your-signing-key
> >
> > You then need to configure git to always sign your commits, which is
> easy, just follow this instruction. It took me all of 15 minutes to set
> this up.
> >
> >
> https://medium.com/@rwbutler/signing-commits-using-gpg-on-macos-7210362d15
> >
> > This is a really easy thing to set up and once you have done it, you can
> use the signing key to sign other contributors’ signing keys, as Apache likes
> everyone to create a web of trust around the project.
> >
> > I know not every project has this rule, but we, as a security project,
> have higher standards.
> >
> > VOTE:
> >
> > Motion: All committers committing code, and any non-committer code
> coming from any merge request, (OTHER THAN DEPENDENCIES) must be GPG signed
> by a GitHub verified key.
> >
> > The vote will be open for at least 72 hours.
> > [ ] +1 Approve the motion to make mandatory GPG signing of git commits
> > [ ] +0 No opinion
> > [ ] -1 Do not Approve
> >
> > If you vote not to approve, please state why. Or, start a discussion on
> why we shouldn’t do this given the upsides and low barrier for anyone to
> set up.
> >
> > Thanks
> > Brian
>
>

-- 
Life is a chess game - Anonymous.

