Posted to notifications@logging.apache.org by "liutikas (via GitHub)" <gi...@apache.org> on 2023/08/25 18:46:13 UTC

[I] Keep consistent signing key for releases (logging-log4j2)

liutikas opened a new issue, #1734:
URL: https://github.com/apache/logging-log4j2/issues/1734

   `org.apache.logging` maven group has had at least 3 signing keys:
   - https://keyserver.ubuntu.com/pks/lookup?search=0x9d0a56aaa0d60e0c0c7dccc0b4c70893b62babe8&fingerprint=on&op=index
   - https://keyserver.ubuntu.com/pks/lookup?search=0xca62ed130e4053944406df640181b45ea58677bc&fingerprint=on&op=index
   - https://keyserver.ubuntu.com/pks/lookup?search=0x8378bfaad82fe5aa602ac356031ee010ca15d1ee&fingerprint=on&op=index
   
   They all seem to belong to mattsicker@apache.org
   
   It would be great if the key would not change from version to version, as that means we have to keep updating our allowlist when we do signature validation.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@logging.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Re: [I] Keep consistent signing key for releases (logging-log4j2)

Posted by "vy (via GitHub)" <gi...@apache.org>.
vy closed issue #1734: Keep consistent signing key for releases
URL: https://github.com/apache/logging-log4j2/issues/1734




Re: [I] Keep consistent signing key for releases (logging-log4j2)

Posted by "ppkarwasz (via GitHub)" <gi...@apache.org>.
ppkarwasz commented on issue #1734:
URL: https://github.com/apache/logging-log4j2/issues/1734#issuecomment-1693840593

   @liutikas,
   
   You can find all our keys on: https://dist.apache.org/repos/dist/release/logging/KEYS
   All these people are allowed to prepare and sign a release. The redundancy is for security reasons: if a committer is not available to perform a release, another one can do it.
   
   @jvz has two main keys:
    * a 4096 bit RSA key with fingerprint `748F 15B2 CF9B A8F0 2415  5E6E D7C9 2B70 FA1C 814D`,
    * an Ed25519 key with fingerprint `8378 BFAA D82F E5AA 602A  C356 031E E010 CA15 D1EE`
   
   You should trust these keys and **all** the signing subkeys present or future signed by these keys.




Re: [I] Keep consistent signing key for releases (logging-log4j2)

Posted by "vy (via GitHub)" <gi...@apache.org>.
vy commented on issue #1734:
URL: https://github.com/apache/logging-log4j2/issues/1734#issuecomment-1694219368

   @ppkarwasz is right. The good news is, we are actively working on migrating all Log4j et al. releases to CI (GitHub Actions) and there the signing operation will always be performed using the very same key: the one associated with `private@logging.apache.org` in [KEYS](https://dist.apache.org/repos/dist/release/logging/KEYS).
   
   Note that even in the best case – i.e., one key is used always, everywhere – the key might get compromised. That would require us to revoke the key, remove it from `KEYS`, and place there a new one. Hence the reality doesn't give much room for one key to rule them all.

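As an added example (not Log4j project tooling and not code from anyone in this thread), a POSIX shell check that follows the two comments above: allowlist the primary-key fingerprints ppkarwasz listed, accept any present or future signing subkey of those keys, and reject a signature made with a key the project has since revoked, the case vy raises. It assumes gpg 2.x on PATH and takes the artifact, its detached `.asc` signature and a downloaded `KEYS` file as arguments.

```shell
# Added example, not project code: verify an Apache release artifact against
# the KEYS file, then accept it only if the PRIMARY key behind the signing
# (sub)key is allowlisted. Assumes gpg 2.x; arguments are artifact, .asc, KEYS.
set -eu

# Primary-key fingerprints to trust (the two listed for @jvz in the thread).
# Any current or future signing subkey of these keys is accepted automatically,
# because the check matches on the primary key, not on the subkey.
ALLOWED_PRIMARY_FPRS="748F15B2CF9BA8F024155E6ED7C92B70FA1C814D 8378BFAAD82FE5AA602AC356031EE010CA15D1EE"

# Parse gpg --status-fd output. Print the primary-key fingerprint of the signer
# only when the signature is GOODSIG and VALIDSIG. A revoked key yields REVKEYSIG
# and an expired one EXPKEYSIG instead of GOODSIG, so those are rejected here.
# VALIDSIG's last field is the primary fingerprint even for subkey signatures.
primary_fpr_from_status() {
  good=0; primary=""
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] GOODSIG "*) good=1 ;;
      "[GNUPG:] VALIDSIG "*) primary="${line##* }" ;;
    esac
  done <<EOF
$1
EOF
  [ "$good" -eq 1 ] && [ -n "$primary" ] || return 1
  printf '%s\n' "$primary"
}

# Exit 0 if the given primary fingerprint is in the allowlist, 1 otherwise.
is_allowed_primary() {
  for fpr in $ALLOWED_PRIMARY_FPRS; do
    [ "$fpr" = "$1" ] && return 0
  done
  return 1
}

# Full check: import KEYS into a throwaway keyring, verify, then allowlist.
verify_release() {
  artifact="$1"; sig="$2"; keys="$3"
  home="$(mktemp -d)"
  gpg --homedir "$home" --batch --quiet --import "$keys"
  # gpg exits non-zero on a bad signature; we still want its status lines.
  status="$(gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null || true)"
  rm -rf "$home"
  primary="$(primary_fpr_from_status "$status")" || { echo "signature not GOOD/VALID" >&2; return 1; }
  is_allowed_primary "$primary" || { echo "primary key $primary not allowlisted" >&2; return 1; }
  echo "OK: signed under allowlisted primary key $primary"
}
```

Usage: `verify_release apache-log4j-X.Y.Z-bin.zip apache-log4j-X.Y.Z-bin.zip.asc KEYS`; a key rotation inside the same primary key needs no allowlist change, while a new primary key (or a revoked one) does.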



Re: [I] Keep consistent signing key for releases (logging-log4j2)

Posted by "vy (via GitHub)" <gi...@apache.org>.
vy commented on issue #1734:
URL: https://github.com/apache/logging-log4j2/issues/1734#issuecomment-1694220374

   I am closing this ticket, since this is [how ASF releases operate](https://infra.apache.org/release-signing.html). @liutikas, if you disagree and have a proposal on how to improve this, feel free to reopen the ticket.

