-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document pgp artifact signing keys #3085
Conversation
WalkthroughThe recent updates focus on enhancing security measures by documenting PGP artifact signing keys, improving concurrency handling by transitioning from Changes
Assessment against linked issues
Poem
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (invoked as PR comments)
Additionally, you can add CodeRabbit Configration File (
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Review Status
Actionable comments generated: 0
Configuration used: CodeRabbit UI
Files selected for processing (2)
- CHANGES.txt (1 hunks)
- KEYS (1 hunks)
Files not reviewed due to errors (1)
- (no review received)
Additional comments: 1
KEYS (1)
- 1-37: The PGP public key block addition looks good and aligns with the objectives of enhancing supply chain security by enabling developers to verify the PGP signatures of downloaded artifacts. It's important to ensure that the key's authenticity has been verified and that it's the correct key for Krishnan Mahadevan. Additionally, consider providing guidance on how developers can use this key for verification purposes in the documentation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Review Status
Actionable comments generated: 1
Configuration used: CodeRabbit UI
Files selected for processing (3)
- CHANGES.txt (1 hunks)
- KEYS (1 hunks)
- README.md (1 hunks)
Files skipped from review as they are similar to previous changes (2)
- CHANGES.txt
- KEYS
README.md
Outdated
### Verifying the signature | ||
|
||
1. Download the `.asc` file from `https://repo1.maven.org/maven2/org/testng/testng/<versionGoesHere>` | ||
2. Run the command `gpg --verify testng-7.9.0.jar.asc testng-7.9.0.jar` | ||
3. You should see an output as below: | ||
|
||
```bash | ||
gpg: Signature made Tue Dec 26 15:06:16 2023 IST | ||
gpg: using RSA key 0F13D5631D6AF36D | ||
gpg: Good signature from "Krishnan Mahadevan (krmahadevan-key) <[email protected]>" [unknown] | ||
gpg: WARNING: This key is not certified with a trusted signature! | ||
gpg: There is no indication that the signature belongs to the owner. | ||
Primary key fingerprint: C4F5 4D86 22C9 5CC3 F098 721A 0F13 D563 1D6A F36D | ||
``` | ||
|
||
For more details regarding keys please refer [here](https://infra.apache.org/release-signing.html#verifying-signature) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The instructions for verifying the signature using GPG are clear and straightforward. However, there are a couple of areas that could be improved for clarity and completeness:
-
Version Placeholder Clarification: In line 59,
<versionGoesHere>
is used as a placeholder for the version number. It might be helpful to explicitly mention that users should replace this placeholder with the specific version of TestNG they are verifying. -
Generalization of Command: The command in line 60 is specific to version
7.9.0
. It would be beneficial to generalize this command to match the version placeholder mentioned earlier, such asgpg --verify testng-<versionGoesHere>.jar.asc testng-<versionGoesHere>.jar
. -
Trust Level of the Key: The warning in lines 67-68 about the key not being certified with a trusted signature is important. It might be useful to add a brief explanation or recommendation on how users can proceed if they encounter this warning. For example, guiding them to verify the key's fingerprint against a trusted source or how to establish trust in the key.
-
External Link Accessibility: The link provided in line 72 directs users to more details regarding key verification. It's good practice to ensure that this link is accessible and provides relevant and up-to-date information. If the link is subject to change, consider hosting the relevant information directly within the project's documentation to maintain control over its availability and accuracy.
Consider making these improvements to enhance the clarity and usefulness of the signature verification instructions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some good advices.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@juherr: Thank you for considering the suggestions! If you have any questions or need further assistance while implementing these improvements, feel free to ask. Your efforts to enhance the project's documentation are greatly appreciated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@juherr - I have addressed these observations. Can you please help check ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Review Status
Actionable comments generated: 0
Configuration used: CodeRabbit UI
Files selected for processing (3)
- CHANGES.txt (1 hunks)
- KEYS (1 hunks)
- README.md (1 hunks)
Files skipped from review as they are similar to previous changes (3)
- CHANGES.txt
- KEYS
- README.md
Closes #3084
Fixes #3084 .
Did you remember to?
CHANGES.txt
./gradlew autostyleApply
We encourage pull requests that:
If your pull request involves fixing SonarQube issues then we would suggest that you please discuss this with the
TestNG-dev before you spend time working on it.
Note: For more information on contribution guidelines please make sure you refer our Contributing section for detailed set of steps.
Summary by CodeRabbit
KEYS
containing a PGP public key block for Krishnan Mahadevan, enabling secure communication and verification.DataProvider
behavior to align with TestNG 6.x when retrying tests.synchronized
withReentrantLock
for improved concurrency control.IExecutorFactory
.