debian: Update debian/upstream/signing-key.asc #1299
This change is needed for debian packaging effort of latest release 0.17.0
theupdateframework#263

Because this key update is critical in the trust's chain,
may I request upstream to double check and acknowledge this change.

This key was obtained from WoT using:

    wget https://files.pythonhosted.org/packages/3a/7d/d1cadc8c68cdfe035412ca11a2fa3105a0a3fd18e4212053cf8f67bdd02a/tuf-0.17.0.tar.gz
    wget https://files.pythonhosted.org/packages/3a/7d/d1cadc8c68cdfe035412ca11a2fa3105a0a3fd18e4212053cf8f67bdd02a/tuf-0.17.0.tar.gz.asc
    gpg --verify tuf-0.17.0.tar.gz.asc
    gpg: assuming signed data in 'tuf-0.17.0.tar.gz'
    gpg: Signature made Thu 25 Feb 2021 12:42:50 PM CET
    gpg: using RSA key 08F3409FCF71D87E30FBD3C21671F65CB74832A4
    gpg: Can't check signature: No public key
    gpg --recv-key 08F3409FCF71D87E30FBD3C21671F65CB74832A4 \
        --keyserver hkp://keys.gnupg.net
    gpg --verify ../tuf-0.17.0.tar.gz.asc
    gpg --fingerprint 08F3409FCF71D87E30FBD3C21671F65CB74832A4
    # pub rsa3072 2020-03-17 [SC] [expires: 2030-03-15]
    # 08F3 409F CF71 D87E 30FB D3C2 1671 F65C B748 32A4
    # uid [ unknown] Joshua Lock (GPG on YubiKey) <[email protected]>
    # sub rsa3072 2020-03-17 [E] [expires: 2030-03-15]
    # sub rsa3072 2020-03-17 [A] [expires: 2030-03-15]
    gpg --armor --export 08F3409FCF71D87E30FBD3C21671F65CB74832A4 \
        > debian/upstream/signing-key.asc

Cc: Sebastien Awwad <[email protected] @awwad>
Cc: Lukas Puehringer <[email protected] @lukpueh>
Cc: Joshua Lock <[email protected] @joshuagl>
Relate-to: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#signing-key
Origin: https://github.com/CrossStream/tuf/tree/debian/master
Forwarded: theupdateframework#1299
Signed-off-by: Philippe Coval <[email protected]>
If you merge this change |
Thanks, @rzr!
FYI, I also checked that lintian wouldn't complain about public-upstream-key-not-minimal. Looks like --export-options export-minimal,export-clean don't change anything for this key.
LGTM!
Will rebase on top of 0.17.0 after merge.
Thx. Note that debian will use a different base from imported pypi package, https://bugs.debian.org/934151 Feel free to acknowledge the co-maintenance plan I proposed to Debian python team. Stay tuned at
FYI we publish all of our maintainer PGP fingerprints in the MAINTAINERS file https://github.com/theupdateframework/tuf/blob/develop/docs/MAINTAINERS.txt
ok, currently only 08F3409FCF71D87E30FBD3C21671F65CB74832A4 is used. Maybe I will sync/refresh/check this file to align to upcoming releases based on the MAINTAINERS file. I don't want to automate this too much until it lands in debian.
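A check of the kind discussed in the comments above, as an added example (not code from the TUF project or from the Debian packaging): it reads `gpg --show-keys --with-colons` output for the keyring on stdin and fails if any primary key in it has a fingerprint that is not pinned. The function names and the sample listing are constructed for illustration; only the pinned fingerprint comes from this thread.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample listing is constructed.
# Real use:
#   gpg --show-keys --with-colons debian/upstream/signing-key.asc |
#       check_keyring 08F3409FCF71D87E30FBD3C21671F65CB74832A4

# Constructed listing: dates and the subkey are made up; only the primary
# fingerprint is the one quoted in this thread.
SAMPLE_LISTING='pub:-:3072:1:1671F65CB74832A4:1584403200:1899936000::-:::scESC:
fpr:::::::::08F3409FCF71D87E30FBD3C21671F65CB74832A4:
uid:-::::1584403200::::Example UID (constructed):
sub:-:3072:1:AAAAAAAAAAAAAAAA:1584403200:1899936000:::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:'

# Print the fingerprint of every primary key in a colon listing (stdin).
# A "pub" record starts a primary key and the next "fpr" record carries its
# fingerprint in field 10; "fpr" records that follow "sub" are subkeys.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# check_keyring PINNED_FPR...   (colon listing on stdin)
# Returns 0 only if the listing has at least one primary key and every
# primary key is pinned; unpinned fingerprints are reported on stderr.
check_keyring() {
    found=$(primary_fingerprints)
    [ -n "$found" ] || { echo "no primary key found" >&2; return 2; }
    status=0
    for fpr in $found; do
        match=no
        for pinned in "$@"; do
            # Accept "08F3 409F ..." as printed by gpg --fingerprint.
            p=$(printf '%s' "$pinned" | tr -d ' ' | tr 'a-f' 'A-F')
            if [ "$fpr" = "$p" ]; then match=yes; fi
        done
        if [ "$match" = no ]; then
            echo "unpinned primary key: $fpr" >&2
            status=1
        fi
    done
    return $status
}
```

Pinning the full fingerprint matters here because `gpg --verify` accepts a signature from any key already in the keyring it is pointed at.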
This change is needed for debian packaging effort of latest release 0.17.0
#263
Because this key update is critical in the trust's chain,
may I request upstream to double check and acknowledge this change.
This key was obtained from WoT using:
wget https://files.pythonhosted.org/packages/3a/7d/d1cadc8c68cdfe035412ca11a2fa3105a0a3fd18e4212053cf8f67bdd02a/tuf-0.17.0.tar.gz
wget https://files.pythonhosted.org/packages/3a/7d/d1cadc8c68cdfe035412ca11a2fa3105a0a3fd18e4212053cf8f67bdd02a/tuf-0.17.0.tar.gz.asc
Cc: Sebastien Awwad <[email protected] @awwad>
Cc: Lukas Puehringer <[email protected] @lukpueh>
Cc: Joshua Lock <[email protected] @joshuagl>
Relate-to: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#signing-key
Origin: https://github.com/CrossStream/tuf/tree/debian/master
Forwarded: https://github.com/theupdateframework/tuf/pulls/rzr
Signed-off-by: Philippe Coval [email protected]