Closed
Bug 1314136
Opened 8 years ago
Closed 2 years ago
A Front Page for PGP Key
Categories
(Release Engineering :: Release Requests, defect, P5)
Tracking
(firefox96 fixed)
RESOLVED
FIXED
People
(Reporter: public, Assigned: jcristau)
Attachments
(1 file)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20161021084537

Steps to reproduce:
I want to procure the public key for "Mozilla Software Releases <release@mozilla.com>" which is used to sign releases.

Actual results:
I get the key from the keyservers after looking at the blog in the link below.
http://hearsum.ca/blog/mozilla-software-release-gpg-key-transition.html
I do not know if the blog is the most recent update on the matter. There is no official web page which says, *this* is the current correct PGP key which we are using. (If there is, I cannot easily find it.)

Expected results:
A page like the one given below.
https://www.mozilla.org/en-US/security/
The page should be linked on at least the main download page of the software, like https://nightly.mozilla.org/.
Comment 1•8 years ago
We publish the key with every release. For example, for 49.0.2 it's in https://archive.mozilla.org/pub/firefox/releases/49.0.2/KEY
Does it solve your issue?
Reporter
Comment 2•8 years ago
Unfortunately, no, since the key is not published with the nightly releases in the same manner.
https://archive.mozilla.org/pub/firefox/nightly/2016/10/2016-10-30-03-02-04-mozilla-central/
Comment 3•8 years ago
As a possible solution we can publish the key once in a while to https://archive.mozilla.org/pub/ or https://archive.mozilla.org/pub/firefox/
Aki, do you have any ideas here? Maybe we should publish the key next to the binaries? I'm not a big fan of poisoning the well :), but at least it'd be automated.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(aki)
Comment 4•8 years ago
Hm. Publishing the key next to the binaries is nicely automatable, and mirrors what we do for releases. It looks like we sign the key, which helps avoid a MitM publishing both a pubkey and a signed artifact. Ideally this is the same key used for all nightlies of that platform, and any change is accompanied by an announcement or blog post. I'm not sure where we would put the logic; maybe beetmover?
Flags: needinfo?(aki)
Updated•7 years ago
Priority: -- → P5
Comment 5•6 years ago
Bulk change of QA Contact to :jlund, per https://bugzilla.mozilla.org/show_bug.cgi?id=1428483
QA Contact: rail → jlund
Assignee
Comment 6•2 years ago
Bug 1713258 added KEY to the beetmover manifest, but it gets excluded from upstreamArtifacts in generate_beetmover_upstream_artifacts because it's not in the signing task's release-artifacts attribute, and so it doesn't actually work.
Updated•2 years ago
Assignee: nobody → jcristau
Status: NEW → ASSIGNED
Pushed by jcristau@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b11c0a93431b
ship PGP public key alongside nightly builds. r=releng-reviewers,aki DONTBUILD
Comment 8•2 years ago
bugherder
Assignee
Comment 9•2 years ago
The signing key for nightly is now at https://archive.mozilla.org/pub/firefox/nightly/latest-mozilla-central/KEY
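
Comment 4 raises the case of a MitM publishing both a pubkey and a signed artifact. The script below is an added example, not part of this bug or of Mozilla's tooling: it accepts a detached signature only when the signer's primary fingerprint equals one the user obtained from a channel other than the download host. The names `verify_pinned` and `make_signed_release`, the throwaway key and the file layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Accept a detached signature only if it is good AND the
# signer's primary key fingerprint equals one pinned from a separate channel.

# verify_pinned KEY_FILE ARTIFACT SIG_FILE PINNED_FPR  -> exit status 0 = accept
verify_pinned() (
    want=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')
    home=$(mktemp -d) || exit 2          # throwaway keyring, removed below
    rc=1
    # GOODSIG: signature checks out and key is not expired or revoked.
    # VALIDSIG: its last field is the primary key fingerprint of the signer.
    if gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null &&
       gpg --homedir "$home" --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null |
           awk -v want="$want" '
               $2 == "GOODSIG" { good = 1 }
               $2 == "VALIDSIG" && $NF == want { pinned = 1 }
               END { exit !(good && pinned) }'
    then
        rc=0
    fi
    rm -rf "$home"
    exit "$rc"
)

# make_signed_release DIR: constructed fixture (a throwaway key, not Mozilla's).
# Writes DIR/KEY, DIR/artifact, DIR/artifact.asc and prints the fingerprint.
make_signed_release() (
    dir=$1
    mkdir -p "$dir/gnupg" && chmod 700 "$dir/gnupg" || exit 1
    g() {
        gpg --homedir "$dir/gnupg" --batch --quiet \
            --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null
    }
    g --quick-generate-key "Constructed Key <test@example.invalid>" \
        ed25519 sign never || exit 1
    g --armor --export > "$dir/KEY"
    echo "constructed nightly payload" > "$dir/artifact"
    g --armor --detach-sign --output "$dir/artifact.asc" "$dir/artifact" || exit 1
    gpgconf --homedir "$dir/gnupg" --kill gpg-agent 2>/dev/null || true
    g --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }'
)
```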