Closed Bug 497690 Opened 15 years ago Closed 15 years ago

Renew GPG key before it expires

Categories

(Release Engineering :: General, defect, P2)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: joduinn, Assigned: joduinn)

Attachments

(1 file)

During FF3.0.11 release, catlee noticed this GPG key will expire in July (16th?). We need to renew the key before it expires.
Got sidetracked with FF3.5.0 and Q2/Q3 goals. Suddenly it's now 08 July. Bumping priority.
Priority: -- → P2
Found bug#377781, where I did this two years ago, last time the key expired.
FYI:
According to http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.5.1-candidates/build1/KEY, it does expire on the 16th.

I just finished signing 3.5.1 so we made the cutoff there.
(In reply to comment #3)
> FYI:
> According to
> http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.5.1-candidates/build1/KEY,
> it does expire on the 16th.
> 
> I just finished signing 3.5.1 so we made the cutoff there.

....so we *just* made the cutoff! Phew! Thanks Ben.
dveditz and I looked over this together in person, but posting here for the record.
New private key now on signing machine, Lukas is trying it now. Stay tuned.

Meanwhile, should I check in this new public key into the repo, just like we did for bug#377781? Or has this now moved to a new hg-based location?
(In reply to comment #6)
> [...]
> Meanwhile, should I check in this new public key into the repo, just like we did
> for bug#377781? Or has this now moved to a new hg-based location?

That's a very good question, and one I am asking similarly for the new comm-central signing keys in bug 499709 comment #1. Any insight/opinions would be most welcome as to where a good place would be to stick these trusted public keys.
nthomas did an additional manual test, which looks good too:

-bash-3.00$ gpg --verify firefox-3.0.12.tar.bz2.asc firefox-3.0.12.tar.bz2
gpg: Signature made Mon 20 Jul 2009 05:53:54 PM PDT using DSA key ID 17785FE8
gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
gpg: checking the trustdb
gpg: checking at depth 0 signed=1 ot(-/q/n/m/f/u)=0/0/0/0/0/3
gpg: checking at depth 1 signed=0 ot(-/q/n/m/f/u)=1/0/0/0/0/0
gpg: next trustdb check due at 2011-07-20
(In reply to comment #6)
> Meanwhile, should I check in this new public key into the repo, just like we did
> for bug#377781? Or has this now moved to a new hg-based location?

CVS mofo is still the right place for this.
Attachment #389589 - Flags: checked‑in+
Comment on attachment 389589
new public key with added header text

Updated the public key in the mofo repo.
We used this new key on FF3.0.12, which we shipped yesterday. Now tidying up bugs.

Posted renewed public key, and verified, on:
pgp.mit.edu
pgpkeys.mit.edu

Skipped the following keymasters because of errors:
keyserver.veridis.com redirects to keyserver.veridis.com:11371/disabled.jsp.
wwwkeys.pgp.net redirects to http://wwwkeys.pgp.net/apache2-default.

That's it for another 2 years, so closing.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Product: mozilla.org → Release Engineering
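
Added example, not part of the bug thread or of Mozilla's release tooling: the renewal above was noticed only days before expiry, so a scheduled check over `gpg --list-keys --with-colons --fixed-list-mode` output can flag a signing key well ahead of time. The function names, key IDs and dates below are constructed, and the expiry field is assumed to be an epoch timestamp.

```shell
#!/bin/sh
# Added example: flag OpenPGP keys that are expired or close to expiry.
# Reads `gpg --list-keys --with-colons --fixed-list-mode` output on stdin.
# Assumption: field 7 (expiry) is seconds since the epoch, as GnuPG 2.x prints it.

# check_key_expiry NOW_EPOCH WARN_DAYS
# Prints "STATUS KEYID DAYS_LEFT" for each primary key and subkey.
# Exit status is 1 if any key is EXPIRED, EXPIRING or UNKNOWN, else 0.
check_key_expiry() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 == "pub" || $1 == "sub" {
            keyid = $5; expiry = $7
            if (expiry == "") { print "OK", keyid, "never"; next }
            if (expiry !~ /^[0-9]+$/) {      # not an epoch value: do not guess
                print "UNKNOWN", keyid, expiry; bad = 1; next
            }
            left = (expiry + 0) - (now + 0)  # seconds until expiry
            days = int(left / 86400)
            if (left <= 0)                 { status = "EXPIRED";  bad = 1 }
            else if (left <= warn * 86400) { status = "EXPIRING"; bad = 1 }
            else                           { status = "OK" }
            print status, keyid, days
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample listing (key IDs, dates and user ID are made up).
sample_listing() {
    cat <<'EOF'
pub:u:1024:17:AAAAAAAAAAAAAAA1:1184544000:1247702400::u:::scESC:
uid:u::::1184544000::0000000000000000000000000000000000000000::Example Releases (constructed):
sub:u:2048:16:AAAAAAAAAAAAAAA2:1184544000:1246924800:::::e:
pub:u:4096:1:BBBBBBBBBBBBBBB1:1184544000:::u:::scESC:
pub:u:4096:1:CCCCCCCCCCCCCCC1:1184544000:1310083200::u:::scESC:
EOF
}

# Demo: "now" is fixed so the output is reproducible; warn 30 days ahead.
sample_listing | check_key_expiry 1247011200 30 || echo "renewal needed"
```

In a cron job, pass `$(date +%s)` as the first argument and alert on a non-zero exit status.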