Closed Bug 499709 Opened 16 years ago Closed 16 years ago

Setup GPG signing infrastructure

Categories

(Mozilla Messaging Graveyard :: Release Engineering, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gozer, Unassigned)

Attachments

(1 file)

We've got the hardware working, all that's left is to create the final signing keys, get them published and test that the existing signing automation will work.
A detail, but an important one. Each release gets a top-level KEY file that lists the keys used to sign these builds, for example, see: <http://releases.mozilla.org/pub/mozilla.org/thunderbird/releases/3.0b2/KEY>

This KEY file currently lives in the mofo CVS right now. We'll be generating new signing keys for ourselves, so the question I am trying to get answered is where should we stick the new KEYS in source-control?

In my opinion, it makes sense to stick it in comm-central somewhere, but not sure where or what folks think

comm-central/release/THUNDERBIRD-KEYS
comm-central/release/SEAMONKEY-KEYS
...

For an example off the top of my head
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Master top-level keys have been generated and published to key servers.
Feel free to sign them if you are so enclined and trust me.

<http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x3AD1D2564E759E30>

pub 1024R/0x3AD1D2564E759E30 2009-07-14
    Key fingerprint = 7F28 F05C 6544 62F2 8EF7 FA98 3AD1 D256 4E75 9E30
uid Mozilla Messaging Inc. (Certification Authority) <ca@mozillamessaging.com>
sub 1024R/0x72B908507B845F61 2009-07-14
sub 1024R/0xDD8E19DFCEAE3B78 2009-07-14

<http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x517613305F159F52>

pub 1024R/0x517613305F159F52 2009-07-14
    Key fingerprint = 4C9D F9D2 EAF7 866C 0143 22C0 5176 1330 5F15 9F52
uid Mozilla Messaging Inc. (Certification Authority) <ca@mozillamessaging.com>
sub 1024R/0x19420345F3EA3971 2009-07-14
sub 1024R/0x5E1A6E02FC9A5F52 2009-07-14

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKXfUqyzKhB4jDpaURAgzEAJ0UySjQDUy0mkKeknYw1oIGEZmscQCfcqle
GRLMJGVgnWNLoGMDEehOVWI=
=w4mP
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Code Signing keys have been generated and published to key servers.
Feel free to sign them if you are so enclined and trust me.

<http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xF2033E1BB47C54E5>

pub 1024R/0xF2033E1BB47C54E5 2009-07-15 [expires: 2011-07-15]
    Key fingerprint = 2DC0 665A 5D99 4BE4 9E9E 7463 F203 3E1B B47C 54E5
uid Mozilla Messaging Inc. (Code Signing) <build@mozillamessaging.com>
sub 1024R/0x68695B6B06A45EAE 2009-07-15 [expires: 2011-07-15]
sub 1024R/0x8B1600D8F37D122A 2009-07-15 [expires: 2011-07-15]

<http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xF8898FEF6CE2996F>

pub 1024R/0xF8898FEF6CE2996F 2009-07-15 [expires: 2011-07-15]
    Key fingerprint = 6536 CB42 CC17 66D6 B8C6 92B4 F889 8FEF 6CE2 996F
uid Mozilla Messaging Inc. (Code Signing) <build@mozillamessaging.com>
sub 1024R/0xE950F40067DDABB3 2009-07-15 [expires: 2011-07-15]
sub 1024R/0x061AF0EC46636259 2009-07-15 [expires: 2011-07-15]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKXiGbyzKhB4jDpaURAs5uAJ9XiNug2ePC8K99MOoLyoFymFs9PQCfT+oi
V17TWLSfbUbcMH2Lzl5fddA=
=Op5X
-----END PGP SIGNATURE-----
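
Added example, not part of the original bug comments or of the project's tooling: a Python check a recipient of key announcements like the two above could run before trusting a key. It parses the listing layout shown in those comments and confirms that each primary key's long key ID matches the tail of its fingerprint and that the fingerprint is pinned. The function names, the pinned set and the 2048-bit RSA minimum are assumptions made for this example.

```python
import re

# Constructed sample in the listing layout used in the comments above. The first
# entry is copied from this page; the second is made up and self-inconsistent.
SAMPLE = """\
pub 1024R/0xF2033E1BB47C54E5 2009-07-15 [expires: 2011-07-15]
Key fingerprint = 2DC0 665A 5D99 4BE4 9E9E 7463 F203 3E1B B47C 54E5
uid Mozilla Messaging Inc. (Code Signing) <build@mozillamessaging.com>
sub 1024R/0x68695B6B06A45EAE 2009-07-15 [expires: 2011-07-15]
pub 2048R/0x0123456789ABCDEF 2009-07-15
Key fingerprint = AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA
uid Example Signer (constructed) <signer@example.invalid>
"""
# Assumption: fingerprints the verifier pinned after checking them out of band.
PINNED = {"2DC0665A5D994BE49E9E7463F2033E1BB47C54E5"}

PUB = re.compile(r"^pub\s+(\d+)([A-Za-z])/0x([0-9A-F]{16})\s+(\d{4}-\d\d-\d\d)"
                 r"(?:\s+\[expires: (\d{4}-\d\d-\d\d)\])?")
FPR = re.compile(r"^\s*Key fingerprint = ([0-9A-F ]+)$")

def parse_listing(text):
    """Return one dict per primary (pub) key; sub and uid lines are skipped."""
    keys = []
    for line in text.splitlines():
        m = PUB.match(line)
        if m:
            keys.append({"bits": int(m[1]), "algo": m[2], "keyid": m[3],
                         "created": m[4], "expires": m[5], "fpr": None})
            continue
        m = FPR.match(line.rstrip())
        if m and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = m[1].replace(" ", "")
    return keys

def audit(key, pinned=PINNED, min_rsa_bits=2048):
    """Return reasons to reject the key; an empty list means every check passed."""
    problems = []
    fpr = key["fpr"] or ""
    if len(fpr) != 40:
        problems.append("missing or malformed v4 fingerprint")
    elif not fpr.endswith(key["keyid"]):
        # A v4 long key ID is the low 64 bits of the fingerprint.
        problems.append("key ID does not match fingerprint")
    if fpr not in pinned:
        problems.append("fingerprint not in pinned set")
    if key["algo"] == "R" and key["bits"] < min_rsa_bits:  # "R" marks RSA
        problems.append(f"RSA {key['bits']} below {min_rsa_bits}-bit policy")
    return problems
```

Calling `audit(k)` for each entry returned by `parse_listing(SAMPLE)` gives the list of reasons to reject that key.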
bhearsum on irc suggested: mail/build/...
For lack of a better suggestion, I am going ahead with bhearsum's suggestion and sticking the public GPG keys in mail/build/KEY. This might be eventually used by the release automation stuff, but I mainly want to make sure we have the public keys themselves in comm-central alongside the code first.
Attachment #391665 - Flags: review?(bugzilla)
Attachment #391665 - Flags: review?(bugzilla) → review+
Attachment #391665 - Attachment description: Put public GPG signing keys in [comm-central]/mail/build/KEY → [checked in] Put public GPG signing keys in [comm-central]/mail/build/KEY
Comment on attachment 391665
[checked in] Put public GPG signing keys in [comm-central]/mail/build/KEY

changeset: 3199:0e3b947a90c6
tag: tip
user: Philippe M. Chiasson <gozer@mozillamessaging.com>
date: Thu Jul 30 16:30:39 2009 -0400
summary: Bug 499709. Record our new, GPG public keys for build signing. r=Standard8
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Shouldn't we also have one for security emails (like Apple does) - or one like Mozilla has for encrypted communication (security@mozilla.com/mozillamessaging.com)?
(In reply to comment #7)
> Shouldn't we also have one for security emails (like Apple does) - or one like
> Mozilla has for encrypted communication
> (security@mozilla.com/mozillamessaging.com)?

Yes, a very good idea indeed!