Closed Bug 499709 Opened 15 years ago Closed 15 years ago

Setup GPG signing infrastructure

Categories

(Mozilla Messaging Graveyard :: Release Engineering, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gozer, Unassigned)

Attachments

(1 file)

We've got the hardware working, all that's left is to create the final signing keys, get them published and test that the existing signing automation will work.
A detail, but an important one.

Each release gets a top-level KEY file that lists the keys used to sign these builds, for example, see:

<http://releases.mozilla.org/pub/mozilla.org/thunderbird/releases/3.0b2/KEY>

This KEY file currently lives in the mofo CVS right now.

We'll be generating new signing keys for ourselves, so the question I am trying to get answered is where should we stick the new KEYS in source-control?

In my opinion, it makes sense to stick it in comm-central somewhere, but I'm not sure where, or what folks think

comm-central/release/THUNDERBIRD-KEYS
comm-central/release/SEAMONKEY-KEYS
...

For an example off the top of my head
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Master top-level keys have been generated and published to key servers.
Feel free to sign them if you are so inclined and trust me.

<http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x3AD1D2564E759E30>
pub   1024R/0x3AD1D2564E759E30 2009-07-14
      Key fingerprint = 7F28 F05C 6544 62F2 8EF7  FA98 3AD1 D256 4E75 9E30
uid   Mozilla Messaging Inc. (Certification Authority) <ca@mozillamessaging.com>
sub   1024R/0x72B908507B845F61 2009-07-14
sub   1024R/0xDD8E19DFCEAE3B78 2009-07-14

<http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x517613305F159F52>
pub   1024R/0x517613305F159F52 2009-07-14
      Key fingerprint = 4C9D F9D2 EAF7 866C 0143  22C0 5176 1330 5F15 9F52
uid   Mozilla Messaging Inc. (Certification Authority) <ca@mozillamessaging.com>
sub   1024R/0x19420345F3EA3971 2009-07-14
sub   1024R/0x5E1A6E02FC9A5F52 2009-07-14
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKXfUqyzKhB4jDpaURAgzEAJ0UySjQDUy0mkKeknYw1oIGEZmscQCfcqle
GRLMJGVgnWNLoGMDEehOVWI=
=w4mP
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Code Signing keys have been generated and published to key servers.
Feel free to sign them if you are so inclined and trust me.

<http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xF2033E1BB47C54E5>
pub   1024R/0xF2033E1BB47C54E5 2009-07-15 [expires: 2011-07-15]
      Key fingerprint = 2DC0 665A 5D99 4BE4 9E9E  7463 F203 3E1B B47C 54E5
uid   Mozilla Messaging Inc. (Code Signing) <build@mozillamessaging.com>
sub   1024R/0x68695B6B06A45EAE 2009-07-15 [expires: 2011-07-15]
sub   1024R/0x8B1600D8F37D122A 2009-07-15 [expires: 2011-07-15]

<http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xF8898FEF6CE2996F>
pub   1024R/0xF8898FEF6CE2996F 2009-07-15 [expires: 2011-07-15]
      Key fingerprint = 6536 CB42 CC17 66D6 B8C6  92B4 F889 8FEF 6CE2 996F
uid   Mozilla Messaging Inc. (Code Signing) <build@mozillamessaging.com>
sub   1024R/0xE950F40067DDABB3 2009-07-15 [expires: 2011-07-15]
sub   1024R/0x061AF0EC46636259 2009-07-15 [expires: 2011-07-15]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKXiGbyzKhB4jDpaURAs5uAJ9XiNug2ePC8K99MOoLyoFymFs9PQCfT+oi
V17TWLSfbUbcMH2Lzl5fddA=
=Op5X
-----END PGP SIGNATURE-----
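As an added example (not from this bug, and not Mozilla Messaging's own tooling): a small Python check that a key announcement like the listings posted above is internally consistent before anyone signs or trusts it. It verifies that the long key ID is the last 16 hex digits of the fingerprint, that the key is not expired on the verification date, and that a uid names the expected signing address; the embedded listing is the Code Signing listing from this bug, while the minimum key size and the verification dates are assumptions.

```python
import re
from datetime import date

# The "gpg --list-keys" style listing for the two Code Signing keys as posted in this bug.
ANNOUNCEMENT = """\
pub   1024R/0xF2033E1BB47C54E5 2009-07-15 [expires: 2011-07-15]
      Key fingerprint = 2DC0 665A 5D99 4BE4 9E9E  7463 F203 3E1B B47C 54E5
uid   Mozilla Messaging Inc. (Code Signing) <build@mozillamessaging.com>
sub   1024R/0x68695B6B06A45EAE 2009-07-15 [expires: 2011-07-15]
sub   1024R/0x8B1600D8F37D122A 2009-07-15 [expires: 2011-07-15]

pub   1024R/0xF8898FEF6CE2996F 2009-07-15 [expires: 2011-07-15]
      Key fingerprint = 6536 CB42 CC17 66D6 B8C6  92B4 F889 8FEF 6CE2 996F
uid   Mozilla Messaging Inc. (Code Signing) <build@mozillamessaging.com>
sub   1024R/0xE950F40067DDABB3 2009-07-15 [expires: 2011-07-15]
sub   1024R/0x061AF0EC46636259 2009-07-15 [expires: 2011-07-15]
"""

PUB_RE = re.compile(r"^pub\s+(\d+)([A-Za-z])/0x([0-9A-F]{16})\s+(\d{4}-\d{2}-\d{2})"
                    r"(?:\s+\[expires: (\d{4}-\d{2}-\d{2})\])?")
FPR_RE = re.compile(r"^\s+Key fingerprint = ([0-9A-F ]+)$")
UID_RE = re.compile(r"^uid\s+(.*)$")

def parse_listing(text):
    """Turn the pub/fingerprint/uid lines of a gpg listing into a list of dicts."""
    keys = []
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            keys.append({"bits": int(m.group(1)), "algo": m.group(2), "keyid": m.group(3),
                         "created": date.fromisoformat(m.group(4)),
                         "expires": date.fromisoformat(m.group(5)) if m.group(5) else None,
                         "fingerprint": None, "uids": []})
        elif keys and FPR_RE.match(line):
            keys[-1]["fingerprint"] = FPR_RE.match(line).group(1).replace(" ", "")
        elif keys and UID_RE.match(line):
            keys[-1]["uids"].append(UID_RE.match(line).group(1))
    return keys

def check_key(key, today, expected_uid="build@mozillamessaging.com", min_bits=2048):
    """Return a list of problems; an empty list means the key passes the checks.
    min_bits=2048 is an assumed present-day floor, not a value from the bug."""
    problems = []
    if key["fingerprint"] is None:
        problems.append("no fingerprint")
    elif key["fingerprint"][-16:] != key["keyid"]:  # long key ID is the fingerprint's tail
        problems.append("key ID does not match fingerprint")
    if key["expires"] is not None and key["expires"] < today:
        problems.append("expired %s" % key["expires"].isoformat())
    if key["bits"] < min_bits:
        problems.append("%d-bit key is below %d bits" % (key["bits"], min_bits))
    if not any(expected_uid in u for u in key["uids"]):
        problems.append("no uid for " + expected_uid)
    return problems
```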
bhearsum on irc suggested:

mail/build/...
For lack of a better suggestion, I am going ahead with bhearsum's suggestion and sticking the public GPG keys in mail/build/KEY

This might be eventually used by the release automation stuff, but I mainly want to make sure we have the public keys themselves in comm-central alongside the code first.
Attachment #391665 - Flags: review?(bugzilla)
Attachment #391665 - Flags: review?(bugzilla) → review+
Attachment #391665 - Attachment description: Put public GPG signing keys in [comm-central]/mail/build/KEY → [checked in] Put public GPG signing keys in [comm-central]/mail/build/KEY
Comment on attachment 391665 [details] [diff] [review]
[checked in] Put public GPG signing keys in [comm-central]/mail/build/KEY

changeset:   3199:0e3b947a90c6
tag:         tip
user:        Philippe M. Chiasson <gozer@mozillamessaging.com>
date:        Thu Jul 30 16:30:39 2009 -0400
summary:     Bug 499709. Record our new, GPG public keys for build signing. r=Standard8
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Shouldn't we also have one for security emails (like apple does) - or one like mozilla has for encrypted communication (security@mozilla.com/mozillamessaging.com) ?
(In reply to comment #7)
> Shouldn't we also have one for security emails (like apple does) - or one like
> mozilla has for encrypted communication
> (security@mozilla.com/mozillamessaging.com) ?

Yes, a very good idea indeed!
