[1.1] release: add runc.keyring file #3838
Merged
Commits on Apr 22, 2023
-
release: add runc.keyring file and script
In order to allow any of the maintainers to cut releases for runc, create a keyring file that distributions can use to verify that releases are signed by one of the maintainers. The format matches the gpg-offline format used by openSUSE packaging, but it can be easily imported with "gpg --import" so any distribution should be able to handle this keyring format wtihout issues. Each key includes the GitHub handle of the associated user. There isn't any way for this information to be automatically verified (outside of using something like keybase.io) but since all changes of this file need to be approved by maintainers this is okay for now. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
-
scripts: release: add verification checks for signing keys
We need to make sure the release is being signed by a key that is actually listed as a trusted signing key, and we also need to ask the person cutting the release whether the list of trusted keys is acceptable. Also add some verification checks after a release is signed to make sure everything was signed with the correct keys. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
-
keyring: verify runc.keyring has legitimate maintainer keys
These checks ensure that all of the keys in the runc.keyring list are actually the keys of the specified user and that the users themselves are actually maintainers. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
-
keyring: add Aleksa's <asarai@suse.com> signing key
keyid 5F36C6C61B5460124A75F5A69E18AA267DDB8DB4 This is the signing key I have used for all previous runc releases. You can also verify that this is the key trusted by openSUSE for all of our releases. Ref: https://keyserver.ubuntu.com/pks/lookup?search=5F36C6C61B5460124A75F5A69E18AA267DDB8DB4&fingerprint=on&op=index Ref: https://build.opensuse.org/package/view_file/openSUSE:Factory/runc/runc.keyring?expand=1&rev=54 Signed-off-by: Aleksa Sarai <asarai@suse.de>
-
keyring: add Aleksa's <cyphar@cyphar.com> signing key
keyid C9C370B246B09F6DBCFC744C34401015D1D2D386 This is my personal signing key, which I've used to sign the vast majority of my commits on GitHub. While I usually sign releases using my <asarai@suse.de> signing key, it doesn't hurt to include this key too. Ref: https://keyserver.ubuntu.com/pks/lookup?search=C9C370B246B09F6DBCFC744C34401015D1D2D386&fingerprint=on&op=index Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
-
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Commits on Apr 25, 2023
-
scripts: keyring validate: print some more information
Add a little bit more diagnostic information to "make validate-keyring". Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
-
runc.keyring: add Akihiro Suda
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.