[CPR-381] PGP key changed? Created: 2016/09/26 Updated: 2017/12/28 Resolved: 2017/12/28
|Project:||Community Package Repository|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
Hi, your public PGP key in http://apt.puppetlabs.com/pubkey.gpg has changed but I cannot find any confirmation that this is an authorized and valid change. I see no announcement, and all documentation I can find on the website mentions the (short) fingerprint of your previous key: 4BD6EC30.
|Comment by Melissa Stone [ 2016/09/27 ]|
Hello Robert Scheer,
Yes, we've changed our key. We did our best to be as transparent about the process as possible. You can find a detailed description here.
We've also updated our docs site to reference the new key. That page is at https://docs.puppet.com/puppet/4.6/reference/puppet_collections.html#manual-verification.
Let us know if you have further questions.
|Comment by Robert Scheer [ 2016/09/28 ]|
Thank you Melissa Stone. That Google (or Usenet?) group post is quite hard to find if you don't know or remember that you use that channel for your official announcements. I spent quite some time to find evidence that the change was legit: using Google web search I could find no reference to this post. Then I took a step back and tried to find other announcements from puppetlabs, which led me to puppet.com/company/press-room/ , but no reference to pgp-keys.
|Comment by Michael Stahnke [ 2016/09/28 ]|
We have an -announce list where this change was also broadcast. I know it didn't reach everybody. What channels would you recommend we invoke here? We're unsure how to reach all users.
You're also able to verify on pgp.mit.edu.
You'll see the new key is signed by several Puppet employees who do release engineering tasks.
|Comment by Robert Scheer [ 2016/09/29 ]|
Thanks for the info. I see now that I got no hits in search engines because I was not looking for puppet announce but puppetlabs announce. And it would certainly help to mention your announcement channel (more prominently) on the website.
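The two checks discussed in this thread (comparing the downloaded key against a published fingerprint, and looking at who signed the new key) can be scripted. The sketch below is an added example, not code from Puppet or from anyone in the thread. It assumes its input is the output of `gpg --check-sigs --with-colons` for a v4 key, and every fingerprint, key ID and name in it is constructed.

```python
import re

# Constructed `gpg --check-sigs --with-colons` style listing; every value is made up.
SAMPLE = """\
pub:-:4096:1:7777888899990000:1470000000:::-:::scESC:
fpr:::::::::1111222233334444555566667777888899990000:
uid:-::::1470000000::::Example Release Key <release@example.invalid>:
sig:!::1:7777888899990000:1470000000::::Example Release Key:13x:
sig:!::1:AAAABBBBCCCCDDDD:1470000100::::Constructed Signer One:10x:
sig:?::1:EEEEFFFF00001111:1470000200::::[User ID not found]:10x:
sub:-:4096:1:2222333344445555:1470000000::::::e:
fpr:::::::::9999888877776666555544443333222211110000:
"""

def normalize_fingerprint(value):
    """Return a 40-hex-digit fingerprint; reject 8- or 16-digit key IDs."""
    fpr = re.sub(r"\s+", "", value).upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("need a full 40-hex-digit fingerprint, got %r" % value)
    return fpr

def parse_listing(text):
    """Return (primary fingerprint, key IDs whose certifications gpg marked good)."""
    primary, good, in_primary = None, set(), False
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            in_primary = True
        elif f[0] == "sub":
            in_primary = False          # ignore subkey fingerprints and bindings
        elif f[0] == "fpr" and in_primary and primary is None:
            primary = f[9]              # field 10 holds the fingerprint
        elif f[0] == "sig" and in_primary and f[1].startswith("!"):
            good.add(f[4])              # "!" means gpg verified this signature
    if primary is None:
        raise ValueError("no primary key fingerprint in listing")
    good.discard(primary[-16:])         # v4 key ID = low 64 bits: drop the self-signature
    return primary, good

def check_key(text, pinned_fingerprint, trusted_signers):
    """Return (fingerprint matches pin, trusted key IDs with a verified signature)."""
    pinned = normalize_fingerprint(pinned_fingerprint)
    primary, good = parse_listing(text)
    return primary == pinned, good & {s.upper() for s in trusted_signers}
```

A signature that gpg could not verify (marked `?` because the signer's public key is missing) is not counted, so a signer only appears in the result once their key is in the local keyring.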