[CPR-381] PGP key changed? Created: 2016/09/26  Updated: 2017/12/28  Resolved: 2017/12/28

Status: Closed
Project: Community Package Repository
Component/s: None
Affects Version/s: None
Fix Version/s: 2017/08/02

Type: Bug Priority: Critical
Reporter: Robert Scheer Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

Hi, your public PGP key in http://apt.puppetlabs.com/pubkey.gpg has changed but I cannot find any confirmation that this is an authorized and valid change. I see no announcement, and all documentation I can find on the website mentions the (short) fingerprint of your previous key: 4BD6EC30.
How do I know I can trust the new contents of that file?



Comments
Comment by Melissa Stone [ 2016/09/27 ]

Hello Robert Scheer,

Yes, we've changed our key. We did our best to be as transparent about the process as possible. You can find a detailed description here.

We've also updated our docs site to reference the new key. That page is at https://docs.puppet.com/puppet/4.6/reference/puppet_collections.html#manual-verification.

Let us know if you have further questions.

Comment by Robert Scheer [ 2016/09/28 ]

Thank you Melissa Stone. That google (or usenet?) group post is quite hard to find if you don't know or remember that you use that channel for your official announcements. I spent quite some time finding evidence that the change was legit: using google web search I could find no reference to this post. Then I took a step back and tried to find other announcements from puppetlabs, which led me to puppet.com/company/press-room/ , but no reference to pgp-keys.
Then I tried approaching puppet.com from the front page trying several paths, but none led me to this google/usenet group, not even your site map.
Am I blind or is your announcement-channel really hard to find?

Comment by Michael Stahnke [ 2016/09/28 ]

We have an -announce list where this change was also broadcast. I know it didn't reach everybody. What channels would you recommend we invoke here? We're unsure how to reach all users.

You're also able to verify on pgp.mit.edu.

You'll see the new key is signed by several puppet employees who do release engineering tasks.

http://pgp.mit.edu/pks/lookup?op=vindex&search=0x7F438280EF8D349F
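
An added example (not code from this ticket, Puppet, or GnuPG) of the offline check a client can run on a downloaded pubkey.gpg: it computes the full v4 fingerprint from the primary public-key packet (RFC 4880 section 12.2) and compares it with the fingerprint published in the docs, refusing to decide on a 32-bit short ID such as 4BD6EC30 or the 64-bit long ID in the keyserver link above, since those are far easier to collide than the full hash. It assumes a binary (not ASCII-armored) key file; the sample key bytes at the bottom are constructed and are not a real key.

```python
import hashlib
import struct
def _packet(raw, pos):
    """Return (tag, body, next_pos) for the packet at raw[pos] (RFC 4880 section 4.2)."""
    ctb = raw[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, raw[pos + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + raw[pos + 2] + 192, 3
        elif first == 255:
            length, hdr = struct.unpack(">I", raw[pos + 2:pos + 6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                            # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        hdr = 1 + (1 << ltype)
        length = int.from_bytes(raw[pos + 1:pos + hdr], "big")
    return tag, raw[pos + hdr:pos + hdr + length], pos + hdr + length
def fingerprint(raw):
    """v4 fingerprint: SHA-1 over 0x99 || 2-byte body length || primary key packet body."""
    pos = 0
    while pos < len(raw):
        tag, body, pos = _packet(raw, pos)
        if tag == 6:                                 # public-key packet
            if body[0] != 4:
                raise ValueError("only v4 keys are supported")
            return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    raise ValueError("no public-key packet found")
def key_ids(raw):
    """(long key ID, short key ID): the low 64 and 32 bits of the fingerprint."""
    fp = fingerprint(raw)
    return fp[-16:], fp[-8:]
def matches_documented(raw, documented):
    """Compare the full 40-hex fingerprint; refuse to decide on a bare key ID."""
    doc = documented.replace(" ", "").upper()
    doc = doc[2:] if doc.startswith("0X") else doc
    if len(doc) != 40:
        raise ValueError("need the full fingerprint, not a %d-bit key ID" % (4 * len(doc)))
    return fingerprint(raw) == doc

# Constructed sample (NOT a real key): version 4, creation time, RSA, MPI n (16 bits), MPI e (17 bits),
# wrapped once in an old-format header (0x99, 2-byte length) and once in a new-format header (0xC6).
_body = b"\x04" + struct.pack(">I", 1474963200) + b"\x01" + b"\x00\x10\xc3\x5d" + b"\x00\x11\x01\x00\x01"
SAMPLE_KEY_OLD = b"\x99" + struct.pack(">H", len(_body)) + _body
SAMPLE_KEY_NEW = b"\xc6" + bytes([len(_body)]) + _body
```

Compare the value returned by `fingerprint` with the fingerprint on the docs page, and use `gpg --check-sigs` on the imported key to review the employee signatures the keyserver shows.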

Comment by Robert Scheer [ 2016/09/29 ]

Thanks for the info. I see now that I got no hits in search engines because I was not looking for puppet announce but puppetlabs announce. And it would certainly help to mention your announcement channel (more prominently) on the website.

Generated at Sun Aug 09 23:42:58 PDT 2020 using Jira 8.5.2#805002-sha1:a66f9354b9e12ac788984e5d84669c903a370049.