[FFmpeg-devel] [RFC] git and signing commits and tags

Michael Niedermayer michael at niedermayer.cc
Tue Aug 9 22:32:39 EEST 2022


On Tue, Aug 09, 2022 at 07:50:13PM +0200, Lynne wrote:
> Aug 9, 2022, 13:02 by michael at niedermayer.cc:
> 
> > On Tue, Aug 09, 2022 at 12:59:52PM +0200, Michael Niedermayer wrote:
> >
> >> On Tue, Aug 09, 2022 at 12:36:53AM +0200, Michael Niedermayer wrote:
> >> > On Mon, Aug 08, 2022 at 09:26:52PM +0200, Lynne wrote:
> >> > > Aug 8, 2022, 16:50 by michael at niedermayer.cc:
> >> > > 
> >> > > > Given the recent server issues, i wonder if we should suggest/recommand
> >> > > > and document signing commits and tags
> >> > > >
> >> > > > i tried to push such commit to github and it nicely says "verified"
> >> > > > https://github.com/michaelni/FFmpeg/commit/75f196acd16fb0c0ca7a94f0c66072e7c6f736bf
> >> > > >
> >> > > > Ive generated a new gpg key for this experiment as i dont have my
> >> > > > main key on the box used for git development and also using more
> >> > > > modern eliptic curve stuff (smaller keys & sigs)
> >> > > > i will upload this key to the keyservers in case it becomes the
> >> > > > one i use for git.
> >> > > >
> >> > > 
> >> > > I sign all of my commits, 
> >> > 
> >> > I didnt notice, but thats good as it also proofs it works with no ill
> >> > sideeffects
> >> > 
> >> > Where can i find your public key ? it seems its not on the keyservers i checked
> >>
> >> Your key seems only on openpgp.org but that strips userids unless the owner approves it 
> >> (i presume for GDPR) making the key not work
> >>
> >> gpg --keyserver hkps://keys.openpgp.org --recv-keys FE50139C680572CAFD521F8DA2FEA5F03F034464
> >> gpg: key A2FEA5F03F034464: no user ID
> >> gpg: Total number processed: 1
> >>
> >> gpg --list-keys FE50139C680572CAFD521F8DA2FEA5F03F034464
> >> gpg: error reading key: No public key
> >>
> >> gpg --recv-keys FE50139C680572CAFD521F8DA2FEA5F03F034464
> >> gpg: keyserver receive failed: No data
> >>
> >
> > found your key with google here:
> > https://lynne.ee/extra/A2FEA5F03F034464.asc
> >
> 
> I just pushed it to keyserver.ubuntu.com, the only still working server
> I found, surprisingly. Seems a few months ago sks (a protocol/sever?
> to share keys between servers) was deprecated and most servers went
> down, and the GDPR also took some out. Sad. There's some work done
> to make a new protocol/server apparently.
> I'm very sure I pushed my key to the MIT server back when I made it in 2019,
> but that server also seems like it's forgotten my key and not accepting it.

yes, i was also scratching my head yesterday about this keyserver apocalypse
the script below was what i ended up writing but iam not sure its usefull

#!/bin/bash
gpg --keyserver hkps://pgp.mit.edu          --recv-keys $* &
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys $* &
gpg --keyserver hkps://keys.openpgp.org     --recv-keys $* &
gpg --keyserver hkps://keys.gnupg.net       --recv-keys $* &
gpg --keyserver hkps://keyserver.pgp.com    --recv-keys $* &



> 
> I once imported all maintainer keys listed in MAINTAINERS and found many
> were revoked (I think compn's), while some used triple DES. The oldest key
> I found for a maintainer is actually Nicolas George's key, a triple DES from 2001!

> Maybe we should clean up the list of keys.

yes

maybe we also should collect the full public keys and not just the hashes
this list of hashes came from a time where obtaining a key from a hash
was trivial

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Take away the freedom of one citizen and you will be jailed, take away
the freedom of all citizens and you will be congratulated by your peers
in Parliament.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20220809/0a5b8049/attachment.sig>


More information about the ffmpeg-devel mailing list