[FFmpeg-devel] [RFC] git and signing commits and tags
Lynne
dev at lynne.ee
Tue Aug 9 20:50:13 EEST 2022
Aug 9, 2022, 13:02 by michael at niedermayer.cc:
> On Tue, Aug 09, 2022 at 12:59:52PM +0200, Michael Niedermayer wrote:
>
>> On Tue, Aug 09, 2022 at 12:36:53AM +0200, Michael Niedermayer wrote:
>> > On Mon, Aug 08, 2022 at 09:26:52PM +0200, Lynne wrote:
>> > > Aug 8, 2022, 16:50 by michael at niedermayer.cc:
>> > >
>> > > > Given the recent server issues, i wonder if we should suggest/recommand
>> > > > and document signing commits and tags
>> > > >
>> > > > i tried to push such commit to github and it nicely says "verified"
>> > > > https://github.com/michaelni/FFmpeg/commit/75f196acd16fb0c0ca7a94f0c66072e7c6f736bf
>> > > >
>> > > > Ive generated a new gpg key for this experiment as i dont have my
>> > > > main key on the box used for git development and also using more
>> > > > modern eliptic curve stuff (smaller keys & sigs)
>> > > > i will upload this key to the keyservers in case it becomes the
>> > > > one i use for git.
>> > > >
>> > >
>> > > I sign all of my commits,
>> >
>> > I didnt notice, but thats good as it also proofs it works with no ill
>> > sideeffects
>> >
>> > Where can i find your public key ? it seems its not on the keyservers i checked
>>
>> Your key seems only on openpgp.org but that strips userids unless the owner approves it
>> (i presume for GDPR) making the key not work
>>
>> gpg --keyserver hkps://keys.openpgp.org --recv-keys FE50139C680572CAFD521F8DA2FEA5F03F034464
>> gpg: key A2FEA5F03F034464: no user ID
>> gpg: Total number processed: 1
>>
>> gpg --list-keys FE50139C680572CAFD521F8DA2FEA5F03F034464
>> gpg: error reading key: No public key
>>
>> gpg --recv-keys FE50139C680572CAFD521F8DA2FEA5F03F034464
>> gpg: keyserver receive failed: No data
>>
>
> found your key with google here:
> https://lynne.ee/extra/A2FEA5F03F034464.asc
>
I just pushed it to keyserver.ubuntu.com, the only still working server
I found, surprisingly. Seems a few months ago sks (a protocol/sever?
to share keys between servers) was deprecated and most servers went
down, and the GDPR also took some out. Sad. There's some work done
to make a new protocol/server apparently.
I'm very sure I pushed my key to the MIT server back when I made it in 2019,
but that server also seems like it's forgotten my key and not accepting it.
I once imported all maintainer keys listed in MAINTAINERS and found many
were revoked (I think compn's), while some used triple DES. The oldest key
I found for a maintainer is actually Nicolas George's key, a triple DES from 2001!
Maybe we should clean up the list of keys.
More information about the ffmpeg-devel
mailing list