Broad updates to keys to their latest available versions from keys.openpgp.org #6
Conversation
In this changeset, I use the following script...

```bash
# Read the key IDs to refresh from keys.list (one per line) into a single string
KEY_IDS="$(xargs < keys.list)"

# Fetch the latest copy of each key into the local keyring under ./gpg
GNUPGHOME=gpg gpg --keyserver keys.openpgp.org --receive-keys ${KEY_IDS}

# Export each key, ASCII-armored, to keys/<KEY_ID>.asc
for KEY_ID in ${KEY_IDS}; do
  if [ -n "${KEY_ID}" ]; then
    GNUPGHOME=gpg gpg --export --armor "${KEY_ID}" > "keys/${KEY_ID}.asc"
  fi
done
```

...to pull the latest keys from keys.openpgp.org, as of 2021-06-28.

The resulting output is as follows:

```
gpg: key D3A89613643B6201: "Danielle Adams <[email protected]>" not changed
gpg: key 7D33FF9D0246406D: "Timothy J Fontaine (Personal) <[email protected]>" not changed
gpg: key 50A3051F888C628D: "Julien Gilli <[email protected]>" not changed
gpg: key 23EFEFE93C4CFFFE: "Italo A. Casas <[email protected]>" not changed
gpg: key B0A78B0A6C481CF6: "isaacs (http://blog.izs.me/) <[email protected]>" not changed
gpg: key 6D5A82AC7E37093B: "Christopher Dickinson <[email protected]>" not changed
gpg: key 97B01419BD92F80A: "Ruy Adorno <[email protected]>" not changed
gpg: key F13993A75599653C: "Shelley Vohr (security is major key) <[email protected]>" not changed
gpg: key F07496B3EB3C1762: "Ruben Bridgewater <[email protected]>" not changed
gpg: key C273792F7D83545D: "Rod Vagg <[email protected]>" not changed
gpg: key C43CEC45C17AB93C: "Richard Lau <[email protected]>" 1 new user ID
gpg: key C43CEC45C17AB93C: "Richard Lau <[email protected]>" 1 new signature
gpg: key E73BC641CC11F4C8: "Myles Borins <[email protected]>" 1 new user ID
gpg: key E73BC641CC11F4C8: "Myles Borins <[email protected]>" 1 new signature
gpg: key 770F7A9A5AE15600: "Michaël Zasso (Targos) <[email protected]>" not changed
gpg: key 09FE44734EB7990E: "Jeremiah Senkpiel <[email protected]>" not changed
gpg: key C97EC7A07EDE3FC1: "keybase.io/jasnell <[email protected]>" not changed
gpg: key B01FBB92821C587A: "Gibson Fahnestock <[email protected]>" not changed
gpg: key B63B535A4C206CA9: "Evan Lucas <[email protected]>" 1 new user ID
gpg: key B63B535A4C206CA9: "Evan Lucas <[email protected]>" 4 new signatures
gpg: key 92EF661D867B9DFA: "danielleadams <[email protected]>" revocation certificate added
gpg: key 92EF661D867B9DFA: "danielleadams <[email protected]>" 1 new signature
gpg: key 7434390BDBE9B9C5: "Colin Ihrig <[email protected]>" not changed
gpg: key D7062848A1AB005C: "Beth Griggs <[email protected]>" 1 new user ID
gpg: key D7062848A1AB005C: "Beth Griggs <[email protected]>" 8 new signatures
gpg: Total number processed: 20
gpg:              unchanged: 15
gpg:           new user IDs: 4
gpg:         new signatures: 15
```

I then committed the resulting changes, omitting **gpg/pubring.kbx~**, which should probably be added to .gitignore.
Each person I've requested to review this PR has a key that has been updated in this changeset. I wasn't able to tag Evan Lucas for review, although there are some changes for Evan as well.
@canterberry, I'm not entirely sure what and how I can verify this - is that the ask here? I assumed it would be a case of comparing my key in this PR with the ASCII armored output I get locally and from https://keys.openpgp.org/, but they all differ. After that, I tried a comparison with

Any guidance would be appreciated, I'm a noob at GPG.
@BethGriggs Thanks for taking a look at this so quickly, and I apologize for not being on top of things yesterday and only just now following up. Here is what keys.openpgp.org has for your key: https://keys.openpgp.org/vks/v1/by-fingerprint/4ED778F539E3634C779C87C6D7062848A1AB005C
I'm thinking that going forward, if this repo is to be the source of truth for release keys, part of the release team onboarding/offboarding process will involve updating this repo, and I'm happy to help put together scripts/processes to assist in that, as well as easy ways to verify changes or automate some of this.
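The text comparison described in the two comments above fails even when both files hold the same key: armored exports of one key differ in armor headers, line wrapping, and in which user IDs and certification signatures the exporting keyring happened to hold, while the v4 fingerprint (and the long key ID gpg prints, its last 16 hex digits) is computed over the public key packet alone. The following is an added example for this page, not code from this repository or from either commenter: a standard-library Python parser that de-armors a key block, checks the armor CRC, walks the OpenPGP packets, and derives the fingerprint so two exports can be compared by key identity instead of by bytes. The key material, user ID and keyserver header in the sample are constructed placeholders, not anyone's real key.

```python
import base64
import hashlib

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (the '=XXXX' armor checksum line)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, headers=(), width=64) -> str:
    """ASCII-armor a packet sequence; headers and line width are exporter choices."""
    b64 = base64.b64encode(data).decode()
    body = [b64[i:i + width] for i in range(0, len(b64), width)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, *headers, "", *body, "=" + crc, END]) + "\n"

def dearmor(text: str) -> bytes:
    """Strip armor, verify the CRC-24 line when present, return the raw packets."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a public key block")
    lines = lines[1:-1]
    if "" in lines:                       # armor headers end at the first blank line
        lines = lines[lines.index("") + 1:]
    lines = [line for line in lines if line]
    crc_line = lines.pop() if lines and lines[-1].startswith("=") else None
    data = base64.b64decode("".join(lines), validate=True)
    if crc_line and crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC mismatch")
    return data

def iter_packets(data: bytes):
    """Yield (tag, body) for old- and new-format packet headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte")
        if ctb & 0x40:                                  # new-format header
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def fingerprints(armored: str) -> list:
    """v4 fingerprints (SHA-1 over 0x99 || 2-byte length || key packet body):
    primary key (tag 6) first, then subkeys (tag 14). User IDs, signatures and
    armor formatting never enter the hash, so textually different exports match."""
    out = []
    for tag, body in iter_packets(dearmor(armored)):
        if tag in (6, 14):
            if body[0] != 4:
                raise ValueError("only v4 keys supported")
            out.append(hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper())
    if not out:
        raise ValueError("no public key packet found")
    return out

def same_primary_key(a: str, b: str) -> bool:
    """True when both armored blocks carry the same primary key (gpg's long key ID is fp[-16:])."""
    return fingerprints(a)[0] == fingerprints(b)[0]

# Constructed sample: one placeholder key packet (not a real key), exported twice as two
# tools might: different armor header, line width and an extra signature packet.
def _packet(tag: int, body: bytes) -> bytes:        # old-format header, 2-byte length
    return bytes([0x80 | (tag << 2) | 0x01]) + len(body).to_bytes(2, "big") + body

def _mpi(value: int) -> bytes:                      # multiprecision integer encoding
    return value.bit_length().to_bytes(2, "big") + value.to_bytes((value.bit_length() + 7) // 8, "big")

KEY_BODY = b"\x04" + (1624838400).to_bytes(4, "big") + b"\x01" + _mpi(0xC0FFEE0DDBA5EBA11) + _mpi(65537)
USER_ID = _packet(13, b"Example User <user@example.org>")
REPO_EXPORT = armor(_packet(6, KEY_BODY) + USER_ID)
KEYSERVER_EXPORT = armor(_packet(6, KEY_BODY) + USER_ID + _packet(2, bytes(40)),
                         headers=("Comment: Hostname: keys.openpgp.org",), width=76)
```

To check a real key, read the repo's `keys/<KEY_ID>.asc` and the download from the by-fingerprint URL into two strings and pass them to `same_primary_key`; `fingerprints(...)[0]` should equal the 40-hex-digit fingerprint in that URL, and its last 16 digits the key ID in `keys.list`. The gpg equivalent is `gpg --show-keys --with-fingerprint keys/<KEY_ID>.asc` on each file, comparing the printed fingerprints rather than the files.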
I've done some research on what is and isn't on keys.openpgp.org, and I'm seeing that it is not a reliable source of truth for the current set of release team keys. Thus, a better path forward might be to have a script for a release team member to run to update this repo with any key used for signing prior or future Node.js releases (instead of me hunting for them on an unreliable third party keyserver).
Created #8 to provide a self-service option for release team members to add their own signing keys to this repo.
ping @BethGriggs
Superseded. Closing.
Depends on #5.