Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[1.1] release: add runc.keyring file #3838

Merged
merged 8 commits into from
Apr 26, 2023
Merged

[1.1] release: add runc.keyring file #3838

merged 8 commits into from
Apr 26, 2023

Conversation

cyphar
Copy link
Member

@cyphar cyphar commented Apr 22, 2023

Backport of:

In order to allow any of the maintainers to cut releases for runc,
create a keyring file that distributions can use to verify that releases
are signed by one of the maintainers.

The format matches the gpg-offline format used by openSUSE packaging,
but it can be easily imported with gpg --import so any distribution
should be able to handle this keyring format wtihout issues.

Each key includes the GitHub handle of the associated user, and a new
verification step is added to CI to ensure that the key is actually one
of the keys the user has registered with GitHub (as well as being a
maintainer).

Signed-off-by: Aleksa Sarai [email protected]

cyphar and others added 6 commits April 22, 2023 17:18
In order to allow any of the maintainers to cut releases for runc,
create a keyring file that distributions can use to verify that releases
are signed by one of the maintainers.

The format matches the gpg-offline format used by openSUSE packaging,
but it can be easily imported with "gpg --import" so any distribution
should be able to handle this keyring format wtihout issues.

Each key includes the GitHub handle of the associated user. There isn't
any way for this information to be automatically verified (outside of
using something like keybase.io) but since all changes of this file need
to be approved by maintainers this is okay for now.

Signed-off-by: Aleksa Sarai <[email protected]>
We need to make sure the release is being signed by a key that is
actually listed as a trusted signing key, and we also need to ask the
person cutting the release whether the list of trusted keys is
acceptable.

Also add some verification checks after a release is signed to make sure
everything was signed with the correct keys.

Signed-off-by: Aleksa Sarai <[email protected]>
These checks ensure that all of the keys in the runc.keyring list are
actually the keys of the specified user and that the users themselves
are actually maintainers.

Signed-off-by: Aleksa Sarai <[email protected]>
keyid 5F36C6C61B5460124A75F5A69E18AA267DDB8DB4

This is the signing key I have used for all previous runc releases. You
can also verify that this is the key trusted by openSUSE for all of our
releases.

Ref: https://keyserver.ubuntu.com/pks/lookup?search=5F36C6C61B5460124A75F5A69E18AA267DDB8DB4&fingerprint=on&op=index
Ref: https://build.opensuse.org/package/view_file/openSUSE:Factory/runc/runc.keyring?expand=1&rev=54
Signed-off-by: Aleksa Sarai <[email protected]>
keyid C9C370B246B09F6DBCFC744C34401015D1D2D386

This is my personal signing key, which I've used to sign the vast
majority of my commits on GitHub. While I usually sign releases using my
<[email protected]> signing key, it doesn't hurt to include this key too.

Ref: https://keyserver.ubuntu.com/pks/lookup?search=C9C370B246B09F6DBCFC744C34401015D1D2D386&fingerprint=on&op=index
Signed-off-by: Aleksa Sarai <[email protected]>
Signed-off-by: Kir Kolyshkin <[email protected]>
@cyphar cyphar added the backport/1.1-pr A backport PR to release-1.1 label Apr 22, 2023
@cyphar cyphar marked this pull request as ready for review April 22, 2023 09:02
@kolyshkin
Copy link
Contributor

  1. I was hoping we won't be making any more 1.1 releases, instead concentrating on releasing 1.2.0-rc. Surely this might not be true...
  2. Do we need to maintain runc.keyring in two branches? I mean, we can just refer to https://raw.githubusercontent.com/opencontainers/runc/main/runc.keyring

@AkihiroSuda
Copy link
Member

AkihiroSuda commented Apr 25, 2023

  1. I was hoping we won't be making any more 1.1 releases, instead concentrating on releasing 1.2.0-rc. Surely this might not be true...

Probably we still have to make a couple of 1.1 releases.

  1. Do we need to maintain runc.keyring in two branches?

No

I mean, we can just refer to https://raw.githubusercontent.com/opencontainers/runc/main/runc.keyring

👍

@kolyshkin

This comment was marked as off-topic.

@kolyshkin
Copy link
Contributor

Guess we also need to backport #3840

@cyphar
Copy link
Member Author

cyphar commented Apr 25, 2023

Do we need to maintain runc.keyring in two branches?

I think it would be a good idea because it would mean we'd have runc.keyring in the released tarball for the next 1.1.z release. We won't need to update runc.keyring very regularly, so this is probably going to be a once-off thing (1.2.0+ will get runc.keyring from main).

cyphar and others added 2 commits April 26, 2023 08:02
Add a little bit more diagnostic information to "make validate-keyring".

Signed-off-by: Aleksa Sarai <[email protected]>
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cyphar cyphar mentioned this pull request Apr 26, 2023
@kolyshkin kolyshkin added this to the 1.1.7 milestone Apr 26, 2023
@kolyshkin kolyshkin requested a review from AkihiroSuda April 26, 2023 15:21
@AkihiroSuda AkihiroSuda enabled auto-merge April 26, 2023 15:57
@kolyshkin
Copy link
Contributor

@cyphar this needs a rebase

@AkihiroSuda AkihiroSuda merged commit 2648033 into opencontainers:release-1.1 Apr 26, 2023
@kolyshkin
Copy link
Contributor

@cyphar this needs a rebase

(nevermind, I was able to make github merge it)

@cyphar cyphar deleted the 1.1-release-gpgkeys branch May 23, 2023 06:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport/1.1-pr A backport PR to release-1.1
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants