How can I get my hands on your PGP public key(s)?

[drivera-armedia]

For Apache stuff, for instance, they plainly make available the developer's public key. For your artifacts we can use --auto-key-retrieve, but we still can't verify authenticity/trust/etc.

Where can we get your public key(s) from? They don't seem to be available in the MIT keyserver. This is important for container construction and artifact verification.

Without that key we can verify integrity (sha256) but not authenticity (asc).

Thanks!

[dhoard]

@drivera-armedia I have published my public key to keys.openpgp.org.

gpg --keyserver hkps://keys.openpgp.org --recv-keys 90E3CDDECF99D81C0309D74CCADDBDF51122242E
gpg: key CADDBDF51122242E: "Doug Hoard <doug.hoard@gmail.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

[dhoard]

@drivera-armedia, were you able to receive my GPG key?

[drivera-armedia]

Yes, but is this the key that will always be used to sign the artifact?

The goal is to have an automated build that can download and validate the artifact as per the published signature. This means that the build has to pull the key each time to figure it out. If tomorrow someone else's key will be needed, without warning, this will cause the build to fail b/c it won't be using the correct key to validate the artifact.

The "Apache way" is to publish the key to a known location and keep it there. If the key changes, they update that file to include the new key(s) in addition to any old ones that may be needed. Thus, by downloading that file and validating against the keys within, one will always be able to ensure the artifact is correct.

Trust in the keys is "a different issue" ... and, well, there are compromises to be made 😄

So yes - I could get your key ... but if that key may change tomorrow, I'll be back to square one.

Thoughts?

[dhoard]

@drivera-armedia I can add my key to the repository.

The issue is that we don't have a shared signing key. If I do the release (most likely), it will be my key. If another maintainer does the release, it will be their key.