Upload the release-signing key to keybase.io #12730

issue mcdallas opened this issue on March 19, 2018
  1. mcdallas commented at 11:44 PM on March 19, 2018: none

    Might be a good idea to upload the release-signing key to keybase.

    Keybase allows you to link github accounts/domains to a public key in a way that anyone can verify that the owner of the key is the owner of the repo/domain and you don't have to rely on the web of trust.

  2. fanquake added the label Brainstorming on Mar 20, 2018
  3. eklitzke commented at 6:37 AM on March 22, 2018: contributor

    > and you don't have to rely on the web of trust.

    So what would you be relying on instead?

  4. mcdallas commented at 9:33 AM on March 22, 2018: none

    > So what would you be relying on instead?

    You can verify yourself that the owner of the key is the owner of the domain/github account by checking the signed proofs they posted in these accounts. You don't have to trust someone else to certify that the public key is owned by that person.

    Example: I can be sure that the owner of that key is also the owner of gpgtools.org and GPGTools twitter account because they have posted said proofs here and here

  5. achow101 commented at 5:04 PM on March 22, 2018: member

    IMO keybase does not provide any usefulness for us regarding the release key. Signed proofs can be done without keybase, and the release key isn't even used on social media platforms so signed proofs for such accounts are pointless. Furthermore, the release key is not Wladimir's personal PGP key so it doesn't even have social media accounts to be associated with (such accounts should be associated with Wladimir's personal PGP key). The release key is used solely in releases which are published on a mailing list and for the signed hashes file. The fact that the release key has been used before to sign emails from Wladimir's email address is enough proof that he owns the private key.

  6. MarcoFalke commented at 7:33 PM on March 22, 2018: member

    Git commits and tags are signed, so you can already check that the fingerprint was signed by a bunch of people (including the maintainers of the project).

    https://github.com/bitcoin/bitcoin/blame/185d48473e439743d68ede0208738f3a3e48bbce/contrib/verifybinaries/README.md#L10
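    One way to enforce the "check the fingerprint" step from the linked README in a script, as an added example that is not code from this thread or from the Bitcoin Core repository: `gpg --verify` exits 0 for a valid signature from any key in the keyring, so the script parses gpg's machine-readable status output and accepts only a VALIDSIG whose primary-key fingerprint matches the pinned one. The pinned fingerprint, the gpg status lines and the paths are constructed placeholders.

```python
import re
import subprocess

# Constructed placeholder. A real check pins the fingerprint published in the
# repository's verifybinaries README, not one fetched from a key server or Keybase.
PINNED_FINGERPRINTS = {"0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"}

# Constructed sample of `gpg --status-fd 1 --verify` output (not real output for any
# release). The signature is made by a subkey; the last VALIDSIG field is the primary key.
SAMPLE_OK = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key (constructed) <releases@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2018-03-22 1521676800 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_OTHER_KEY = SAMPLE_OK.replace("0123456789ABCDEF0123456789ABCDEF01234567",
                                     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Release Key\n"


def normalize(fpr):
    """Strip whitespace and upper-case a fingerprint so README spacing does not matter."""
    return re.sub(r"\s+", "", fpr).upper()


def verify_pinned(status_output, pinned=PINNED_FINGERPRINTS):
    """True only if a VALIDSIG was made by a pinned key and no BADSIG/ERRSIG appeared.

    GOODSIG only carries a 64-bit key ID, which is not collision resistant, so the
    full fingerprint from VALIDSIG is compared. Field 2 is the signing (sub)key,
    the optional field 11 is the primary key; either may be the pinned one.
    """
    pinned = {normalize(f) for f in pinned}
    accepted = False
    for line in status_output.splitlines():
        f = line.split()
        if len(f) < 2 or f[0] != "[GNUPG:]":
            continue
        if f[1] in ("BADSIG", "ERRSIG"):
            return False
        if f[1] == "VALIDSIG" and len(f) >= 11:
            seen = {normalize(f[2])}
            if len(f) >= 12:
                seen.add(normalize(f[11]))
            if seen & pinned:
                accepted = True
    return accepted


def verify_release(sums_path, sig_path):
    """Run gpg on a SHA256SUMS/.asc pair and apply the pinned-fingerprint check."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, sums_path],
                          capture_output=True, text=True)
    return proc.returncode == 0 and verify_pinned(proc.stdout)
```

After `verify_release` passes, the downloaded binary's hash still has to be compared against the signed SHA256SUMS file; the signature check alone only proves who published the list.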

  7. laanwj commented at 4:15 PM on March 27, 2018: member

    Not sure about this. If people think this actually helps security, I'm willing to do it. But if it encourages a lazy way of working where users trust keybase.io instead of verifying, it would do the opposite.

  8. eklitzke commented at 2:20 AM on March 28, 2018: contributor

    To be honest I'm not really sure how this would work. I put a GitHub attestation on my Keybase account last year, which you can see here: https://gist.github.com/eklitzke/abf27489e0020bd5ff8d75fe2b9465c4

    The idea is you put up a gist, and then the gist is signed with information proving that you own the gist. That proves that the person who has the key on keybase also owns that GitHub account. There isn't a bitcoin GitHub user account as far as I know. I don't think projects can upload gists, only users (correct me if I'm mistaken).

    You could put up an attestation of the key on bitcoin-core.org but I'm not really sure how that's better than just putting the key itself on bitcoin-core.org.

  9. laanwj commented at 10:14 AM on May 8, 2020: member

    I'm closing this. Keybase was acquired (or acqui-hired) by Zoom, it's unlikely to survive very long.

    And apart from that this issue has been dormant for years.

  10. laanwj closed this on May 8, 2020

  11. DrahtBot locked this on Feb 15, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-14 21:15 UTC
