WIP contrib: Add keys.openpgp.org as backup server #18385

pull MarcoFalke wants to merge 1 commits into bitcoin:master from MarcoFalke:2003-contribPGPBackupServer changing 3 files +11 −4
  1. MarcoFalke commented at 7:18 PM on March 19, 2020: member

    Due to DOS attacks, most keyservers are read-only or have strict upload limits. I can no longer upload my key to SKS keyservers. See also https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#executive-summary

    The keyservers only have an outdated key of mine, so all gpg --verify checks will fail. For example, in the travis sanity check: https://travis-ci.org/github/bitcoin/bitcoin/builds/664176384

    Fix this by switching to keys.openpgp.org as backup.

  2. contrib: Add keys.openpgp.org as backup server fa3a0fcd09
  3. in ci/lint/06_script.sh:25 in fa3a0fcd09
      20 | @@ -21,6 +21,7 @@ test/lint/lint-all.sh
      21 |  
      22 |  if [ "$TRAVIS_REPO_SLUG" = "bitcoin/bitcoin" ] && [ "$TRAVIS_EVENT_TYPE" = "cron" ]; then
      23 |      git log --merges --before="2 days ago" -1 --format='%H' > ./contrib/verify-commits/trusted-sha512-root-commit
      24 | -    travis_retry gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys $(<contrib/verify-commits/trusted-keys) &&
      25 | +    ${CI_RETRY_EXE} gpg --keyserver hkps://keys.openpgp.org    --recv-keys $(<contrib/verify-commits/trusted-keys) &&
      26 | +    ${CI_RETRY_EXE} gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys $(<contrib/verify-commits/trusted-keys) &&
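
    Review bot: The two added `--recv-keys` lines (25 and 26) are chained with `&&`, so the job now needs both keys.openpgp.org and keyserver.ubuntu.com to answer; if the first fetch fails after its retries, the second is never attempted, which is not backup behaviour. If either server should be enough, group them as `{ first || second; } &&`. Line 26 also drops the explicit `:80` that the removed line had and stays on plain `hkp://` while line 25 uses `hkps://`; the commit message should say whether both changes are intended.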
    


    emilengler commented at 7:19 PM on March 19, 2020:

    Why not put the key servers into an array and loop through it until it finds keys? Maybe it's a bit too much for this PR, but if we add more backup servers from time to time it'll get useful.
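
An added sketch of the loop suggested in the comment above (not code from this PR or from Bitcoin Core): each keyserver is tried in order, and success is decided by checking that every fingerprint in the trusted-keys file is now in the local keyring, not by gpg's exit status. `KEYSERVERS`, `GPG`, `USED_SERVER` and both function names are assumptions, as is a file format of one fingerprint per line; a space-separated list stands in for the array so the functions also run under plain sh.

```shell
#!/bin/sh
# Added example: ordered keyserver fallback with a post-import fingerprint check.
# All names below are hypothetical and chosen for this sketch.
KEYSERVERS="${KEYSERVERS:-hkps://keys.openpgp.org hkp://keyserver.ubuntu.com}"
GPG="${GPG:-gpg}"

# have_all_keys FILE
# Succeeds only if FILE lists at least one fingerprint and every listed
# fingerprint is present in the local keyring. Lines starting with '#' are skipped.
have_all_keys() {
    n=0
    while read -r fpr rest || [ -n "$fpr" ]; do
        case "$fpr" in ''|'#'*) continue ;; esac
        "$GPG" --batch --list-keys "$fpr" >/dev/null 2>&1 </dev/null || return 1
        n=$((n + 1))
    done < "$1"
    [ "$n" -gt 0 ]   # an empty trust list must not count as success
}

# recv_trusted_keys FILE
# Tries each server in KEYSERVERS in order and stops at the first one after
# which all fingerprints in FILE are in the keyring. Sets USED_SERVER on success.
recv_trusted_keys() {
    keyfile=$1
    for server in $KEYSERVERS; do
        # Word splitting of the fingerprint list is intended here.
        # A failing server is not fatal; the keyring check below decides.
        "$GPG" --batch --keyserver "$server" --recv-keys \
            $(awk '!/^#/ && NF { print $1 }' "$keyfile") \
            >/dev/null 2>&1 </dev/null || true
        if have_all_keys "$keyfile"; then
            USED_SERVER=$server
            return 0
        fi
    done
    return 1
}

# Usage in a CI script:
#   recv_trusted_keys contrib/verify-commits/trusted-keys || exit 1
```

The trust anchor stays the fingerprint list in the repository: a server that answers but returns an incomplete or outdated set of keys is treated the same as one that is down.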

  4. in ci/lint/06_script.sh:24 in fa3a0fcd09
      20 | @@ -21,6 +21,7 @@ test/lint/lint-all.sh
      21 |  
      22 |  if [ "$TRAVIS_REPO_SLUG" = "bitcoin/bitcoin" ] && [ "$TRAVIS_EVENT_TYPE" = "cron" ]; then
      23 |      git log --merges --before="2 days ago" -1 --format='%H' > ./contrib/verify-commits/trusted-sha512-root-commit
      24 | -    travis_retry gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys $(<contrib/verify-commits/trusted-keys) &&
      25 | +    ${CI_RETRY_EXE} gpg --keyserver hkps://keys.openpgp.org    --recv-keys $(<contrib/verify-commits/trusted-keys) &&
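
    Review bot: On added line 25, `travis_retry` becomes `${CI_RETRY_EXE}`, and nothing in this hunk shows where that variable is set. If it is empty in the cron job, the `gpg` call still runs but without any retry, so a transient keyserver error fails the whole check. A guard that aborts when the variable is unset, or a comment naming the file that defines it, would make this safe to read in isolation.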
    


    emilengler commented at 7:21 PM on March 19, 2020:

    You aren't adding it as a backup server, you make ubuntu a backup server

  5. jonatack commented at 7:33 PM on March 19, 2020: member

    Concept ACK

  6. emilengler commented at 7:38 PM on March 19, 2020: contributor

    Concept ACK on adding it as a backup server, but I would leave Ubuntu as number 1 like it already is; otherwise the PR title is wrong.

  7. MarcoFalke commented at 7:49 PM on March 19, 2020: member

    If someone has an alternative that is:

    • running stable
    • where I (and every other Bitcoin Core contributor) can upload their key

    Please let me know

  8. DrahtBot added the label Build system on Mar 19, 2020
  9. DrahtBot added the label Docs on Mar 19, 2020
  10. DrahtBot added the label Scripts and tools on Mar 19, 2020
  11. MarcoFalke commented at 9:23 PM on March 19, 2020: member

    Could someone please run this locally? I fail to see which key is expired:

    $ gpg --fingerprint --fingerprint   marco
    pub   rsa4096 2015-12-14 [SC]
          B8B3 F1C0 E58C 15DB 6A81  D30C 3648 A882 F431 6B9B
    ...
    sub   rsa2048 2015-12-14 [S] [expires: 2020-09-09]
          FE09 B823 E6D8 3A3B C798  3EAA 2D7F 2372 E50F E137
    ...
    
    
    
    $ git log --show-signature b860915f8b0dae98e57a254d11575ea41f5c5a79 
    commit b860915f8b0dae98e57a254d11575ea41f5c5a79
    gpg: Signature made Fri 10 Feb 2017 12:02:56 PM EST
    gpg:                using RSA key 2D7F2372E50FE137
    gpg: Good signature from "Marco Falke <marco.falke@tum.de>" [unknown]
    gpg:                 aka "Marco Falke <falke.marco@gmail.com>" [unknown]
    gpg: Note: This key has expired!
    Primary key fingerprint: B8B3 F1C0 E58C 15DB 6A81  D30C 3648 A882 F431 6B9B
         Subkey fingerprint: FE09 B823 E6D8 3A3B C798  3EAA 2D7F 2372 E50F E137
    Merge: 2447c1024e 9db8eecac1
    

    <!-- This is the merge function of the ubuntu keyserver: https://github.com/hockeypuck/hockeypuck/blame/d43a9d714d03a1ac9c542efb05d7251f5d7f8542/src/hockeypuck/openpgp/resolve.go#L108 For some reason I had to create a new subkey to get my key to merge and yield a different hash, thus get updated. Huh :man_shrugging: I guess this is solved.

  12. laanwj commented at 3:49 PM on March 20, 2020: member
    $ gpg --fingerprint --fingerprint   marco
    pub   rsa4096/0x3648A882F4316B9B 2015-12-14 [SC]
          Key fingerprint = B8B3 F1C0 E58C 15DB 6A81  D30C 3648 A882 F431 6B9B
    uid                   [  full  ] Marco Falke <marco.falke@tum.de>
    uid                   [  full  ] Marco Falke <falke.marco@gmail.com>
    
    git log --show-signature b860915f8b0dae98e57a254d11575ea41f5c5a79 
    commit b860915f8b0dae98e57a254d11575ea41f5c5a79
    gpg: Signature made Fri 10 Feb 2017 06:02:56 PM CET
    gpg:                using RSA key 2D7F2372E50FE137
    gpg: Good signature from "Marco Falke <marco.falke@tum.de>" [full]
    gpg:                 aka "Marco Falke <falke.marco@gmail.com>" [full]
    gpg: Note: This key has expired!
    Primary key fingerprint: B8B3 F1C0 E58C 15DB 6A81  D30C 3648 A882 F431 6B9B
         Subkey fingerprint: FE09 B823 E6D8 3A3B C798  3EAA 2D7F 2372 E50F E137
    
  13. MarcoFalke commented at 4:11 PM on March 20, 2020: member

    Oh, does it not show the subkey FE09 B823 E6D8 3A3B C798 3EAA 2D7F 2372 E50F E137? I think I used that key to sign commits back then.

  14. laanwj commented at 8:11 AM on March 21, 2020: member

    I got into a fight with gpg yesterday and was unable to list keys, had to rebuild my public keyring. Anyhow it shows the following keys:

    pub   rsa4096/0x3648A882F4316B9B 2015-12-14 [SC]
          Key fingerprint = B8B3 F1C0 E58C 15DB 6A81  D30C 3648 A882 F431 6B9B
    uid                   [ unknown] Marco Falke <marco.falke@tum.de>
    uid                   [ unknown] Marco Falke <falke.marco@gmail.com>
    sub   rsa2048/0x6DF9EDF1F6B61B9A 2015-12-14 [E] [expires: 2020-09-09]
          Key fingerprint = B6C7 2B4A 758C C29B 483E  82C7 6DF9 EDF1 F6B6 1B9A
    sub   rsa2048/0x2D7F2372E50FE137 2015-12-14 [S] [expires: 2020-09-09]
          Key fingerprint = FE09 B823 E6D8 3A3B C798  3EAA 2D7F 2372 E50F E137
    sub   rsa4096/0xD2EA4850E7528B25 2017-03-01 [S] [expires: 2020-09-09]
          Key fingerprint = 60B0 B8A4 02FB 386B 24A0  39AC D2EA 4850 E752 8B25
    sub   rsa3072/0xCE2B75697E69A548 2018-01-23 [S] [expires: 2020-09-09]
          Key fingerprint = FAB5 4FA1 46A1 AC8F 6C2C  6613 CE2B 7569 7E69 A548
    

    So yes — it's lacking that subkey. Eh no, it isn't, sorry, it's the second one.

          Key fingerprint = FE09 B823 E6D8 3A3B C798  3EAA 2D7F 2372 E50F E137
    
  15. laanwj commented at 8:26 AM on March 21, 2020: member

    Anyhow we should probably merge this as it gets travis to pass again. (though travis is down at the moment) ACK fa3a0fcd094b934377ad88242d1a4d1e6c03d6f4

  16. MarcoFalke commented at 1:13 PM on March 21, 2020: member

    > Eh no, it isn't, sorry, it's the second one.

    Right, and it is not expired. That problem seems to be a problem completely unrelated to keyservers.

  17. MarcoFalke renamed this:
    contrib: Add keys.openpgp.org as backup server
    WIP contrib: Add keys.openpgp.org as backup server
    on Mar 21, 2020
  18. MarcoFalke added the label Needs Guix build on Apr 22, 2020
  19. MarcoFalke removed the label Needs Guix build on Apr 25, 2020
  20. MarcoFalke added the label Needs gitian build on Apr 28, 2020
  21. MarcoFalke removed the label Needs gitian build on Apr 29, 2020
  22. MarcoFalke marked this as a draft on Apr 29, 2020
  23. MarcoFalke added the label Needs gitian build on Apr 29, 2020
  24. MarcoFalke removed the label Needs gitian build on Apr 29, 2020
  25. MarcoFalke added the label Needs Guix build on Apr 29, 2020
  26. MarcoFalke removed the label Needs Guix build on Apr 29, 2020
  27. MarcoFalke closed this on May 7, 2020

  28. MarcoFalke deleted the branch on May 7, 2020
  29. DrahtBot locked this on Feb 15, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-16 21:14 UTC