Tag v0.5.1 is not verified. #1607

issue richmills3 openend this issue on September 17, 2024
  1. richmills3 commented at 10:48 am on September 17, 2024: none
    As per the title - The git tag for v0.5.1 doesn’t appear to be verified.
  2. real-or-random commented at 12:22 pm on September 17, 2024: contributor

    The git tag for v0.5.1 doesn’t appear to be verified.

    What observation makes you arrive at this conclusion?

  3. real-or-random added the label release on Sep 17, 2024
  4. richmills3 commented at 12:25 pm on September 17, 2024: none

    The git tag for v0.5.1 doesn’t appear to be verified.

    What observation makes you arrive at this conclusion?

    Tags - v0.5.1 Doesn’t have the Verified label.

  5. apoelstra commented at 12:51 pm on September 17, 2024: contributor
    The recent tags, including 0.5.1, appear to be all signed with the same key. This is probably just a Github bug.
  6. real-or-random commented at 12:53 pm on September 17, 2024: contributor

    Okay, indeed. I think this is just an issue with GitHub’s web interface. Try verifying the tag on the command line:

     0> gpg --recv-keys "133E AC17 9436 F14A 5CF1 B794 860F EB80 4E66 9320" # see https://github.com/bitcoin-core/secp256k1/blob/master/SECURITY.md
 1> git tag -v v0.5.1
 2object 642c885b6102725e25623738529895a95addc4f4
 3type commit
 4tag v0.5.1
 5tagger Pieter Wuille <pieter@wuille.net> 1722540592 -0400
 6
 7libsecp256k1 0.5.1
 8[...]
 9gpg: Signature made 2024-08-01T21:29:52 CEST
10gpg:                using RSA key 2840EAABF4BC9F0FFD716AFAFBAFCC46DE2D3FE2
11gpg: Good signature from "Pieter Wuille <pieter@wuille.net>" [full]
12gpg:                 aka "Pieter Wuille <pieter.wuille@gmail.com>" [full]
13[...]

    I guess the reason is that GitHub doesn’t know the most recent revision of @sipa’s public key. Perhaps @sipa can re-upload the key to his GitHub profile.

    For the same reason, GitHub displays some signatures, e.g., the one by @jonasnick on the release commit https://github.com/bitcoin-core/secp256k1/commit/642c885b6102725e25623738529895a95addc4f4 (not release tag) as “Verified” but shows “This commit was signed with the committer’s verified signature. The key has expired.” (emphasis mine). This is just because GitHub doesn’t know @jonasnick’s most recent public key, and it can also be fixed by updating the public key in the GitHub profile. (I had this “issue” before and also happen to have it again after I extended my key recently.)

    edit: I’ve just re-uploaded my key.

  7. richmills3 commented at 1:51 pm on September 17, 2024: none
    Thanks - resolving.
  8. richmills3 closed this on Sep 17, 2024
  9. sipa commented at 2:09 pm on September 17, 2024: contributor
    Thanks for digging into that, @real-or-random. I’ve uploaded an updated GPG key to GitHub, and now the tag does show as “Verified”.


richmills3 real-or-random apoelstra sipa

Labels
release

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-11-21 08:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me