-
richmills3 commented at 10:48 am on September 17, 2024: noneAs per the title - The git tag for v0.5.1 doesn’t appear to be verified.
-
real-or-random commented at 12:22 pm on September 17, 2024: contributor
The git tag for v0.5.1 doesn’t appear to be verified.
What observation makes you arrive at this conclusion?
-
real-or-random added the label release on Sep 17, 2024
-
richmills3 commented at 12:25 pm on September 17, 2024: none
The git tag for v0.5.1 doesn’t appear to be verified.
What observation makes you arrive at this conclusion?
Tags - v0.5.1 Doesn’t have the Verified label.
-
apoelstra commented at 12:51 pm on September 17, 2024: contributorThe recent tags, including 0.5.1, appear to be all signed with the same key. This is probably just a Github bug.
-
real-or-random commented at 12:53 pm on September 17, 2024: contributor
Okay, indeed. I think this is just an issue with GitHub’s web interface. Try verifying the tag on the command line:
0> gpg --recv-keys "133E AC17 9436 F14A 5CF1 B794 860F EB80 4E66 9320" # see https://github.com/bitcoin-core/secp256k1/blob/master/SECURITY.md 1> git tag -v v0.5.1 2object 642c885b6102725e25623738529895a95addc4f4 3type commit 4tag v0.5.1 5tagger Pieter Wuille <pieter@wuille.net> 1722540592 -0400 6 7libsecp256k1 0.5.1 8[...] 9gpg: Signature made 2024-08-01T21:29:52 CEST 10gpg: using RSA key 2840EAABF4BC9F0FFD716AFAFBAFCC46DE2D3FE2 11gpg: Good signature from "Pieter Wuille <pieter@wuille.net>" [full] 12gpg: aka "Pieter Wuille <pieter.wuille@gmail.com>" [full] 13[...]
I guess the reason is that GitHub doesn’t know the most recent revision of @sipa’s public key. Perhaps @sipa can re-upload the key to his GitHub profile.
For the same reason, GitHub displays some signatures, e.g., the one by @jonasnick on the release commit https://github.com/bitcoin-core/secp256k1/commit/642c885b6102725e25623738529895a95addc4f4 (not release tag) as “Verified” but shows “This commit was signed with the committer’s verified signature. The key has expired.” (emphasis mine). This is just because GitHub doesn’t know @jonasnick’s most recent public key, and it can also be fixed by updating the public key in the GitHub profile. (I had this “issue” before and also happen to have it again after I extended my key recently.)
edit: I’ve just re-uploaded my key.
-
richmills3 commented at 1:51 pm on September 17, 2024: noneThanks - resolving.
-
richmills3 closed this on Sep 17, 2024
-
sipa commented at 2:09 pm on September 17, 2024: contributorThanks for digging into that, @real-or-random. I’ve uploaded an updated GPG key to GitHub, and now the tag does show as “Verified”.
richmills3
real-or-random
apoelstra
sipa
Labels
release
This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-21 16:15 UTC
More mirrored repositories can be found on mirror.b10c.me