
Are Rocket Pool's PGP keys documented somewhere? #103

Raekye opened this issue Jul 26, 2023 · 0 comments


Raekye commented Jul 26, 2023

Release v1.0.0 includes a PGP key (1):

# curl -L https://github.com/rocket-pool/smartnode-install/releases/download/v1.0.0/smartnode-signing-key.asc | gpg --import-options show-only --import
pub   ed25519/0xC87825790FEE494C 2021-10-01 [SC]
      Key fingerprint = 465E 63FA 396B D193 09D1  E5FE C878 2579 0FEE 494C
      Keygrip = A78FD0D2744F946FF11916F88D2FFA0EE29570FC
uid                              Rocket Pool (Smartnode Signing Key) <[email protected]>

Release v1.4.1 notes that the signing key has been changed:

# curl -L https://github.com/rocket-pool/smartnode-install/releases/download/v1.4.1/smartnode-signing-key-v2.asc | gpg --import-options show-only --import
pub   ed25519/0xA69D503BCDB98CB1 2022-06-01 [SC] [expired: 2023-06-01]
      Key fingerprint = 8F10 7D8C 1248 71D8 C98C  DC91 A69D 503B CDB9 8CB1
      Keygrip = C18AEC7EE7515DB951C4A7723DBAB6DAF374CD56
uid                              Rocket Pool (Smartnode Installation Signing Key v2) <[email protected]>

Shortly after, release v1.4.3 seems to have changed the key again, though I don't think it was announced. Note that the previous key was set to expire in 2023, but v1.4.3 was released in 2022, just a bit over a month after v1.4.1.

# curl -L https://github.com/rocket-pool/smartnode-install/releases/download/v1.4.3/smartnode-signing-key-v3.asc | gpg --import-options show-only --import
pub   nistp256/0xE00CDCDC74B1E3F5 1970-01-01 [SC]
      Key fingerprint = D17F BE7E 12E2 C9DC 21CE  2BC3 E00C DCDC 74B1 E3F5
      Keygrip = E10252EC650D7F6E48E11E3FEBF0A88E6A39816A
uid                              Joe Clapis <[email protected]>
sub   nistp256/0x754769E8F0A9ECF4 1970-01-01 [E]
      Keygrip = 2561044DFDCF2022F468657DC12EE501859F2919

This "v3" key is the most recent key as far as I can tell; it has been used up until and including the most recent release (v1.10.0).

I think it would be helpful to document the current signing key somewhere on the website or git repository. For example, Geth lists their PGP keys on the download page of their website, and Lighthouse lists their PGP key in the README of their repository.

Additionally, I think it would be nice if the previous keys were documented for historical transparency. For example, why was "v2" added? Did the original key get compromised? Why was "v2" replaced so quickly, and without announcement? Why does the user ID of the current key refer to one developer (Joe Clapis <[email protected]>) as opposed to Rocket Pool (Smartnode Installation Signing Key v2) <[email protected]> and Rocket Pool (Smartnode Signing Key) <[email protected]> in the previous keys (2)?

(1): I believe the key was first published with v1.0.0 prerelease 4. Prerelease 3 published signatures but I don't think it included the signing key. I don't believe any prior releases were signed.

(2): Having lurked on the discord for a while, I recognize Joe Clapis (pretty sure he's personally answered my questions before 😅 ) and I trust the key. However, I still think it would be better practice to have an "official reference" for the active (and past) PGP keys.
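The kind of "official reference" the issue asks for can be made machine-checkable. The following is an added example, not code from the Rocket Pool project: it parses the text that `gpg --import-options show-only --import` prints (as quoted above), compares the fingerprint against a pinned list of documented keys, and reports the conditions a release-verification script should refuse on (undocumented key, retired key, expired key, or a user ID that no longer names the project). The fingerprints are the three from the issue; which one is marked active is an assumption for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Documented reference of signing keys (fingerprints from the issue above).
# Marking v3 as the active key is an assumption made for this example.
DOCUMENTED_KEYS = {
    "465E63FA396BD19309D1E5FEC87825790FEE494C": "v1 (retired)",
    "8F107D8C124871D8C98CDC91A69D503BCDB98CB1": "v2 (retired)",
    "D17FBE7E12E2C9DC21CE2BC3E00CDCDC74B1E3F5": "v3 (active)",
}
PUB_RE = re.compile(r"^pub\s+(\S+)\s+(\d{4}-\d{2}-\d{2})\s+\[SC\](?:\s+\[(expired: [^\]]+)\])?", re.M)
FPR_RE = re.compile(r"Key fingerprint = ([0-9A-F ]+)")
UID_RE = re.compile(r"^uid\s+(.+?)\s*$", re.M)

@dataclass
class KeyInfo:
    fingerprint: str  # 40 hex digits, spaces removed
    algo: str         # e.g. "ed25519/0xC87825790FEE494C"
    created: str
    expired: Optional[str]
    uid: str

def parse_show_only(output: str) -> KeyInfo:
    """Parse the human-readable block gpg prints for --import-options show-only."""
    pub, fpr, uid = PUB_RE.search(output), FPR_RE.search(output), UID_RE.search(output)
    if not (pub and fpr and uid):
        raise ValueError("unrecognised gpg output")
    return KeyInfo(fpr.group(1).replace(" ", ""), pub.group(1), pub.group(2),
                   pub.group(3), uid.group(1))

def check_key(info: KeyInfo, project: str = "Rocket Pool") -> list:
    """Findings a release-verification script should refuse on; empty means OK."""
    findings = []
    label = DOCUMENTED_KEYS.get(info.fingerprint)
    if label is None:
        findings.append("fingerprint not in documented key list")
    elif "active" not in label:
        findings.append(f"key {label} is no longer the active signing key")
    if info.expired:
        findings.append(info.expired)
    if project not in info.uid:
        findings.append(f"uid does not name the project: {info.uid}")
    return findings

# Constructed sample: the v3 key block exactly as quoted in the issue above.
V3_OUTPUT = """pub   nistp256/0xE00CDCDC74B1E3F5 1970-01-01 [SC]
      Key fingerprint = D17F BE7E 12E2 C9DC 21CE  2BC3 E00C DCDC 74B1 E3F5
uid                              Joe Clapis <[email protected]>
"""
```

Running `check_key(parse_show_only(V3_OUTPUT))` accepts the fingerprint but still flags that the user ID names a developer rather than the project, which is exactly the concern raised in (2).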
