gpgkeys.txt is broken

mms

Code:
$ gpg --allow-non-selfsigned-uid --no-default-keyring --keyring /tmp/tmp.s7YEIIZX --import /tmp/tmp.oVtOGme1
...
gpg: invalid armor header: mQINBF+5ojQBEADSqQjD4h1lOwAGgmz4dK0Zf4JkoJCpQ7jw2B5jigNySdKf1rQN\n
gpg: CRC error; DDCBB0 - 42D3D7
gpg: [don't know]: invalid packet (ctb=48)
gpg: read_block: read error: invalid packet
gpg: import from `/tmp/tmp.oVtOGme1' failed: invalid keyring
gpg: Total number processed: 263
gpg:               imported: 263  (RSA: 166)
gpg: no ultimately trusted keys found

The problem is a missing empty line before mQINBF+5ojQBEADSqQjD4h1lOwAGgmz4dK0Zf4JkoJCpQ7jw2B5jigNySdKf1rQN (currently at line 49955).

Please fix this asap, we are relying on that file for automated release ISO signature validation.


As a side note, the hosting of that file is also sort of broken. The download breaks frequently like in the following example (from today):
Code:
$ fetch -o /tmp/tmp.oVtOGme1 -- 'https://docs.freebsd.org/pgpkeys/pgpkeys.txt'
/tmp/tmp.oVtOGme1                              87% of 5481 kB 1259 kBps    04s
fetch: /tmp/tmp.oVtOGme1 appears to be truncated: 4905771/5612792 bytes

As another side note: Why are you not using some sane key to sign the releases (like the security officer key) that would allow you to validate an ISO without trusting a couple hundred keys (or jumping through yet another set of hoops for extracting that very particular key)? And while we are at it: why isn't there a sane and well documented process for this (I'm not even talking tools...)? After all, it's the year 2021. I would expect something that doesn't feel homegrown and severely outdated. And I certainly don't want to download and validate some release ISO to get hold of a trustworthy MANIFEST just to validate a base.txz.

It also doesn't help that the checksum files and the keyring are renamed and moved at will on the website without any notice. This way you also break the processes other people build in lack of an official one. At least give us an HTTP redirect!
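The failure reported above (an armor body line landing where gpg expects a header) is cheap to detect and repair before the keyring is handed to gpg. The script below is an added example, not code from the original post or from the FreeBSD project: it scans an ASCII-armored file for a BEGIN line whose base64 body is not separated from the armor headers by a blank line, inserts the missing line, and shows the throwaway-keyring import and detached-signature verification that a release-validation job would run afterwards. It needs only a POSIX shell and awk; the fetch(1) and gpg(1) helpers assume those tools are installed, the sample keyring is constructed fake base64 (not real key material), and the checksum/signature file names in the usage comment are placeholders, not the project's published names.

```shell
#!/bin/sh
# Added example; not code from the original post or from the FreeBSD project.
# Detects and repairs an ASCII-armored block whose base64 body begins right
# after the "-----BEGIN PGP ..." line (or after its "Name: value" armor
# headers) with no blank separator line, which gpg reports as
# "invalid armor header". gpg(1) and fetch(1) are assumed to exist for the two
# helpers at the end; they are not exercised by the offline test.

# Print the number of every line that starts an armor body without the blank
# line that must end the header section. Exit status 1 if any, 0 if clean.
find_missing_armor_blank() {
    awk '
        /^-----BEGIN PGP /       { inhdr = 1; next }
        inhdr && /^[A-Za-z-]+: / { next }            # legitimate "Name: value" header
        inhdr && /^$/            { inhdr = 0; next }  # blank line ends the headers
        inhdr                    { print NR; bad = 1; inhdr = 0 }
        END                      { exit (bad ? 1 : 0) }
    ' "$1"
}

# Write a repaired copy of "$1" to "$2", inserting the missing blank line.
# Well-formed blocks pass through unchanged.
fix_missing_armor_blank() {
    awk '
        /^-----BEGIN PGP /       { inhdr = 1; print; next }
        inhdr && /^[A-Za-z-]+: / { print; next }
        inhdr && /^$/            { inhdr = 0; print; next }
        inhdr                    { inhdr = 0; print ""; print; next }
                                 { print }
    ' "$1" > "$2"
}

# Constructed fixture (fake base64, not real key material): two blocks, the
# second one missing the blank line, as in the reported pgpkeys.txt.
make_sample_keyring() {
    cat > "$1" <<'EOF'
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: example

mQINBFexampleexampleexampleexampleexampleexampleexampleexampleexa
=AbCd
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFexampleexampleexampleexampleexampleexampleexampleexampleexb
=EfGh
-----END PGP PUBLIC KEY BLOCK-----
EOF
}

# Download with retries. fetch(1) reports a body shorter than the announced
# length as truncated (as in the post) and exits non-zero, so a broken
# transfer is retried rather than imported.
fetch_keyring() {
    url=$1; out=$2; n=0
    while [ "$n" -lt 5 ]; do
        fetch -o "$out" -- "$url" && return 0
        n=$((n + 1)); sleep 2
    done
    return 1
}

# Import a (repaired) keyring into a throwaway keyring and verify a detached
# signature over a checksum file. File names are the caller's; this shows the
# gpg invocation only, not the project's own procedure.
verify_checksums() {
    keyring=$1; checksums=$2; sig=$3
    tmpkr=$(mktemp) || return 1
    gpg --no-default-keyring --keyring "$tmpkr" --import "$keyring" || return 1
    gpg --no-default-keyring --keyring "$tmpkr" --verify "$sig" "$checksums"
}

# Typical use (not executed here; checksum file names are placeholders):
#   fetch_keyring https://docs.freebsd.org/pgpkeys/pgpkeys.txt pgpkeys.txt
#   find_missing_armor_blank pgpkeys.txt || fix_missing_armor_blank pgpkeys.txt pgpkeys.fixed
#   verify_checksums pgpkeys.fixed CHECKSUM.SHA256 CHECKSUM.SHA256.asc
```

The header test relies on the armor grammar: header lines are `Name: value`, the base64 body never contains a colon or a space, so the first non-header, non-blank line after BEGIN is by definition body text that gpg will reject as a header. Running the check before import also gives the automation a crisp failure ("line N") instead of the CRC/packet cascade in the gpg output above.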
 

mark_j

This is a forum for mainly end-users and some developers.
You need to file an appropriate PR with the port maintainer of gpg, not here.
Complaints about signing need to go to the security officer; see the mailing list(s).
 
mms (OP)

> This is a forum for mainly end-users and some developers.
> You need to file an appropriate PR with the port maintainer of gpg, not here.
> Complaints about signing need to go to the security officer; see the mailing list(s).
It's not about gpg, it's about a file on the project website.

Thanks SirDice, you are right. I've filed a bug: PR 257783

However, I would like to keep the discussion open for the rant. The current validation process for deliverables seems severely lacking in many regards.
 

SirDice

> However, I would like to keep the discussion open for the rant. The current validation process for deliverables seems severely lacking in many regards.
This is also not the place to do that. There are very few developers or maintainers on the forums, so there are very few people around that could do anything about it. This board is run by users for users. You can find the developers and maintainers on the various mailing lists.
 
mms (OP)

Been there, done that: PR 222044

At which point is it safe to assume that no one cares?
 

mark_j

> It's not about gpg, it's about a file on the project website.
>
> Thanks SirDice, you are right. I've filed a bug: PR 257783
>
> However, I would like to keep the discussion open for the rant. The current validation process for deliverables seems severely lacking in many regards.
And you've got a reply to your pr showing it's best to keep your rant (your words) addressed to the people who can make the changes.
 
mms (OP)

This is true, but I've also got another PR that shows that the issue for my rant (the other side note) is not reaching an interested audience on that channel either.
 

SirDice

Providing an objective description of issues and problems usually works a lot better. Leave your emotions out of it. I understand things can be frustrating but ranting never helps getting things done.
 