Re: [qemu-web PATCH] Add public key for tarball-signing to download page

["Daniel P. Berrangé" <berrange@redhat.com>]

On Tue, May 03, 2022 at 07:21:29PM -0500, Michael Roth wrote:
> We used to have public keys listed on the SecurityProcess page back
> when it was still part of the wiki, but they are no longer available
> there and some users have asked where to obtain them so they can verify
> the tarball signatures.
> 
> That was probably not a great place for them anyway, so address this by
> adding the public signing key directly to the download page.
> 
> Since a compromised tarball has a high likelyhood of coinciding with a
> compromised host (in general at least), also include some information
> so they can verify the correct signing key via stable tree git tags if
> desired.
> 
> Reported-by: Stefan Hajnoczi <stefanha@redhat.com>
> Signed-off-by: Michael Roth <michael.roth@amd.com>
> ---
>  _download/source.html | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/_download/source.html b/_download/source.html
> index 8671f4e..c0a55ac 100644
> --- a/_download/source.html
> +++ b/_download/source.html
> @@ -23,6 +23,7 @@ make
>  </pre>
>  	{% endfor %}
>  
> +	<p>Source tarballs on this site are generated and signed by the package maintainer using the public key <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/CEACC9E15534EBABB82D3FA03353C9CEF108B584">F108B584</a>. This key is also used to tag the QEMU stable releases in the official QEMU gitlab mirror, and so can be verified through git as well if there are concerns about the authenticity of this information.</p>

Line wrap your text at 80 cols please.

Also when downloading the key from that link, it does not contain any
user IDs, which does not fill me with confidence as someone wanting
to verify QEMU releases. Is there a link we can use which has the
user IDs in the key ?

I don't think we need to put the caveat about authenticity in the
last sentance, as that's just needlessly sowing seeds of doubt
IMHO. Lets keep is simple & clearly identify the key owner, so people can
match what they download against what we display, thus:


  <p>Git tags and source tarballs for official QEMU releases are signed by
     the release manager using
     <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/CEACC9E15534EBABB82D3FA03353C9CEF108B584">this GPG Public Key</a>:
  </p>

  <pre>
pub   rsa2048/0x3353C9CEF108B584 2013-10-18 [SC]
      Key fingerprint = CEAC C9E1 5534 EBAB B82D  3FA0 3353 C9CE F108 B584
uid                    Michael Roth <flukshun@gmail.com>
uid                    Michael Roth <mdroth@utexas.edu>
uid                    Michael Roth <mdroth@linux.vnet.ibm.com>
sub   rsa2048/0x3B0B7D75D7AC684E 2013-10-18 [E]
  </pre>


Might be good to republish your key with updated UID for your AMD email
addr too, so there's an unambiguous connection between the email addr
you use you announce releases on the mailing list and the key used to
sign.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|