[MDBF-260] git release tags are not signed Created: 2021-08-04  Updated: 2022-02-01

Status: Closed
Project: MariaDB Foundation Development
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Otto Kekäläinen Assignee: Daniel Bartholomew
Resolution: Unresolved Votes: 0
Labels: Security, security
Remaining Estimate: 0d
Time Spent: 0.25d
Original Estimate: Not Specified


Description

It seems that the git tags used to tag MariaDB Server releases are not signed.

For example the recent mariadb-10.6.3 tag by serg and mariadb-10.4.20 by marko don't seem to be signed.

Compare:

$ git tag -v mariadb-10.5.11
error: mariadb-10.5.11: cannot verify a non-tag object of type commit.
(from: https://github.com/MariaDB/server/releases/tag/mariadb-10.5.11)

$ git tag -v debian/1%10.5.11-1
object 916d02055c70372621c463043387e1367e20cb12
type commit
tag debian/1%10.5.11-1
tagger Otto Kekäläinen <otto@debian.org>
(from: https://salsa.debian.org/mariadb-team/mariadb-10.5/-/tags/debian%2F1%2510.5.11-1)

Signing can be done by adding `-s` when tagging, e.g. `git tag -s mariadb-10.5.12`. You could use the same GPG key to sign the tags as is used to sign the tar.gz source releases.

For details see:



Comments
Comment by Marko Mäkelä [ 2021-08-04 ]

For what it is worth, I do not remember ever creating any tag in any Git repository. I have understood that dbart normally creates tags as part of the release process.

Comment by Otto Kekäläinen [ 2021-08-07 ]

The latest tags are now signed, but with Daniel's personal key, which does not seem to be published on the usual keyservers, so normal users can't verify these tags:

$ git tag -v mariadb-10.6.4
object 2db692f5b4d6bb31a331dab44544171c455f6aca
type commit
tag mariadb-10.6.4
tagger Daniel Bartholomew <db@dbart.us> 1628174514 -0400
 
MariaDB 10.6.4
gpg: Signature made Thu  5 Aug 07:42:08 2021 PDT
gpg:                using RSA key 3B3C906311191ABF515055D49171189995E45A9E
gpg:                from "Daniel Bartholomew <daniel@dbart.us>" [unknown]
gpg:                 aka "Daniel Bartholomew (personal gpg key) <dbart@dbart.us>" [unknown]
Primary key fingerprint: 3B3C 9063 1119 1ABF 5150  55D4 9171 1899 95E4 5A9E

Comment by Daniel Bartholomew [ 2021-08-09 ]

Yes, for this round of releases I added the following to my ~/.gitconfig:

[tag]
  gpgsign = true

...so it used my personal gpg key, the same that I use to sign commits. I will add signingkey = F1656F24C74CD1D8 to that section of the config so that the same signing-key@mariadb.org key that I use to sign Debian/Ubuntu repositories is used for future tags.

As far as publishing my personal key goes, I thought it was published to at least keyserver.ubuntu.com. If there are other "usual" keyservers I should publish it to, please let me know. I published it again just now.

As an aside, I used to have gpg configured to sync with the pool of servers at sks-keyservers.net, but that service seems to have shut down. Are there any replacement pools?

Comment by Daniel Bartholomew [ 2021-08-09 ]

Actually, to properly sign the tag I need to specify it on the command-line, e.g.:

git tag -u ${key_id} ${tag_name} ${commit_hash}

(Putting this here for future me)

Comment by Otto Kekäläinen [ 2021-08-11 ]

Thanks for looking into it.

This is what I got originally:

$ git tag -v mariadb-10.5.12
object b5569b62408375f35e2fe851158a7ff17e378ed1
type commit
tag mariadb-10.5.12
tagger Daniel Bartholomew <db@dbart.us> 1628173022 -0400
 
MariaDB 10.5.12
gpg: Signature made Thu  5 Aug 07:17:14 2021 PDT
gpg:                using RSA key 3B3C906311191ABF515055D49171189995E45A9E
gpg: Can't check signature: No public key

Now I get:

$ git tag -v mariadb-10.5.12
object b5569b62408375f35e2fe851158a7ff17e378ed1
type commit
tag mariadb-10.5.12
tagger Daniel Bartholomew <db@dbart.us> 1628173022 -0400
 
MariaDB 10.5.12
gpg: Signature made Thu  5 Aug 07:17:14 2021 PDT
gpg:                using RSA key 3B3C906311191ABF515055D49171189995E45A9E
gpg: Good signature from "Daniel Bartholomew (personal gpg key) <db@dbart.us>" [unknown]
gpg:                 aka "Daniel Bartholomew <daniel@dbart.us>" [unknown]
gpg:                 aka "Daniel Bartholomew (personal gpg key) <dbart@dbart.us>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3B3C 9063 1119 1ABF 5150  55D4 9171 1899 95E4 5A9E

And your key is now visible at https://keyserver.ubuntu.com/pks/lookup?search=0x9171189995E45A9E&fingerprint=on&op=index

Comment by Daniel Bartholomew [ 2021-08-11 ]

It won't be the signature I use for future tag signing, but good that it at least now shows up. Thanks.
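The description's `git tag -v` comparison and the later exchange about an unpublished key and a "Good signature" that gpg still flags as uncertified come down to one check a consumer of these tags should script: the tag must be a signed tag object (not a lightweight tag pointing at a commit), the signature must validate, and the primary key fingerprint must match one pinned in advance. The following is an added example written for this ticket; it is not MariaDB, Debian or GnuPG project code. It assumes `git verify-tag --raw`, which forwards gpg's `--status-fd` lines on stderr, and pins the fingerprint printed in the comments above purely as an illustration. `judge()` is pure, so it can be exercised on captured status output without a repository; `verify_release_tag()` wraps the git call for real use.

```python
"""Check that a git release tag is signed by a pinned OpenPGP key.

Added example for this ticket, not MariaDB/Debian project code. Assumes only
git and gpg; judge() is pure so it can be run on captured status output.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

STATUS_PREFIX = "[GNUPG:] "

# Fingerprint copied from the gpg output quoted in the ticket, used here only
# as an illustration; which keys to pin for a real release check is policy.
PINNED_RELEASE_KEYS = {
    "3B3C 9063 1119 1ABF 5150  55D4 9171 1899 95E4 5A9E",
}


@dataclass
class TagVerdict:
    ok: bool
    reason: str
    primary_fingerprint: Optional[str] = None


def normalize_fingerprint(fpr: str) -> str:
    """Strip the spacing gpg prints and upper-case the hex so comparisons are exact."""
    return "".join(fpr.split()).upper()


def parse_gpg_status(stderr: str) -> List[Tuple[str, List[str]]]:
    """Extract (keyword, args) pairs from the machine-readable status lines that
    `git verify-tag --raw` forwards from `gpg --status-fd`.

    Human-readable lines are ignored on purpose: they are localized (the ticket
    shows Finnish dates) and not stable enough to parse.
    """
    records = []
    for line in stderr.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        parts = line[len(STATUS_PREFIX):].split()
        if parts:
            records.append((parts[0], parts[1:]))
    return records


def judge(returncode: int, stderr: str, pinned: Set[str]) -> TagVerdict:
    """Decide whether verify-tag output proves a signature by a pinned key."""
    allowed = {normalize_fingerprint(f) for f in pinned}
    # A lightweight tag is just a ref to a commit; there is no tag object to sign.
    if "cannot verify a non-tag object" in stderr:
        return TagVerdict(False, "lightweight tag: points straight at a commit, nothing to verify")
    status = parse_gpg_status(stderr)
    keywords = {k for k, _ in status}
    if "NO_PUBKEY" in keywords:
        keyid = next(args[0] for k, args in status if k == "NO_PUBKEY")
        return TagVerdict(False, f"signed, but public key {keyid} is not in the local keyring")
    if "BADSIG" in keywords:
        return TagVerdict(False, "signature does not match the tag object")
    validsig = [args for k, args in status if k == "VALIDSIG"]
    if not validsig:
        return TagVerdict(False, "no valid OpenPGP signature on the tag")
    fields = validsig[0]
    # Field 10 of VALIDSIG is the primary key fingerprint (present when a signing
    # subkey was used); fall back to the signing key itself if gpg omitted it.
    primary = normalize_fingerprint(fields[9] if len(fields) >= 10 else fields[0])
    if primary not in allowed:
        return TagVerdict(False, "good signature, but from a key that is not pinned", primary)
    if returncode != 0:
        return TagVerdict(False, "git rejected the signature; check gpg.minTrustLevel and key expiry", primary)
    return TagVerdict(True, "signed by a pinned release key", primary)


def verify_release_tag(tag: str, repo: str = ".", pinned: Set[str] = PINNED_RELEASE_KEYS) -> TagVerdict:
    """Run `git verify-tag --raw` in the given repository and judge its output."""
    proc = subprocess.run(
        ["git", "-C", repo, "verify-tag", "--raw", tag],
        capture_output=True, text=True, check=False,
    )
    return judge(proc.returncode, proc.stderr, pinned)
```

Keying the decision on the VALIDSIG fingerprint rather than on the words "Good signature" is what makes the WARNING about an uncertified key irrelevant: web-of-trust status is replaced by an explicit pin that the consumer controls. The check is also independent of which signer-side route produced the tag (tag.gpgSign, user.signingkey or `git tag -u`), and the NO_PUBKEY branch reproduces the "No public key" failure seen above before the key was published, which is the right place to fail closed rather than fall back to an unsigned download.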

Generated at Thu Feb 08 03:36:36 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.