xplr: PGP signatures could not be verified for 0.20.0 releases
Repro script:
#!/usr/bin/env bash
set -eux
REPO_URL="https://github.com/sayanarijit/xplr"
wget -qO source.tar.gz.asc "$REPO_URL/releases/download/v$1/source.tar.gz.asc"
wget -qO source.tar.gz "$REPO_URL/archive/refs/tags/v$1.tar.gz"
gpg --verify source.tar.gz.asc
Results:
$ ./repro.sh 0.20.0
+ REPO_URL=https://github.com/sayanarijit/xplr
+ wget -qO source.tar.gz.asc https://github.com/sayanarijit/xplr/releases/download/v0.20.0/source.tar.gz.asc
+ wget -qO source.tar.gz https://github.com/sayanarijit/xplr/archive/refs/tags/v0.20.0.tar.gz
+ gpg --verify source.tar.gz.asc
gpg: assuming signed data in 'source.tar.gz'
gpg: Signature made Sat 29 Oct 2022 12:30:03 AM +03
gpg: using RSA key D59CA14710C17C6B24717AF90F8EF5258DC38077
gpg: BAD signature from "Arijit Basu (June 3, 2021) <sayanarijit@gmail.com>" [unknown]
$ ./repro.sh 0.20.0-beta.3
+ REPO_URL=https://github.com/sayanarijit/xplr
+ wget -qO source.tar.gz.asc https://github.com/sayanarijit/xplr/releases/download/v0.20.0-beta.3/source.tar.gz.asc
+ wget -qO source.tar.gz https://github.com/sayanarijit/xplr/archive/refs/tags/v0.20.0-beta.3.tar.gz
+ gpg --verify source.tar.gz.asc
gpg: assuming signed data in 'source.tar.gz'
gpg: Signature made Thu 27 Oct 2022 08:53:58 PM +03
gpg: using RSA key D59CA14710C17C6B24717AF90F8EF5258DC38077
gpg: BAD signature from "Arijit Basu (June 3, 2021) <sayanarijit@gmail.com>" [unknown]
$ ./repro.sh 0.20.0-beta.2
+ REPO_URL=https://github.com/sayanarijit/xplr
+ wget -qO source.tar.gz.asc https://github.com/sayanarijit/xplr/releases/download/v0.20.0-beta.2/source.tar.gz.asc
+ wget -qO source.tar.gz https://github.com/sayanarijit/xplr/archive/refs/tags/v0.20.0-beta.2.tar.gz
+ gpg --verify source.tar.gz.asc
gpg: assuming signed data in 'source.tar.gz'
gpg: Signature made Thu 27 Oct 2022 02:39:12 PM +03
gpg: using RSA key D59CA14710C17C6B24717AF90F8EF5258DC38077
gpg: BAD signature from "Arijit Basu (June 3, 2021) <sayanarijit@gmail.com>" [unknown]
$ ./repro.sh 0.20.0-beta.1
+ REPO_URL=https://github.com/sayanarijit/xplr
+ wget -qO source.tar.gz.asc https://github.com/sayanarijit/xplr/releases/download/v0.20.0-beta.1/source.tar.gz.asc
+ wget -qO source.tar.gz https://github.com/sayanarijit/xplr/archive/refs/tags/v0.20.0-beta.1.tar.gz
+ gpg --verify source.tar.gz.asc
gpg: assuming signed data in 'source.tar.gz'
gpg: Signature made Wed 26 Oct 2022 10:29:10 PM +03
gpg: using RSA key D59CA14710C17C6B24717AF90F8EF5258DC38077
gpg: BAD signature from "Arijit Basu (June 3, 2021) <sayanarijit@gmail.com>" [unknown]
$ ./repro.sh 0.20.0-beta.0
+ REPO_URL=https://github.com/sayanarijit/xplr
+ wget -qO source.tar.gz.asc https://github.com/sayanarijit/xplr/releases/download/v0.20.0-beta.0/source.tar.gz.asc
+ wget -qO source.tar.gz https://github.com/sayanarijit/xplr/archive/refs/tags/v0.20.0-beta.0.tar.gz
+ gpg --verify source.tar.gz.asc
gpg: assuming signed data in 'source.tar.gz'
gpg: Signature made Wed 26 Oct 2022 01:52:21 AM +03
gpg: using RSA key D59CA14710C17C6B24717AF90F8EF5258DC38077
gpg: BAD signature from "Arijit Basu (June 3, 2021) <sayanarijit@gmail.com>" [unknown]
$ ./repro.sh 0.19.3
+ REPO_URL=https://github.com/sayanarijit/xplr
+ wget -qO source.tar.gz.asc https://github.com/sayanarijit/xplr/releases/download/v0.19.3/source.tar.gz.asc
+ wget -qO source.tar.gz https://github.com/sayanarijit/xplr/archive/refs/tags/v0.19.3.tar.gz
+ gpg --verify source.tar.gz.asc
gpg: assuming signed data in 'source.tar.gz'
gpg: Signature made Sun 11 Sep 2022 05:49:47 AM +03
gpg: using RSA key D59CA14710C17C6B24717AF90F8EF5258DC38077
gpg: Good signature from "Arijit Basu (June 3, 2021) <sayanarijit@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D59C A147 10C1 7C6B 2471 7AF9 0F8E F525 8DC3 8077
$ ./repro.sh 0.19.2
+ REPO_URL=https://github.com/sayanarijit/xplr
+ wget -qO source.tar.gz.asc https://github.com/sayanarijit/xplr/releases/download/v0.19.2/source.tar.gz.asc
+ wget -qO source.tar.gz https://github.com/sayanarijit/xplr/archive/refs/tags/v0.19.2.tar.gz
+ gpg --verify source.tar.gz.asc
gpg: assuming signed data in 'source.tar.gz'
gpg: Signature made Sat 10 Sep 2022 11:36:52 PM +03
gpg: using RSA key D59CA14710C17C6B24717AF90F8EF5258DC38077
gpg: Good signature from "Arijit Basu (June 3, 2021) <sayanarijit@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D59C A147 10C1 7C6B 2471 7AF9 0F8E F525 8DC3 8077
As you can see, none of the 0.20.0 releases can be verified with gpg. I'm not sure why it happens and I will look more into this when I have time.
About this issue
- State: closed
- Created 2 years ago
- Comments: 18 (18 by maintainers)
Done 🎉
Yay! Finally! Thanks a lot 👍
I got matching checksums with the following script:
Hmm, that's right. I think overriding the tar.tar.gz.command is a quick and easy solution.
I'd say let's not rely on github's ever-changing archive format, and attach our own source.tar.gz.
Reached at the same conclusion anyway 😄
I think I have a guess about what’s going on. I just had a flashback about an email that I read on the reproducible builds mailing list:
https://lore.kernel.org/git/Y0ynDbG8CxwAt4Fj@tapette.crustytoothpaste.net/t/
This means that the output of git archive that GitHub uses does not match the actual git archive command that is used here: https://github.com/sayanarijit/xplr/blob/ea8a1fcd46e04e6f048227a1209d33a54ffd3d63/.github/workflows/cd.yml#L121
As outlined in the mailing list, there seems to be a workaround:
I think it’s worth considering. I can submit a PR to try out this approach if you think it is applicable.
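To illustrate the failure mode the comment above describes, here is an added example (not from the issue or the xplr project) that builds one reproducible tar stream and compresses it with two differently configured gzip encoders, standing in for the CI job's gzip and GitHub's newer `git archive`. The outer `.tar.gz` digests differ even though the uncompressed payload is byte-identical, which is exactly why a detached signature over one archive reports BAD on the other. The sample files are constructed.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed stand-in for a release tree; contents are arbitrary.
SAMPLE_FILES = {
    "xplr-0.20.0/Cargo.toml": b'[package]\nname = "xplr"\nversion = "0.20.0"\n',
    "xplr-0.20.0/src/main.rs": b"fn main() {}\n",
}


def build_tar(files):
    """Build a deterministic uncompressed tar from {path: bytes}.

    Mimics what `git archive` guarantees: fixed mtime and ownership and
    sorted entries, so repeated runs yield identical tar bytes.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(files):
            data = files[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def compress(tar_bytes, level, header_mtime):
    """gzip the same tar with a given level and gzip-header mtime.

    Two encoders (or the same encoder with different settings) legitimately
    emit different bytes for identical input; only decompression is fixed.
    """
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level,
                       mtime=header_mtime) as gz:
        gz.write(tar_bytes)
    return out.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare_archives(a_gz, b_gz):
    """Return (outer_equal, inner_equal) for two .tar.gz byte strings."""
    outer_equal = sha256(a_gz) == sha256(b_gz)
    inner_equal = sha256(gzip.decompress(a_gz)) == sha256(gzip.decompress(b_gz))
    return outer_equal, inner_equal
```

A detached signature covers the outer bytes, so the only robust fix is the one the thread settles on: sign and attach the archive you built yourself rather than one regenerated by a third party.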
Thanks for reporting. Checking what’s the issue. And many thanks for sponsoring me 😃