
Signature verification of 1.2.2 #1595

Open
oallauddin opened this issue Dec 19, 2024 · 4 comments
Labels: bug (Something isn't working), triage (New issues or PRs to be acknowledged by maintainers)

Comments

@oallauddin

What happened in your environment?

Signature verification is failing for 1.2.2 when following the documentation "Validating ORAS CLI Binaries".
It looks like there is a new public key file, KEYS, because Shiwei Zhang was added.
Does the documentation need to be updated? Should we be using this new public key?

What did you expect to happen?

Signature verification will pass.

How can we reproduce it?

Run the shell script below.

#!/bin/bash -e
tag=v1.2.2
version=1.2.2
# Key from the documented procedure: one maintainer's GPG key as published by GitHub
curl -sSL https://github.com/qweeah.gpg --output qweeah.gpg
gpg --import qweeah.gpg
# Detached ASCII-armored signature and the release tarball it covers
curl -sSL "https://github.com/oras-project/oras/releases/download/${tag}/oras_${version}_linux_amd64.tar.gz.asc" --output oras_${version}_linux_amd64.tar.gz.asc
curl -sSL "https://github.com/oras-project/oras/releases/download/${tag}/oras_${version}_linux_amd64.tar.gz" --output oras_${version}_linux_amd64.tar.gz
# Fails for 1.2.2 as described above
gpg --verify oras_${version}_linux_amd64.tar.gz.asc oras_${version}_linux_amd64.tar.gz

What is the version of your ORAS CLI?

1.2.2

What is your OS environment?

Amazon Linux 2023

Are you willing to submit PRs to fix it?

  • Yes, I am willing to fix it.
oallauddin added the bug and triage labels on Dec 19, 2024
@TerryHowe (Member)

Any reason we aren't using the KEYS file in the documentation?

@TerryHowe (Member)

Something along the lines of:

 % curl -sSL https://raw.githubusercontent.com/oras-project/oras/refs/heads/main/KEYS | gpg --import - 
gpg: key F86EC70D2B0C404F: "Billy Zha <[email protected]>" not changed
gpg: key 4F723223E9DF0185: "Shiwei Zhang <[email protected]>" not changed
gpg: Total number processed: 2
gpg:              unchanged: 2

@oallauddin (Author) commented Dec 20, 2024

I ended up using the KEYS file. Didn't want to parse the release notes in the script that runs in our CI build.

#!/bin/bash -e

# download the public key
curl -sSL https://raw.githubusercontent.com/oras-project/oras/main/KEYS --output KEYS

# NOTE: manually run below command locally to determine the known checksum of the public key
# curl -sSL https://raw.githubusercontent.com/oras-project/oras/main/KEYS | sha256sum
# we will need to update the known checksum each time the public key is updated
KEYS_CHECKSUM="d29aae25ce1ca6068657f4249bde54c1819687486bb6af2af62c4dee88aed735"
echo -n "$KEYS_CHECKSUM  KEYS" > KEYS.sha256

# validate the checksum
sha256sum --check KEYS.sha256
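Putting the two suggestions in this thread together (import the project's KEYS file rather than one maintainer's key, and pin KEYS to a known checksum), here is an added example of a CI verification script. It is not code from this issue or from the ORAS project. It assumes the asset names and download URLs used in the reproduction script above, the KEYS checksum the reporter pinned on Dec 20, 2024 (which has to be refreshed whenever KEYS changes), and a gpg whose VALIDSIG status line ends with the primary-key fingerprint (gpg 2.x does this). The sample status lines at the bottom are constructed for an offline dry run and use placeholder fingerprints (zeros followed by the key ID), not the maintainers' real fingerprints.

```shell
#!/bin/bash
# Added example (not ORAS project code): verify an ORAS release tarball in CI
# against the KEYS file, with KEYS pinned to a checksum and the signing key
# pinned to an allow-list of long key IDs.
set -eu

# Checksum the reporter pinned on Dec 20, 2024. Refresh it whenever KEYS changes:
#   curl -sSL "$KEYS_URL" | sha256sum
KEYS_SHA256="d29aae25ce1ca6068657f4249bde54c1819687486bb6af2af62c4dee88aed735"
# Long key IDs from the import output earlier in this thread (Billy Zha, Shiwei Zhang).
ALLOWED_KEYIDS="F86EC70D2B0C404F 4F723223E9DF0185"
KEYS_URL="https://raw.githubusercontent.com/oras-project/oras/main/KEYS"

# Compare a file's SHA-256 with a pinned value (sha256sum, or shasum on macOS).
check_pinned_sha256() {
  file=$1
  expected=$2
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
  fi
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: got $actual, expected $expected" >&2
    return 1
  fi
}

# Read "gpg --status-fd" output on stdin and require a VALIDSIG line whose last
# field (primary-key fingerprint, assumed present as in gpg 2.x) ends in one of
# the allowed long key IDs. A bare "Good signature" only proves that *some*
# imported key signed the file, which is too weak once KEYS holds several keys.
check_validsig() {
  allowed=$1
  fpr=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF } END { print fpr }')
  if [ -z "$fpr" ]; then
    echo "no VALIDSIG status line: signature missing or invalid" >&2
    return 1
  fi
  keyid=$(printf '%s' "$fpr" | tail -c 16)
  for k in $allowed; do
    if [ "$k" = "$keyid" ]; then
      return 0
    fi
  done
  echo "signature made by unexpected key $fpr" >&2
  return 1
}

# Full flow (needs network and gpg): verify_release 1.2.2 [linux_amd64]
verify_release() {
  version=$1
  arch=${2:-linux_amd64}
  asset="oras_${version}_${arch}.tar.gz"
  base="https://github.com/oras-project/oras/releases/download/v${version}"

  curl -sSLf "$KEYS_URL" -o KEYS
  check_pinned_sha256 KEYS "$KEYS_SHA256"

  # Fresh keyring so only the pinned KEYS file is trusted for this run.
  GNUPGHOME=$(mktemp -d)
  export GNUPGHOME
  gpg --batch --quiet --import KEYS

  curl -sSLf "$base/$asset" -o "$asset"
  curl -sSLf "$base/$asset.asc" -o "$asset.asc"
  # A bad or missing signature makes gpg exit non-zero and emit no VALIDSIG,
  # which check_validsig then reports.
  status=$(gpg --batch --status-fd 1 --verify "$asset.asc" "$asset" 2>/dev/null) || true
  printf '%s\n' "$status" | check_validsig "$ALLOWED_KEYIDS"
  echo "verified $asset"
}

# Constructed sample gpg status output for an offline dry run. Fingerprints are
# placeholders (zeros plus a key ID), not the maintainers' real fingerprints.
SAMPLE_STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG F86EC70D2B0C404F Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 000000000000000000000000F86EC70D2B0C404F 2024-12-19 1734566400 0 4 0 1 10 00 000000000000000000000000F86EC70D2B0C404F'
SAMPLE_STATUS_UNKNOWN='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <else@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2024-12-19 1734566400 0 4 0 1 10 00 0000000000000000000000000123456789ABCDEF'

case "${1:-}" in
  verify)  verify_release "$2" "${3:-linux_amd64}" ;;
  dry-run) printf '%s\n' "$SAMPLE_STATUS_GOOD" | check_validsig "$ALLOWED_KEYIDS" && echo "sample accepted" ;;
esac
```

Run it as `./verify.sh verify 1.2.2` in CI, or `./verify.sh dry-run` to exercise the key-ID check without network access. The checksum pin catches a modified KEYS file until the pin is updated; the key-ID allow-list is the check that still holds after the pin is refreshed, because it rejects a signature from any key that was quietly added to KEYS but never reviewed.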

@TerryHowe (Member)

I'm not sure how the other maintainers feel, but maybe a PR to the docs site?
