Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing PGP Public Key #3523

Closed
ston1th opened this issue Feb 12, 2024 · 3 comments
Closed

Missing PGP Public Key #3523

ston1th opened this issue Feb 12, 2024 · 3 comments
Labels
agent-java community Issues and PRs created by the community

Comments

@ston1th
Copy link

ston1th commented Feb 12, 2024

Describe the bug

I would like to ask you to provide the public PGP key to verify the signature of the elastic-apm-agent.jar as I'm unable to find a key for the ID 6D1D40678820047FF5C57C9D8AB554FD8F207067.

Steps to reproduce

gpg --verify elastic-apm-agent.jar.asc
gpg: assuming signed data in 'elastic-apm-agent.jar'
gpg: Signature made Mon Jan 29 17:33:05 2024 CET
gpg:                using RSA key 6D1D40678820047FF5C57C9D8AB554FD8F207067
gpg: Can't check signature: No public key
@github-actions github-actions bot added agent-java community Issues and PRs created by the community triage labels Feb 12, 2024
@SylvainJuge
Copy link
Member

Thanks for reporting this @ston1th , the signing key has changed for the last release (1.46.0) and the public key hasn't been published to common key servers yet.

Here is a copy of the public key:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBGWg4zoBCACh2Npi39oBcGn+pYm+ycxPBpUfs2Es0coHbSnbhMEcqyc9uMmE
hOwbD9p/I/5KjKBQn9FOWzshoARutAekn9rDZBjFjZFBaG8t9Gr2IHcET4BvmtjT
ShU3ekr8Xcl44j4X5IPeIa5y/TRTibEK9g+89f/9Ga0SlDuUDaJQVFClSVFhEACM
OiSY40E7sh9ZEwJjYOHz+BmKXDTBq5WYcmc8y9+sonwVGcwPDw2IRa3R0Fd1+hKH
2614Z+ILdzD3CP0Pla6tHjCE6v5mYNk9qUhTY2pvP+hxLfSNDBps0+tDdCWTcShq
gPXSDTraRMYVaat2P9OxQqoW8ZI+J1A6cViVABEBAAG0L2FwbS1yZWxlYXNlQGVs
YXN0aWMuY28gPGFwbS1yZWxlYXNlQGVsYXN0aWMuY28+iQFSBBMBCAA8FiEEbR1A
Z4ggBH/1xXydirVU/Y8gcGcFAmWg4zoDGy8EBQsJCAcCAiICBhUKCQgLAgQWAgMB
Ah4HAheAAAoJEIq1VP2PIHBnUC4H/i/nieduK/netXwOWXTHyaIlfetbJrZr/7LB
5Stj3KuA82kqrD+dgPQjQ2P2FRUrHhhjeUuS7DsyigT3JZdZQz6GLJA7ooWlsV9K
swCLEYrna/j/Nj3Flv6u33VQhRdHBTs+dcgqP3W2PrtKT7Zpji+pG6EDdxIgPocN
fqmUwyJ90dCJuhStQ3lO7Ky3f/4azGXdlQB3l2L0HuUWVB0SUS9eE/Ezv0cc7iuA
PWbWdOXh+X7KumxT482jvccNCisJL3xrUHtmEnhp2drCtoz41Kj7oZw0LU0mLDuB
/ZleA88yx2IbIx8lTNqF1Vt8qWGByegOzW6rG2/ksJLJNj7eCLo=
=TtVG
-----END PGP PUBLIC KEY BLOCK-----

There is a copy of the two public keys directly in the project code, but that's more for historical reasons than for future reference.

This public key should ideally be easily available to make artifact verification easier, so I'll ask the team in charge of it to see how to improve this.

@ston1th
Copy link
Author

ston1th commented Feb 14, 2024

Thank you very much!

@SylvainJuge SylvainJuge mentioned this issue Mar 26, 2024
Closed
@SylvainJuge
Copy link
Member

Hi @ston1th the issue should now be fixed and the key is now available with a proper ID (in this case email).

Here is what I got from the gpg --keyserver keys.openpgp.org --recv 6D1D40678820047FF5C57C9D8AB554FD8F207067 command:

gpg: key 8AB554FD8F207067: public key "apm-release@elastic.co <apm-release@elastic.co>" imported
gpg: Total number processed: 1
gpg:               imported: 1

@ston1th ston1th closed this as completed Jun 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
agent-java community Issues and PRs created by the community
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@SylvainJuge @ston1th