Validatable release artifacts are not sufficient for packaging (trying to run tests) #4296
Comments
@nlohmann would you have some input for me here? I am currently blocked from upgrading the package on Arch Linux due to this issue

I am rather unfamiliar with what I can do to help here.

To quote myself from above 😄

But isn't https://github.com/nlohmann/json/releases/tag/v3.11.3 signed?

Yes, the

The artifacts attached to that release are signed with your personal OpenPGP key:

We are locking the fingerprint of your personal OpenPGP certificate and use that exact certificate to verify artifacts, commits or tags in the context of building a package for Arch Linux:

Prior to 3.11.3 this worked and I was able to build and test from a signed

The 3.11.3 release I cannot verify, because it is not signed with your personal OpenPGP key and the (signed) artifacts attached to that release do not allow me to run tests (because there are none in them). Hence this ticket.
ERRATA: The v3.11.3 tag is in fact not signed. The commit it points at is though (by the GitHub OpenPGP key):

```console
$ git ls-remote -t https://github.com/nlohmann/json |rg v3.11.3
9cca280a4d0ccf0c08f47a99aa71d1b0e52f8d03 refs/tags/v3.11.3
$ git verify-tag v3.11.3
error: v3.11.3: cannot verify a non-tag object of type commit.
$ git verify-commit 9cca280a4d0ccf0c08f47a99aa71d1b0e52f8d03
gpg: Signature made 2023-11-28T22:36:31 CET
gpg:                using RSA key 4AEE18F83AFDEB23
gpg: Good signature from "GitHub (web-flow commit signing) <[email protected]>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 5DE3 E050 9C47 EA3C F04A 42D3 4AEE 18F8 3AFD EB23
```

Comparing this to the previous release, it appears you are using annotated tags (

```console
$ git ls-remote -t https://github.com/nlohmann/json |rg v3.11.2
0ca0fe433eb70cea0d5761079c0c5b47b736565b refs/tags/v3.11.2
bc889afb4c5bf1c0d8ee29ef35eaaf4c8bef8a5d refs/tags/v3.11.2^{}
$ git verify-tag v3.11.2
error: no signature found
$ git verify-commit bc889afb4c5bf1c0d8ee29ef35eaaf4c8bef8a5d
gpg: Signature made 2022-08-12T15:06:06 CEST
gpg:                using RSA key 797167AE41C0A6D9232E48457F3CEA63AE251B69
gpg: Good signature from "Niels Lohmann <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7971 67AE 41C0 A6D9 232E 4845 7F3C EA63 AE25 1B69
```

It would be great if signed tags would be created using your personal OpenPGP key and / or signed artifacts containing a snapshot of the entire repository could be attached to releases.
After spending some time writing this I'd kindly ask you to please use signed tags, as it is quite likely that we will prefer plain git sources over custom source tarballs in the future. I don't know what your current release workflow is, but this would basically be down to using

ping @nlohmann

@nlohmann can you please respond to this? It is blocking me from upgrading the package on Arch Linux 😰

@nlohmann Do you have an update for us on this issue? As @dvzrv said, we'd like to avoid using unsigned tar archives. With git, you can use David's suggestion:

Friendly ping @nlohmann :) As discussed above, you'd do us and the Arch community a great favor if you'd properly sign your releases.

I currently plan no release. I will get back to you before next time to understand what you need.

@nlohmann: I think it would be best for you to not sign release artifacts at this point to be honest. As this has been blocking our package upgrade for nearly half a year now, I will drop the OpenPGP verification from the package and also not add it back unless there is a strong commitment from your side. Other than that, I consider this issue closed, so that I can finally move on and upgrade the package. 👋
Description
Hi! 👋
I package this project for Arch Linux.
The current signed source artifacts attached to releases are unfortunately not enough to allow me to run tests.
I would like to be able to run tests on source artifacts that are signed. For this I am currently relying on the signed tags, but 3.11.3 has not been a signed tag, so I have been unable to upgrade to that version yet.
What I am currently doing is to checkout a signed tag, verify it and then stage in the test data for running the tests.
https://gitlab.archlinux.org/archlinux/packaging/packages/nlohmann-json/-/blob/314ac9199c8f76d5b661dc0fd79caf3f4f8e1cb8/PKGBUILD
The signed artifacts unfortunately miss a bunch of the files that I would need for packaging (e.g. license files, tests, etc.).
Would it be possible to either use signed tags again or to create a source artifact that includes just the git repository's contents?
Reproduction steps
Try to run tests from one of the signed artifacts in https://github.com/nlohmann/json/releases/tag/v3.11.3
Expected vs. actual results
I am able to run tests from a validatable (signed) source artifact.
Currently I am not able to run tests from a validatable (signed) source artifact.
Minimal code example
No response
Error messages
No response
Compiler and operating system
Arch Linux, gcc 13.2.1
Library version
3.11.3
Validation
develop branch is used.
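The tag-verification policy the thread asks for (an annotated tag whose signature is checked against a pinned fingerprint, not against whatever key happens to verify), as an added example in shell. This is not code from nlohmann/json or from the Arch PKGBUILD. It assumes git and gpg on PATH with the upstream key already imported, takes the repository URL and tag name as arguments, and embeds constructed sample inputs: the `git ls-remote` listing is the one quoted in the ERRATA comment, while the two gpg status transcripts are mocked in the shape of `--status-fd` output using the fingerprints and signature dates quoted there.

```shell
#!/usr/bin/env bash
# Added example, not code from nlohmann/json or the Arch PKGBUILD: accept a release tag
# only if it is an annotated tag whose signature verifies against a pinned OpenPGP
# fingerprint. Assumes git and gpg on PATH and the upstream key already in the keyring.
set -eu

# Fingerprint of Niels Lohmann's personal key as printed in the thread; pinned, never looked up.
PINNED_FPR="797167AE41C0A6D9232E48457F3CEA63AE251B69"

# Classify one tag from `git ls-remote --tags` output:
#   annotated   -> refs/tags/X (the tag object) plus refs/tags/X^{} (the peeled commit)
#   lightweight -> only refs/tags/X, pointing straight at a commit: no tag object to sign
tag_kind() {
  local tag="$1" listing="$2"
  if printf '%s\n' "$listing" | awk -v r="refs/tags/$tag^{}" '$2==r{f=1} END{exit f?0:1}'; then
    echo annotated
  elif printf '%s\n' "$listing" | awk -v r="refs/tags/$tag" '$2==r{f=1} END{exit f?0:1}'; then
    echo lightweight
  else
    echo missing
  fi
}

# Judge a gpg --status-fd transcript (what `git verify-tag --raw` prints on stderr).
# The human-readable "Good signature" text is not enough: in the thread it appears for an
# expired GitHub web-flow key that is not the pinned one. So: refuse on any bad, expired,
# revoked or unknown-key status line, then require a VALIDSIG whose last field (the primary
# key fingerprint) equals the pinned one.
sig_by_pinned_key() {
  local pinned="$1" status="$2"
  if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)( |$)'; then
    return 1
  fi
  printf '%s\n' "$status" | awk -v want="$pinned" \
    '$1=="[GNUPG:]" && $2=="VALIDSIG" && toupper($NF)==toupper(want) {ok=1} END{exit ok?0:1}'
}

# Live check against a remote: classify the tag, fetch it, verify the tag object's signature.
verify_release_tag() {
  local url="$1" tag="$2" pinned="${3:-$PINNED_FPR}" dir status
  case "$(tag_kind "$tag" "$(git ls-remote --tags "$url")")" in
    annotated) ;;
    lightweight) echo "$tag is a lightweight tag: no tag object to verify, refusing" >&2; return 1 ;;
    *) echo "no tag $tag at $url" >&2; return 1 ;;
  esac
  dir=$(mktemp -d)
  git clone --quiet --depth 1 --branch "$tag" "$url" "$dir"
  # --raw: print gpg's machine-readable status lines instead of the human-readable text
  status=$(git -C "$dir" verify-tag --raw "$tag" 2>&1 || true)
  rm -rf "$dir"
  sig_by_pinned_key "$pinned" "$status"
}

# Constructed sample inputs. The listing is the `git ls-remote -t` output quoted in the
# thread; the status transcripts are mocked in the shape of gpg --status-fd output from the
# fingerprints and dates quoted there (a real transcript carries more lines).
SAMPLE_LISTING='9cca280a4d0ccf0c08f47a99aa71d1b0e52f8d03 refs/tags/v3.11.3
0ca0fe433eb70cea0d5761079c0c5b47b736565b refs/tags/v3.11.2
bc889afb4c5bf1c0d8ee29ef35eaaf4c8bef8a5d refs/tags/v3.11.2^{}'
# what a tag object signed with the pinned key would produce
SAMPLE_STATUS_SIGNED='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 797167AE41C0A6D9232E48457F3CEA63AE251B69 0
[GNUPG:] GOODSIG 7F3CEA63AE251B69 Niels Lohmann
[GNUPG:] VALIDSIG 797167AE41C0A6D9232E48457F3CEA63AE251B69 2022-08-12 1660309566 0 4 0 1 8 01 797167AE41C0A6D9232E48457F3CEA63AE251B69
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# the v3.11.3 case from the ERRATA: a good signature, but from GitHub's expired web-flow key
SAMPLE_STATUS_WEBFLOW='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23 0
[GNUPG:] EXPKEYSIG 4AEE18F83AFDEB23 GitHub (web-flow commit signing)
[GNUPG:] VALIDSIG 5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23 2023-11-28 1701207391 0 4 0 1 8 01 5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23'

# Exercise the pure functions on the samples; returns 0 when every expectation holds.
self_check() {
  [ "$(tag_kind v3.11.2 "$SAMPLE_LISTING")" = annotated ] || return 1
  [ "$(tag_kind v3.11.3 "$SAMPLE_LISTING")" = lightweight ] || return 1
  [ "$(tag_kind v9.9.9 "$SAMPLE_LISTING")" = missing ] || return 1
  sig_by_pinned_key "$PINNED_FPR" "$SAMPLE_STATUS_SIGNED" || return 1
  if sig_by_pinned_key "$PINNED_FPR" "$SAMPLE_STATUS_WEBFLOW"; then return 1; fi
  if sig_by_pinned_key "$PINNED_FPR" "error: no signature found"; then return 1; fi
  return 0
}

# Usage: ./verify-tag.sh https://github.com/nlohmann/json v3.11.3
if [ $# -eq 2 ]; then
  verify_release_tag "$1" "$2" || { echo "REJECTED: $2" >&2; exit 1; }
  echo "OK: $2 is an annotated tag signed by $PINNED_FPR"
fi
```

Two design points a packager would want here. A lightweight tag is refused outright: it is only a movable pointer to a commit, and the signature on that commit (in the thread, GitHub's web-flow key, already expired) says nothing about who cut the release. And the accept decision is read from gpg's `VALIDSIG` line, whose last field is the primary key fingerprint, rather than from the `Good signature` text, which the thread shows gpg printing for the expired web-flow key as well. Pinning the fingerprint this way is the same check a PKGBUILD's `validpgpkeys` array performs.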