Swiftly should ignore expired GPG keys #148

Open
rayx opened this issue Aug 3, 2024 · 6 comments

Comments

@rayx

rayx commented Aug 3, 2024

While I installed swiftly, I saw output like the following:

$ curl -L https://swiftlang.github.io/swiftly/swiftly-install.sh | bash
--[SNIPPED]--
Importing Swift's PGP keys...
gpg: key D441C977412B37AD: public key "Swift Automatic Signing Key #1 <[email protected]>" imported
gpg: key 9F597F4D21A56D5F: public key "Swift 2.2 Release Signing Key <[email protected]>" imported
gpg: key 63BC1CFE91D306C6: public key "Swift 3.x Release Signing Key <[email protected]>" imported
gpg: key EF5430F071E1B235: public key "Swift 4.x Release Signing Key <[email protected]>" imported
gpg: key 7638F1FB2B2B08C4: public key "Swift Automatic Signing Key #2 <[email protected]>" imported
gpg: key 925CC1CCED3D1561: public key "Swift 5.x Release Signing Key <[email protected]>" imported
gpg: key FAF6989E1BC16FEA: public key "Swift Automatic Signing Key #3 <[email protected]>" imported
gpg: key 925CC1CCED3D1561: "Swift 5.x Release Signing Key <[email protected]>" 1 new signature
gpg: key F167DF1ACF9CE069: public key "Swift Automatic Signing Key #4 <[email protected]>" imported
gpg: key 925CC1CCED3D1561: "Swift 5.x Release Signing Key <[email protected]>" 1 new signature
gpg: key F167DF1ACF9CE069: "Swift Automatic Signing Key #4 <[email protected]>" 1 new signature

Most of the keys are expired:

$ gpg --list-keys
--[SNIPPED]--
pub   rsa4096 2015-11-19 [SC] [expired: 2017-11-18]
      7463A81A4B2EEA1B551FFBCFD441C977412B37AD
uid           [ expired] Swift Automatic Signing Key #1 <[email protected]>

pub   rsa4096 2015-11-28 [SC] [expired: 2017-11-27]
      1BE1E29A084CB305F397D62A9F597F4D21A56D5F
uid           [ expired] Swift 2.2 Release Signing Key <[email protected]>

pub   rsa4096 2016-05-31 [SC] [expired: 2018-05-31]
      A3BAFD3556A59079C06894BD63BC1CFE91D306C6
uid           [ expired] Swift 3.x Release Signing Key <[email protected]>

pub   rsa4096 2017-06-14 [SC] [expired: 2019-06-14]
      5E4DF843FB065D7F7E24FBA2EF5430F071E1B235
uid           [ expired] Swift 4.x Release Signing Key <[email protected]>

pub   rsa4096 2017-11-07 [SC] [expired: 2019-11-07]
      8513444E2DA36B7C1659AF4D7638F1FB2B2B08C4
uid           [ expired] Swift Automatic Signing Key #2 <[email protected]>

pub   rsa4096 2019-03-22 [SC] [expires: 2025-03-19]
      A62AE125BBBFBB96A6E042EC925CC1CCED3D1561
uid           [ unknown] Swift 5.x Release Signing Key <[email protected]>

pub   rsa4096 2019-11-07 [SC] [expired: 2021-11-06]
      8A7495662C3CD4AE18D95637FAF6989E1BC16FEA
uid           [ expired] Swift Automatic Signing Key #3 <[email protected]>

pub   rsa4096 2021-11-08 [SC] [expires: 2025-11-09]
      E813C892820A6FA13755B268F167DF1ACF9CE069
uid           [ unknown] Swift Automatic Signing Key #4 <[email protected]>

I think expired keys are useless? Also, swiftly doesn't support downloading Swift 2/3/4 releases. And the Automatic Signing Keys 1/2/3 are apparently obsoleted by key 4. So I think swiftly should ignore those expired keys.

@adam-fowler (Contributor)

The keys come from the swift.org website (https://www.swift.org/keys/all-keys.asc). It might be better that the website stops serving expired keys. You could add an issue there.

There is nothing stopping swiftly installing swift 2/3/4. As long as the tarballs are available on swift.org it should work. I haven't tested swift 2 or 3 though.

@rayx (Author)

rayx commented Aug 4, 2024

The Swift website has a page for active GPG keys (https://www.swift.org/keys/active/). I found it via Google. Unfortunately that page isn't friendly to scripts and there seems to be no active-keys.asc file. On the other hand, I suspect all-keys.asc is for archival purposes, so it probably should contain expired keys.

When I submitted the issue, I thought gpg might have an option to skip expired keys when importing them. I googled a bit today. There seems to be no out-of-the-box way to do it. Also, based on some discussions on the net, gpg allows one to verify signatures using expired keys.

So, while I think the current behavior is a little bit confusing to me, I don't have a strong opinion about it. Feel free to close it if there isn't a simple way or it isn't worth the effort.
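Since gpg has no import-time switch for skipping expired keys, the practical check is to classify the keyring after import and to look at what `--status-fd` actually reports when a signature was made with an expired key. The script below is an added example, not swiftly's code: it parses the machine-readable `gpg --with-colons --list-keys` format (field positions are those documented in GnuPG's DETAILS file) and `--status-fd` lines; the keyring sample is constructed from two keys in the listing above, with a placeholder e-mail, and ISSUE_DATE is the reference "now".

```python
from datetime import datetime, timezone

ISSUE_DATE = datetime(2024, 8, 3, tzinfo=timezone.utc)  # the day this issue was filed

# Constructed sample in `gpg --with-colons --list-keys` format, mirroring two
# keys from the issue's listing (UID e-mail is a placeholder, not the real one).
SAMPLE_COLONS = "\n".join([
    "pub:e:4096:1:D441C977412B37AD:1447891200:1510963200::-:::scSC::::::23::0:",
    "fpr:::::::::7463A81A4B2EEA1B551FFBCFD441C977412B37AD:",
    "uid:e::::1447891200::0000000000000000::Swift Automatic Signing Key #1 <key@example.org>::::::::::0:",
    "pub:-:4096:1:925CC1CCED3D1561:1553212800:1742342400::-:::scSC::::::23::0:",
    "fpr:::::::::A62AE125BBBFBB96A6E042EC925CC1CCED3D1561:",
    "uid:-::::1553212800::0000000000000000::Swift 5.x Release Signing Key <key@example.org>::::::::::0:",
])

def _gpg_date(field):
    """Date field: '' means never; modern gpg emits epoch seconds, old gpg YYYY-MM-DD."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    return datetime.strptime(field[:10], "%Y-%m-%d").replace(tzinfo=timezone.utc)

def classify_keys(colons_output, now):
    """Map primary-key fingerprint -> {'uid', 'expires', 'expired'}; subkeys are skipped."""
    keys, current = {}, None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":                      # start of a primary key record
            current = {"validity": f[1], "expires": _gpg_date(f[6]), "uid": None}
        elif f[0] == "sub":                    # subkey: its fpr line is not the primary's
            current = None
        elif f[0] == "fpr" and current is not None and "fpr" not in current:
            current["fpr"] = f[9]
            keys[f[9]] = current
        elif f[0] == "uid" and current is not None and current["uid"] is None:
            current["uid"] = f[9]
    for k in keys.values():
        exp = k["expires"]
        # gpg sets validity 'e' once it notices expiry; also compare the date ourselves
        k["expired"] = k["validity"] == "e" or (exp is not None and exp <= now)
    return keys

def signature_verdict(status_output):
    """From `gpg --status-fd 1 --verify` lines return (status, keyid); EXPKEYSIG is a
    good signature from an expired key, which a verifier may or may not want to accept."""
    for line in status_output.splitlines():
        p = line.split()
        if len(p) >= 3 and p[0] == "[GNUPG:]" and p[1] in (
                "GOODSIG", "EXPKEYSIG", "EXPSIG", "REVKEYSIG", "BADSIG", "ERRSIG"):
            return p[1], p[2]
    return "NOSIG", None
```

Fingerprints flagged `expired` are the ones to review (or pass to `gpg --delete-keys`) after importing all-keys.asc; note that gpg's plain exit status does not distinguish GOODSIG from EXPKEYSIG, so a script that cares must read the status lines.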

@0xTim (Member)

0xTim commented Aug 6, 2024

I think opening an issue on the Swift.org website to provide a nice parseable way of getting the current keys is something we should be able to implement.

@rayx (Author)

rayx commented Aug 8, 2024

I submitted an enhancement, #776, in the swift.org repo.

@adam-fowler (Contributor)

We'll still need the 2.x, 3.x and 4.x release keys, otherwise we won't be able to verify installs of Swift earlier than 5.0.

@cmcgee1024 (Member)

Swiftly follows what the swift.org website uses to allow third parties to validate the toolchain contents. If the website changes the mechanism, then swiftly will need to adopt the changes, and, now that swiftly will be provided by swift.org, any impact should be rolled out to swiftly whenever such changes are made.

I think that we should close this issue on swiftly itself until the website authentication mechanism is changed.
