
Sign releases with your PGP key #2408

Open
qertoip opened this issue Jan 17, 2019 · 11 comments

Comments

qertoip commented Jan 17, 2019

Please abandon md5 in favor of sha256 and sign the hashes with your PGP keys. Bitcoin Core or Monero are good examples:
https://bitcoincore.org/bin/bitcoin-core-0.17.1/
https://ww.getmonero.org/downloads/hashes.txt
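The release-verification workflow this request describes (a sha256 hashes file, a detached PGP signature over it, and a per-file digest check) can be exercised end to end. The script below is an added example, not code from the Grin project or from the commenter; the artifact names and digests in `demo()` are constructed inline, and `verify_signature()` assumes a `gpg` binary is installed and the release key has already been imported into the keyring.

```python
"""Verify release downloads against a PGP-signed sha256 hashes file.

Added example, not Grin project code. Models the workflow requested above:
a hashes.txt listing sha256 digests, a detached signature over that file
checked with gpg, and a constant-time comparison of each artifact's digest.
"""
import hashlib
import hmac
import os
import re
import subprocess
import tempfile

# One artifact per line in the sha256sum / hashes.txt layout: "<hex>  <filename>"
HASH_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S+)$")
SHA256_HEX_LEN = 64


def parse_hashes(text):
    """Return {filename: digest} from a hashes.txt body.

    Digests that are not sha256-sized are rejected (an md5 is 32 hex chars),
    so a downgraded hashes file fails loudly instead of being accepted.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HASH_LINE.match(line)
        if not m:
            raise ValueError(f"hashes line {lineno}: unparseable: {raw!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if len(digest) != SHA256_HEX_LEN:
            raise ValueError(
                f"hashes line {lineno}: {name} has a {len(digest) * 4}-bit digest, sha256 required")
        expected[name] = digest
    return expected


def sha256_file(path, chunk=1 << 20):
    """Stream a file through sha256 so large tarballs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_signature(hashes_path, sig_path, keyring=None):
    """Check the detached signature on hashes.txt with gpg (assumes gpg is installed).

    Returns True only when gpg exits 0 and reports VALIDSIG. GOODSIG alone is not
    enough: VALIDSIG carries the full fingerprint, which callers should pin to the
    known release key rather than trusting whatever key happens to be in the keyring.
    """
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", sig_path, hashes_path]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError:
        raise RuntimeError("gpg not installed; cannot establish who published hashes.txt")
    return proc.returncode == 0 and "[GNUPG:] VALIDSIG" in proc.stdout


def verify_artifacts(hashes_text, directory):
    """Compare every listed artifact in `directory` with its expected digest.

    Returns {filename: "ok" | "mismatch" | "missing"}. The comparison is
    constant-time, which costs nothing here and is the right habit.
    """
    results = {}
    for name, expected in parse_hashes(hashes_text).items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_file(path)
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


def demo():
    """Constructed sample: one intact artifact, one tampered, one listed but absent."""
    with tempfile.TemporaryDirectory() as d:
        good = b"release-linux.tar.gz contents (constructed sample)"
        bad = b"release-macos.tar.gz contents (constructed sample)"
        with open(os.path.join(d, "release-linux.tar.gz"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "release-macos.tar.gz"), "wb") as f:
            f.write(bad + b"\x00")  # tampered: one trailing byte appended
        hashes_txt = "\n".join([
            f"{hashlib.sha256(good).hexdigest()}  release-linux.tar.gz",
            f"{hashlib.sha256(bad).hexdigest()}  release-macos.tar.gz",
            f"{hashlib.sha256(b'never downloaded').hexdigest()}  release-windows.zip",
        ])
        return verify_artifacts(hashes_txt, d)


if __name__ == "__main__":
    print(demo())
```

The order matters: `verify_signature()` must pass before `verify_artifacts()` is consulted, because an unsigned or wrongly signed hashes.txt tells you nothing about who published the binaries, only that the download was not corrupted in transit.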

@0xmichalis (Contributor)

Proposed in the forum at https://www.grin-forum.org/t/grin-binaries-w-secure-verification/782

lehnberg added the task label Jan 18, 2019

@ignopeverell (Contributor)

Still enjoying a bit of convenience with automated builds. But yes, we'll have to get there.

jonathancross commented Jan 21, 2019

Would also be good to have developers verify & sign each other's OpenPGP keys:

@ignopeverell 0x99CD25F39F8F8211
@yeastplume 0xAE6E005DF6E76B95
@antiochp 0x49CBDBCE8AB061C1 (not being used for commits?)
@garyyu No key?
@hashmap 0x5EA3C2D2455ED9C8
@quentinlesceller 0x76248AC90C33D34F (not being used for commits?)

None of the developer keys can be verified through the Web Of Trust except for @hashmap (because I personally verified and cross-signed with him). Would be nice to improve this.

Edit: update keys.

@quentinlesceller (Member)

@jonathancross My key is 0x76248AC90C33D34F btw. Yep we need to do it.

qertoip (Author) commented Jan 21, 2019

https://keybase.io/ is the modern WoT, so I would kindly suggest that developers establish their identities over there as well.

quentinlesceller (Member) commented Jan 21, 2019

@qertoip we already all have Keybase.
ignopeverell https://keybase.io/ignotus
yeastplume https://keybase.io/yeastplume
antiochp https://keybase.io/antiochp
garyyu https://keybase.io/garyyu
hashmap https://keybase.io/hashmap
quentinlesceller https://keybase.io/quentinlesceller
jaspervdm https://keybase.io/jaspervdm
tromp https://keybase.io/tromp

@jonathancross

Thank you @quentinlesceller -- I've updated info above.
At the very least, we should get the release key (@ignopeverell 0x99CD25F39F8F8211) into the Strong Set. (PS: I'm open to meet and exchange keys with any of you in San Francisco, Switzerland or Berlin.)

qertoip (Author) commented Jan 21, 2019

> @qertoip we already all have Keybase.

Excellent!

@antiochp (Member)

Does anybody actually use the WoT for anything though (honest question)?
And given the pseudonymity involved in some of these keys - does the WoT really provide any guarantees?
Nobody has been to a key signing party (it would be a very boring party) and presumably those of us wishing to remain pseudonymous would probably not be present?

@jonathancross

Thanks @antiochp. IMHO the web of trust is still useful when trying to establish the authenticity of a key. For example, one can derive some degree of trust in a key with the WOT, then combine it with other information to make an assessment. One can chart a path from hashmap's key to Andrew Poelstra's which, if you trust them both to properly verify keys, might be very useful metadata when trying to identify a fake keybase account, impersonation, TLS certificate authority or github.com compromise, etc.

Signing your git commits helps tremendously as well because it is proof that this key owner has actually contributed significantly to the project (proof-of-skill over time).

Pseudonymity does make keysigning more challenging, especially if one is avoiding having others see their face... (ski-mask signing party anyone?) Signed git commits are probably the best option in this situation. Then (after a suitable amount of evidence is established) exchanging PGP key sigs with other devs who can independently establish the authenticity of contributions provided by the key owner. Note: Some pseudonymous devs are fine with exchanging keys in-person (eg zzz from I2P, most Bitcoin & Monero devs), but of course that is for each person to decide.

TL;DR: Ideally Grin would enforce git commit signing for all PRs & releases, and devs who are okay meeting in person would sign each other's keys. This would significantly improve attack resistance / impersonation from where we are today.

Hope that helps?

@ignopeverell (Contributor)

It's the correct key. And I'd like to point out that, at least in my case, what matters the most is the 2+ years of commit history with that key. That should be true for most other regular committers.
