Signature verification of 1.2.2

[oallauddin]

What happened in your environment?

Signature verification is failing for 1.2.2 based off documentation Validating ORAS CLI Binaries.
It looks like there is a new public key KEYS because Shiwei Zhang was added.
The documentation needs to be updated? We should be using this new public key?

What did you expect to happen?

Signature verification will pass

How can we reproduce it?

Run below shell script

#!/bin/bash -e
tag=v1.2.2
version=1.2.2
curl -sSL https://github.com/qweeah.gpg --output qweeah.gpg 
gpg --import qweeah.gpg
curl -sSL "https://github.com/oras-project/oras/releases/download/${tag}/oras_${version}_linux_amd64.tar.gz.asc" --output oras_${version}_linux_amd64.tar.gz.asc
curl -sSL "https://github.com/oras-project/oras/releases/download/${tag}/oras_${version}_linux_amd64.tar.gz" --output oras_${version}_linux_amd64.tar.gz
gpg --verify oras_${version}_linux_amd64.tar.gz.asc oras_${version}_linux_amd64.tar.gz

What is the version of your ORAS CLI?

1.2.2

What is your OS environment?

Amazon Linux 2023

Are you willing to submit PRs to fix it?

• Yes, I am willing to fix it.

[TerryHowe]

Any reason we aren't using the KEYS file in the documentation?

[TerryHowe]

Something along the lines of:

 % curl -sSL https://raw.githubusercontent.com/oras-project/oras/refs/heads/main/KEYS | gpg --import - 
gpg: key F86EC70D2B0C404F: "Billy Zha <[email protected]>" not changed
gpg: key 4F723223E9DF0185: "Shiwei Zhang <[email protected]>" not changed
gpg: Total number processed: 2
gpg:              unchanged: 2

[oallauddin]

I ended up using the KEYS file. Didn't want to parse the release notes in the script that runs in our CI build.

#!/bin/bash -e

# download the public key
curl -sSL https://raw.githubusercontent.com/oras-project/oras/main/KEYS --output KEYS

# NOTE: manually run below command locally to determine the known checksum of the public key
# curl -sSL https://raw.githubusercontent.com/oras-project/oras/main/KEYS | sha256sum
# we will need to update the known checksum each time the public key is updated
KEYS_CHECKSUM="d29aae25ce1ca6068657f4249bde54c1819687486bb6af2af62c4dee88aed735"
echo -n "$KEYS_CHECKSUM  KEYS" > KEYS.sha256

# validate the checksum
sha256sum --check KEYS.sha256

[TerryHowe]

I'm not sure how the other maintainers feel, but maybe a PR to the docs site?

[shizhMSFT]

@FeynmanZhou This is a real case that we should move away from GPG signing.

[FeynmanZhou]

The GPG key changed in v1.2.2 release so we need to update the GPG key on ORAS documentation or considering removing the GPG key verification. We could discuss and make decision in the next community meeting.

For ORAS maintainers, GPG key signing is cumbersome for automating the release process. For end users, it requires to trust a key from an individual maintainer as always.

[TerryHowe]

Agreed on GPG, but I think updating the docs would be helpful for now.

[FeynmanZhou]

Thanks @TerryHowe for the suggestion. I do agree with updating the doc to unblock the users of v1.2.2.