gpg verification of older releases (before 2.9.7)
cap10morgan opened this issue · 2 comments
I got 2.9.7 GPG verification working in the official clojure Docker image with your new key, @technomancy. Thanks!
But I haven't yet pushed that update out, and in the meantime I was hoping we could preserve verification of the older releases so those clojure images can still be built (for security updates, etc.).
However, it looks like that old key (808A33D379C806C3) is no longer working. It says "new key but contains no user ID - skipped" when I try to import it from the keyserver.
I'm happy to update the Dockerfiles with your new key, but I think that's not currently the key whose private counterpart generated the sigs in the .asc files in the existing GitHub release assets.
Yes, the key you're mentioning is expired, so I don't use it any more.
So it sounds like the problem is that openpgp.org used to serve up the key and now refuses to do so? The key is available at https://technomancy.us/20242BACBBE95ADA22D0AFD7808A33D379C806C3.txt so it might be a good idea to check it into your repo so your build is reproducible and can avoid relying on a keyserver whose behavior is not stable over time.
@technomancy Yeah, that sounds like a good way forward. Thanks!
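One way to verify against a key file checked into the repo instead of a keyserver, as suggested in the thread. This is an added example, not code from the clojure Docker image or the Leiningen project. It assumes the hex string in the key file name above is the old key's full fingerprint; the file names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: pin the old signing key by fingerprint and verify offline.
# Assumption: the fingerprint below (taken from the key file name linked in
# the thread) is the full fingerprint of the old, now expired, signing key.
PINNED_FPR=20242BACBBE95ADA22D0AFD7808A33D379C806C3

# status_ok FPR
# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# names FPR (as signing key or as primary key) and no line reports a bad,
# unverifiable, expired or revoked-key signature.
# EXPKEYSIG (good signature, key has since expired) is tolerated on purpose:
# the old key is expired but is still the one that signed the old releases.
status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" || $2 == "EXPSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { good = 1 }
        END { exit !(good && !bad) }
    '
}

# verify_release KEYFILE SIGFILE DATAFILE
# Imports KEYFILE into a throwaway keyring, so nothing is fetched from a
# keyserver and no other key on the build host can satisfy the check.
verify_release() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    gpg --batch --quiet --import "$1" &&
        gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
            status_ok "$PINNED_FPR"
    rc=$?
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
    return "$rc"
}

# Usage (hypothetical file names), e.g. in a Dockerfile RUN step:
#   . ./verify-release.sh && verify_release old-key.txt lein.asc lein
```

The decision is made on the status lines rather than on gpg's exit code, so a signature from any other key in the keyring, or a key file that does not match the pinned fingerprint, fails the build.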