
Unknown key used to sign MediaWiki 1.32.0 tarball
Closed, Resolved (Public)

Description

The key on https://www.mediawiki.org/keys/keys.txt is:

Mukunda Modell (twentyafterfour) <mmodell@wikimedia.org>
C83A8E4D3C8FEB7C8A3A1998131910E01605D9AA
...
km@km-pt /tmp> gpg2 --list-keys Mukunda
pub   rsa4096 2016-01-08 [SC] [expires: 2019-07-31]
      C83A8E4D3C8FEB7C8A3A1998131910E01605D9AA
uid           [  full  ] Mukunda Modell (WMF) <mmodell@wikimedia.org>
uid           [ unknown] Mukunda Modell <twentyafterfour@gmail.com>
uid           [  full  ] [jpeg image of size 2928]

But the key used to sign the git tags and tarballs was D7B8437BE5A2D3FC8D905FED60AE06D4875BE862:

km@km-pt ~/g/m/core> git tag -v 1.32.0
object 0fbb878ef366477535a709b0c2564bdcf4b176d1
type commit
tag 1.32.0
tagger Mukunda Modell <mmodell@wikimedia.org> 1547171875 -0600

MediaWiki 1.32.0
gpg: Signature made Thu 10 Jan 2019 05:58:10 PM PST
gpg:                using RSA key D7B8437BE5A2D3FC8D905FED60AE06D4875BE862
gpg: Can't check signature: No public key

(2) km@km-pt /tmp> gpg2 --verify mediawiki-1.32.0.tar.gz.sig
gpg: assuming signed data in 'mediawiki-1.32.0.tar.gz'
gpg: Signature made Thu 10 Jan 2019 06:26:26 PM PST
gpg:                using RSA key D7B8437BE5A2D3FC8D905FED60AE06D4875BE862
gpg: Can't check signature: No public key

That key needs to be uploaded to key servers and added to keys.txt AIUI, even though it's a subkey.

Event Timeline

Legoktm triaged this task as Unbreak Now! priority. Jan 11 2019, 8:13 AM
Legoktm created this task.
Restricted Application added subscribers: Liuxinyu970226, TerraCodes, Aklapper. Jan 11 2019, 8:13 AM

Yes, that's correct. The main/master key is essentially just a key to sign other keys and the dichotomy exists just for management reasons, albeit very good reasons. https://wiki.debian.org/Subkeys is a nice read about it.

Change 483903 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[operations/mediawiki-config@master] keys: Add Mukunda's new subkey that was used for the 1.32 release

https://gerrit.wikimedia.org/r/483903

Change 483903 merged by jenkins-bot:
[operations/mediawiki-config@master] keys: Add Mukunda's new subkey that was used for the 1.32 release

https://gerrit.wikimedia.org/r/483903

Mentioned in SAL (#wikimedia-operations) [2019-01-12T02:16:06Z] <legoktm@deploy1001> Synchronized docroot/mediawiki.org/keys: Add Mukunda's new subkey that was used for the 1.32 release - T213521 (duration: 00m 47s)

Legoktm closed this task as Resolved. Jan 12 2019, 2:18 AM

Yesterday:
[00:26:32] <twentyafterfour> legoktm: D7B8437.... should be sync'd to pool.sks-keyservers.net

Today I pulled the key down from the server, verified that it was a subkey of the previous key that was used and signed by everyone, and synced out the change. It might take an hour for the keys.txt page on mediawiki.org to update.
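The check described in the task description and in the last comment (that the key gpg reports after "using RSA key" is a signing subkey of the primary key listed in keys.txt), as an added example that is not part of the task or of MediaWiki's release tooling. It parses gpg's colon-format key listing; the listing, its dates and the second subkey's ID are constructed, only the two fingerprints come from the task, and it also covers the long-key-ID form gpg prints and expired or non-signing keys.

```python
# Check that the key which signed a release is a signing subkey of a trusted primary key,
# using `gpg --with-colons --list-keys <primary>` output (field layout per GnuPG doc/DETAILS).
TRUSTED_PRIMARY = "C83A8E4D3C8FEB7C8A3A1998131910E01605D9AA"  # listed in keys.txt
RELEASE_SIGNER = "D7B8437BE5A2D3FC8D905FED60AE06D4875BE862"   # reported by `git tag -v 1.32.0`
# Constructed sample listing (not the real keyring; only the two fingerprints above are real):
# a certify-only primary, the signing subkey, and an expired signing subkey with placeholder ID.
SAMPLE_COLONS = """\
pub:f:4096:1:131910E01605D9AA:1452211200:1564531200::u:::cSC::::::23::0:
fpr:::::::::C83A8E4D3C8FEB7C8A3A1998131910E01605D9AA:
uid:f::::1452211200::0000000000000000000000000000000000000000::Mukunda Modell (WMF) <mmodell@wikimedia.org>::::::::::0:
sub:f:4096:1:60AE06D4875BE862:1546300800:1564531200:::::s::::::23:
fpr:::::::::D7B8437BE5A2D3FC8D905FED60AE06D4875BE862:
sub:e:4096:1:0000000000000002:1452211200:1483833600:::::s::::::23:
fpr:::::::::0000000000000000000000000000000000000002:
"""

def parse_keys(colons: str) -> dict:
    """Map each fingerprint to {'kind', 'validity', 'caps', 'primary'}; an 'fpr' row follows its pub/sub row."""
    keys, primary, pending = {}, None, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            pending = {"kind": f[0], "validity": f[1], "caps": f[11]}  # fields 2 and 12
        elif f[0] == "fpr" and pending is not None:
            fpr = f[9]                                                 # field 10
            if pending["kind"] == "pub":
                primary = fpr
            pending["primary"] = primary
            keys[fpr] = pending
            pending = None
    return keys

def check_release_signer(colons: str, signer: str, trusted_primary: str) -> tuple:
    """Return (ok, reason). `signer` is a 40-hex fingerprint or the 16-hex long key ID gpg prints
    after 'using RSA key'; for v4 keys the long ID is the last 16 hex digits of the fingerprint."""
    keys, signer = parse_keys(colons), signer.upper()
    hits = [fpr for fpr in keys if fpr == signer or (len(signer) == 16 and fpr.endswith(signer))]
    if not hits:
        return False, "no public key for signer (gpg: Can't check signature)"
    rec = keys[hits[0]]
    if rec["primary"] != trusted_primary.upper():
        return False, f"signer belongs to primary {rec['primary']}, not the trusted one"
    if "s" not in rec["caps"]:  # lower-case 's': this key itself may sign (upper case = whole key)
        return False, f"key lacks sign capability (caps={rec['caps']!r})"
    if rec["validity"] in ("e", "r"):
        return False, f"key is expired or revoked (validity={rec['validity']!r})"
    return True, f"{'subkey' if rec['kind'] == 'sub' else 'primary key'} of trusted primary {rec['primary']}"

if __name__ == "__main__":
    print(check_release_signer(SAMPLE_COLONS, RELEASE_SIGNER, TRUSTED_PRIMARY))
```

Against a live keyring, feed the function the stdout of `gpg --with-colons --list-keys C83A8E4D3C8FEB7C8A3A1998131910E01605D9AA` instead of the constructed sample.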