Page MenuHomePhabricator
Create Task
Maniphest T213521

Unknown key used to sign MediaWiki 1.32.0 tarball
Closed, ResolvedPublic
Actions

Description

The key on https://www.mediawiki.org/keys/keys.txt is:

Mukunda Modell (twentyafterfour) <mmodell@wikimedia.org>
C83A8E4D3C8FEB7C8A3A1998131910E01605D9AA
...
km@km-pt /tmp> gpg2 --list-keys Mukunda
pub   rsa4096 2016-01-08 [SC] [expires: 2019-07-31]
      C83A8E4D3C8FEB7C8A3A1998131910E01605D9AA
uid           [  full  ] Mukunda Modell (WMF) <mmodell@wikimedia.org>
uid           [ unknown] Mukunda Modell <twentyafterfour@gmail.com>
uid           [  full  ] [jpeg image of size 2928]

But the key used to sign the git tags and tarballs was D7B8437BE5A2D3FC8D905FED60AE06D4875BE862:

km@km-pt ~/g/m/core> git tag -v 1.32.0
object 0fbb878ef366477535a709b0c2564bdcf4b176d1
type commit
tag 1.32.0
tagger Mukunda Modell <mmodell@wikimedia.org> 1547171875 -0600

MediaWiki 1.32.0
gpg: Signature made Thu 10 Jan 2019 05:58:10 PM PST
gpg:                using RSA key D7B8437BE5A2D3FC8D905FED60AE06D4875BE862
gpg: Can't check signature: No public key

(2) km@km-pt /tmp> gpg2 --verify mediawiki-1.32.0.tar.gz.sig
gpg: assuming signed data in 'mediawiki-1.32.0.tar.gz'
gpg: Signature made Thu 10 Jan 2019 06:26:26 PM PST
gpg:                using RSA key D7B8437BE5A2D3FC8D905FED60AE06D4875BE862
gpg: Can't check signature: No public key

That key needs to be uploaded to key servers and added to keys.txt AIUI, even though it's a subkey.

Details

ProjectBranchLines +/-Subject
operations/mediawiki-configmaster+365 -881keys: Add Mukunda's new subkey that was used for the 1.32 release
Customize query in gerrit

Event Timeline

Legoktm triaged this task as Unbreak Now! priority.Jan 11 2019, 8:13 AM
Legoktm created this task.
Restricted Application added subscribers: Liuxinyu970226, TerraCodes, Aklapper. · View Herald TranscriptJan 11 2019, 8:13 AM
akosiaris added a subscriber: akosiaris.Jan 11 2019, 8:19 AM

Yes, that's correct. The main/master key is essentially just a key to sign other keys and the dichotomy exists just for management reasons, albeit very good reasons. https://wiki.debian.org/Subkeys is a nice read about it.

timschroedernet added a subscriber: timschroedernet.Jan 11 2019, 12:09 PM
timschroedernet awarded a token.Jan 11 2019, 7:41 PM
gerritbot added a subscriber: gerritbot.Jan 12 2019, 2:09 AM

Change 483903 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[operations/mediawiki-config@master] keys: Add Mukunda's new subkey that was used for the 1.32 release

https://gerrit.wikimedia.org/r/483903

gerritbot added a project: Patch-For-Review.Jan 12 2019, 2:09 AM
gerritbot added a comment.Jan 12 2019, 2:14 AM

Change 483903 merged by jenkins-bot:
[operations/mediawiki-config@master] keys: Add Mukunda's new subkey that was used for the 1.32 release

https://gerrit.wikimedia.org/r/483903

Stashbot added a subscriber: Stashbot.Jan 12 2019, 2:16 AM

Mentioned in SAL (#wikimedia-operations) [2019-01-12T02:16:06Z] <legoktm@deploy1001> Synchronized docroot/mediawiki.org/keys: Add Mukunda's new subkey that was used for the 1.32 release - T213521 (duration: 00m 47s)

Legoktm closed this task as Resolved.Jan 12 2019, 2:18 AM

Yesterday:
[00:26:32] <twentyafterfour> legoktm: D7B8437.... should be sync'd to pool.sks-keyservers.net

Today I pulled the key down from the server, verified that it was a subkey of the previous key that was used and signed by everyone, and synced out the change. It might take an hour for the keys.txt page on mediawiki.org to update.

Aklapper added a comment.Jan 14 2019, 9:50 AM

Also see discussion in https://www.mediawiki.org/w/index.php?title=Topic:Us5jabe75xrth5ik

Liuxinyu970226 removed a subscriber: Liuxinyu970226.Jan 16 2019, 1:35 AM
Ladsgroup removed a project: Patch-For-Review.May 21 2019, 9:27 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL