Missing chain of trust for 1.2.0

[dvzrv]

Hi! I'm currently trying to update tpm2-tss-engine to 1.2.0 for Arch Linux. We verify the signatures for the source tarballs attached to the releases here on github.

Unfortunately it seems that we have a missing chain of trust between 1.1.0 (signed by @AndreasFuchsTPM using D6B4D8BAC7E0CC97DCD4AC7272E88B53F7A95D84) and 1.2.0 (signed by @williamcroberts using 5B482B8E3E19DA7C978E1D016DE2E9078E1F50C1).

Would you be able to provide one of

• signature of D6B4D8BAC7E0CC97DCD4AC7272E88B53F7A95D84 on the one (known to me) User ID of 5B482B8E3E19DA7C978E1D016DE2E9078E1F50C1, made available either by importing the updated certificate in the github profile of @williamcroberts or on one of the keyservers that allows browsing of signatures (I think https://keys.openpgp.org does, but you will have to verify your User ID first!)
• a text stating, that @williamcroberts is now also able to create signed releases, clearsigned by @AndreasFuchsTPM (using D6B4D8BAC7E0CC97DCD4AC7272E88B53F7A95D84)

Thanks so much!

[williamcroberts]

@dvzrv doesn't my key on https://github.com/williamcroberts.gpg suffice?

[dvzrv]

doesn't my key on https://github.com/williamcroberts.gpg suffice?

according to gpg there is no signature by D6B4D8BAC7E0CC97DCD4AC7272E88B53F7A95D84 on your key:

gpg --list-sigs 6DE2E9078E1F50C1
pub   rsa4096 2017-02-15 [SC]
      5B482B8E3E19DA7C978E1D016DE2E9078E1F50C1
uid           [ unknown] William Roberts (Bill Roberts) <[email protected]>
sig 3        6DE2E9078E1F50C1 2017-02-15  William Roberts (Bill Roberts) <[email protected]>
sub   rsa4096 2017-02-15 [E]
sig          6DE2E9078E1F50C1 2017-02-15  William Roberts (Bill Roberts) <[email protected]>

[williamcroberts]

@dvzrv ahh OK, I see what you're saying. So I guess you're assuming that first to make a release is the key that is always trusted? (how do you know to trust that key).

I'm surprised no one has cared for the myriad of other projects where I have cut releases that are non-congruent with other maintainers. For example tpm2-tss releases have been conducted by myself, @flihp, @AndreasFuchsTPM, @tstruk and perhaps even @JuergenReppSIT. As far as I know, we never did a key-signing party.

[dvzrv]

how do you know to trust that key

We don't know. We follow TOFU and add the certificate and its fingerprint to our package sources.

I'm surprised no one has cared for the myriad of other projects where I have cut releases that are non-congruent with other maintainers.

I can't speak for the past, as the tpm2 packages are just something that I am now also sometimes updating as the initial maintainer is M.I.A.

we never did a key-signing party.

You don't necessarily need one for this :)
Another possibility as outlined in #276 (comment) can be to add a clearsigned token by @AndreasFuchsTPM that establishes a chain of trust.

What other projects often opt for is to maintain a document (e.g. a section in the README), that lists the persons responsible for creating releases and their respective key fingerprints. Changes to this document are done using signed commits and the first person to sign a release introduces further persons to said document, etc.

[williamcroberts]

We just forgot to add me to this maintainers file, but I'm not an official maintainer anymore.

[AndreasFuchsTPM]

The problem here is right now that I do not have access to the old GPG key since I left it with my former employer.
I forgot to cross-sign back then.
Thus I am afraid, we will have to start over again.
I will create a new gpg key for myself, I can also add Bill to the maintainers file, but we will not be able to maintain a chain.
Apologies for this !