Release Signing

From Crypto++ Wiki

Crypto++ releases are signed as part of the Release Process. Crypto++ releases are signed using a key of one of the individuals who are authorized to release Crypto++. "Authorized individuals" roughly means folks with check-in privileges. There is no single project key shared among authorized release personnel.

The collaborators who are authorized to sign releases, and their keys, are listed below.

Name             Key fingerprint
Wei Dai          -
Jeffrey Walton   B8CC 1980 2062 211A 508B 2F5C CE05 86AF 1F8E 37BD
Uri Blumenthal   -

Individuals who have release authorization are expected to:

  1. Announce their current key on the mailing list
  2. Announce changes to the current key on the mailing list
  3. Publish their current key on this wiki page
  4. Publish their current key to a well-known keyserver
  5. Publish changes to the current key on this wiki page
  6. Store the key offline with passphrase protection

Signing keys should be 3072-bit RSA and signatures should use SHA-256. Other algorithm choices, like Ed25519 or SHA-3, will likely cause interop problems for some folks on some platforms.

Changes to the signing key should be retained on this page. That is, don't delete a former key if updating to a new key. Retain the old key for record keeping.

The key should be stored offline with passphrase protection, for example burned to a CD and then stored in a fire-resistant lock box. The key should not be online, and should not be under the control of a key manager or agent that unlocks it automatically.

Note that Wei is listed, but he probably won't sign a release. Wei is busy with other duties, and he leaves the day-to-day operations to others involved in the project.

Related information can be found at Apache Release Signing.

Jeffrey Walton

Key fingerprint = B8CC 1980 2062 211A 508B 2F5C CE05 86AF 1F8E 37BD

-----BEGIN PGP PUBLIC KEY BLOCK-----
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=Yi2N
-----END PGP PUBLIC KEY BLOCK-----

Signing Recipe

The recipe to sign a release is shown below.

$ gpg --list-keys
/home/jwalton/.gnupg/pubring.gpg
--------------------------------
...
pub   3072R/1F8E37BD 2018-12-27 [expires: 2023-12-26]
uid                  Jeffrey Walton (Crypto++ Release) <noloader@gmail.com>

And then:

$ gpg -a -u 1F8E37BD --digest-algo SHA256 --output cryptopp800.zip.sig --detach-sig cryptopp800.zip

You need a passphrase to unlock the secret key for
user: "Jeffrey Walton (Crypto++ Release)"
3072-bit RSA key, ID 1F8E37BD, created 2018-12-27

$ ls -Al cryptopp800.*
-rw-rw-r--. 1 jwalton jwalton 8027821 Dec 27 18:33 cryptopp800.zip
-rw-rw-r--. 1 jwalton jwalton     630 Dec 27 19:38 cryptopp800.zip.sig

$ cat cryptopp800.zip.sig
-----BEGIN PGP SIGNATURE-----
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-----END PGP SIGNATURE-----
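As an added example (not code from the Crypto++ project or from this page), the following Python script checks a detached signature file like the one produced by the recipe above against the policy stated on this page: an RSA key, a SHA-256 digest, and an issuer matching the fingerprint listed for Jeffrey Walton. It decodes the ASCII armor (checking the CRC-24 armor checksum), parses the OpenPGP signature packet per RFC 4880, and reports every policy violation it finds. The function and constant names are chosen here; the sample signature it builds is constructed for testing and carries a dummy MPI rather than a real RSA value, so it exercises the metadata checks only.

```python
import base64

# Policy from the wiki page: RSA keys, SHA-256 signatures, made by an authorized release key.
# Fingerprint copied from the page (Jeffrey Walton); its last 16 hex digits form the long key ID.
EXPECTED_FINGERPRINT = "B8CC19802062211A508B2F5CCE0586AF1F8E37BD"
PUBKEY_RSA, HASH_SHA256 = 1, 8              # RFC 4880 sections 9.1 and 9.4
SUBPKT_ISSUER, SUBPKT_ISSUER_FPR = 16, 33   # issuer key ID / issuer fingerprint subpacket types

def crc24(data):
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text):
    """Return the packet bytes of an armored signature, verifying the armor checksum."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if lines[0] != "-----BEGIN PGP SIGNATURE-----" or lines[-1] != "-----END PGP SIGNATURE-----":
        raise ValueError("not an ASCII-armored PGP signature")
    body = lines[1:-1]
    if "" in body:                              # skip armor headers ("Version: ...") up to the blank line
        body = body[body.index("") + 1:]
    raw = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    for crc_line in (l for l in body if l.startswith("=")):   # optional "=XXXX" checksum line
        if crc24(raw) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
            raise ValueError("armor CRC24 mismatch: signature file is corrupt")
    return raw

def packet_header(raw):
    """Parse the first packet's header (old or new format, RFC 4880 section 4.2); return (tag, body_start, body_length)."""
    ctb = raw[0]
    if not ctb & 0x80:
        raise ValueError("invalid packet tag byte")
    if ctb & 0x40:                              # new-format header
        tag, first = ctb & 0x3F, raw[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + raw[2] + 192
        if first == 255:
            return tag, 6, int.from_bytes(raw[2:6], "big")
        raise ValueError("partial body lengths are not used for signatures")
    # old-format header, as GnuPG emits for signatures; length type 3 (indeterminate) raises KeyError
    tag, width = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 0x03]
    return tag, 1 + width, int.from_bytes(raw[1:1 + width], "big")

def parse_subpackets(data):
    """Map subpacket type -> payload for a signature subpacket area (section 5.2.3.1)."""
    out, pos = {}, 0
    while pos < len(data):
        first = data[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
        else:
            length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
        out[data[pos] & 0x7F] = data[pos + 1:pos + length]   # mask the critical bit off the type
        pos += length
    return out

def parse_signature(raw):
    """Extract algorithm and issuer metadata from a version 4 signature packet (section 5.2.3)."""
    tag, start, length = packet_header(raw)
    if tag != 2:
        raise ValueError("first packet is not a signature packet (tag %d)" % tag)
    body = raw[start:start + length]
    if body[0] != 4:
        raise ValueError("only version 4 signatures are handled")
    hlen = int.from_bytes(body[4:6], "big")
    ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
    # hashed subpackets win on conflict: they are covered by the signature, unhashed ones are not
    subs = {**parse_subpackets(body[8 + hlen:8 + hlen + ulen]), **parse_subpackets(body[6:6 + hlen])}
    return {"sig_type": body[1], "pubkey_algo": body[2], "hash_algo": body[3],
            "issuer_keyid": subs.get(SUBPKT_ISSUER, b"").hex().upper(),
            "issuer_fpr": subs.get(SUBPKT_ISSUER_FPR, b"")[1:].hex().upper()}  # byte 0 is the key version

def check_release_signature(armored, expected_fpr=EXPECTED_FINGERPRINT):
    """Return policy violations found in the signature metadata; an empty list means it matches the page's policy."""
    info, problems = parse_signature(dearmor(armored)), []
    if info["pubkey_algo"] != PUBKEY_RSA:
        problems.append("public-key algorithm %d is not RSA" % info["pubkey_algo"])
    if info["hash_algo"] != HASH_SHA256:
        problems.append("hash algorithm %d is not SHA-256" % info["hash_algo"])
    issuer = info["issuer_fpr"] or info["issuer_keyid"] or "(absent)"
    if issuer not in (expected_fpr, expected_fpr[-16:]):
        problems.append("issuer %s is not an authorized release key" % issuer)
    return problems

def build_sample_signature(hash_algo=HASH_SHA256, pk_algo=PUBKEY_RSA, fingerprint=EXPECTED_FINGERPRINT):
    """Constructed test input: a well-formed v4 signature packet whose MPI is a dummy, not a real RSA value."""
    fpr = bytes.fromhex(fingerprint)
    hashed = bytes([22, SUBPKT_ISSUER_FPR, 4]) + fpr           # issuer fingerprint subpacket (v4 key)
    unhashed = bytes([9, SUBPKT_ISSUER]) + fpr[-8:]             # issuer key ID subpacket
    body = (bytes([4, 0x00, pk_algo, hash_algo]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\x00\x00" + b"\x00\x01\x01")
    packet = bytes([0xC0 | 2, len(body)]) + body                # new-format header, tag 2, one-octet length
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(packet).decode()
            + "\n=" + crc + "\n-----END PGP SIGNATURE-----\n")
```

On a real release the call is `check_release_signature(open("cryptopp800.zip.sig").read())`, and an empty list is the expected result. The script inspects metadata only; it does not perform the RSA verification, so `gpg --verify` against the public key block published on this page is still the step that proves the archive was signed by that key. What the check adds is an explicit, scriptable enforcement of the page's policy: a signature made with SHA-1, with a non-RSA key, or by a key not in the table above is flagged before any trust decision is made, and hashed subpackets are preferred over unhashed ones because only the former are covered by the signature.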