Specify more GPG key bits — otherwise the key can be faked? Someone already did
On the website, https://openresty.org/en/download.html, there's this:
Source Code Releases All the releases are signed by the public PGP key A0E98066 of Yichun Zhang.
That's 32 bits to identify a key, and that's too few bits; others can generate fake keys with the same last 32 bits.
In fact, someone did:
$ gpg --keyserver keyserver.ubuntu.com --keyserver-options timeout=10 --recv-key A0E98066
gpg: key A84A5A40A0E98066: public key "Totally Legit Signing Key <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
As you can see, someone has generated a fake key that ends with A0E98066.
(That's Ubuntu's keyserver, which I tried, when MIT didn't work; they're supposed to be in sync with each other I think?)
What do you think about specifying the full key ID on the website, or the last 64 bits?
There's an old issue and a merged PR related to that. Issue: https://github.com/openresty/openresty.org/issues/30 "Add information to the GPG key". PR: https://github.com/openresty/openresty.org/pull/32 "Add information about public key to verify release files".
But somehow the changes in the PR seem to have gotten lost over the years. Anyway, in the PR, I see that the last 64 bits of the key are: 0xB550E09EA0E98066
By the way, I could send a PR about this, if you want.
Maybe we might as well include the full key? I don't know if 64 bits is that much nowadays?
I think this is the complete public key? 25451EB088460026195BD62CB550E09EA0E98066
gpg --keyserver pgpkeys.mit.edu --keyserver-options timeout=10 --recv-key 25451EB088460026195BD62CB550E09EA0E98066
gpg: key B550E09EA0E98066: 1 signature not checked due to a missing key
gpg: key B550E09EA0E98066: "Yichun Zhang (agentzh) <agentzh at ... googlemail ...>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
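To make concrete why a 32-bit key ID is forgeable and why only the full fingerprint should be published and checked, here is an added example (not part of the thread, and not OpenResty's or GnuPG's code). It builds toy OpenPGP v4 public-key packets, computes their fingerprints the way RFC 4880 defines them (SHA-1 over 0x99, a two-byte length and the packet body), shows that the short and long key IDs are just the trailing 4 and 8 bytes of that fingerprint (using the fingerprint quoted above, which yields A0E98066 and B550E09EA0E98066), and then brute-forces a second, different key whose key ID collides with the first. The collision search is run at 16 bits so it finishes in seconds; at 32 bits it is the same loop with 65536 times more work, which is exactly what produced the "Totally Legit Signing Key" above. The key material and creation timestamps are constructed placeholders, not real keys.

```python
import hashlib
import hmac
import struct

# Full fingerprint quoted in the thread for Yichun Zhang's key (the only real value here).
GENUINE_FINGERPRINT = bytes.fromhex("25451EB088460026195BD62CB550E09EA0E98066")

# Constructed placeholder "key material" (assumption: arbitrary integers, not RSA moduli;
# fingerprinting does not care whether they are valid keys).
REAL_N = 0xD4A6BF1D3E8F0A4B9C7E2D5F6A8B1C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8091
FAKE_N = 0x9F3E1D2C4B5A69788796A5B4C3D2E1F0112233445566778899AABBCCDDEEFF01
E = 65537
REAL_CREATED = 1234567890  # constructed creation timestamp


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_pubkey_packet_body(created: int, n: int, e: int) -> bytes:
    """RFC 4880 5.5.2 v4 public-key body: version 4, creation time, algorithm 1 (RSA), MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 12.2: fingerprint = SHA-1(0x99 || 2-byte body length || body)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def key_id(fingerprint: bytes, bits: int) -> str:
    """A key ID is nothing but the low-order `bits` of the fingerprint (32 short, 64 long)."""
    return fingerprint[-(bits // 8):].hex().upper()


def verify_fingerprint(candidate: bytes, expected: bytes) -> bool:
    """The check a release-verification script should do: compare all 160 bits, constant-time."""
    return hmac.compare_digest(candidate, expected)


def find_colliding_key(target_fp: bytes, match_bits: int, n: int, e: int,
                       start: int = 0, max_tries: int = 1 << 20):
    """Search for a *different* key whose key ID matches the target's low `match_bits` bits.

    Only the creation timestamp is varied here; a real attacker varies key material too.
    Expected work is about 2**match_bits hashes, which is why 32 bits is cheap and 160 is not.
    Returns (timestamp, fingerprint) or None if max_tries is exhausted.
    """
    want = key_id(target_fp, match_bits)
    for created in range(start, start + max_tries):
        fp = v4_fingerprint(v4_pubkey_packet_body(created, n, e))
        if fp != target_fp and key_id(fp, match_bits) == want:
            return created, fp
    return None


if __name__ == "__main__":
    print("short ID of the genuine key:", key_id(GENUINE_FINGERPRINT, 32))  # A0E98066
    print("long ID of the genuine key: ", key_id(GENUINE_FINGERPRINT, 64))  # B550E09EA0E98066

    real_fp = v4_fingerprint(v4_pubkey_packet_body(REAL_CREATED, REAL_N, E))
    found = find_colliding_key(real_fp, 16, FAKE_N, E)
    if found is None:
        raise SystemExit("no 16-bit collision within the search budget")
    created, fake_fp = found
    print("toy key ID (16 bits): ", key_id(real_fp, 16))
    print("fake key ID (16 bits): ", key_id(fake_fp, 16), "after", created + 1, "tries")
    print("fake passes short-ID check:", key_id(fake_fp, 16) == key_id(real_fp, 16))
    print("fake passes fingerprint check:", verify_fingerprint(fake_fp, real_fp))
```

The practical takeaway is that a download page should print the full 40-hex-digit fingerprint and the verification step should be `gpg --recv-keys <full fingerprint>` followed by a comparison of the imported key's fingerprint against that published value; fetching by A0E98066 alone lets the keyserver hand back whichever key happens to share those last four bytes.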