View Issue Details

ID: 0022269
Project: mantisbt
Category: security
View Status: public
Last Update: 2020-05-18 16:04
Reporter: cm_bt
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: N/A
Status: closed
Resolution: fixed
Summary0022269: Public key for verification should be available
Description

After downloading the software package for Mantis, you should be able to verify the signature. The signature can be downloaded too (for example mantisbt-1.3.5.tar.gz.asc). But to verify it, you need to know the public key. The key ID is 0A45E2D6. The key should be uploaded to key-servers and it should be somewhere on mantisbt.org. The key's fingerprint should also be publicly available.

In the documentation there should be some short information on how to test the signature, for example here:

https://www.mantisbt.org/docs/master-1.3.x/en-US/Admin_Guide/html-single/#admin.about.download
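The report asks for instructions on verifying a downloaded package. The following is an added example, not code from the original report or from the MantisBT project's KEYS.md, showing how a downloader would do that with a KEYS file: import the keys into a throw-away keyring so nothing in the user's own keyring can influence the result, run `gpg --verify` with `--status-fd`, and accept only a VALIDSIG line carrying the expected fingerprint. Deciding from the machine-readable status lines is deliberate: grepping the human-readable "Good signature" text (as the changeset below does for tags) is locale-dependent and is printed for any imported key, including one whose trust is undefined. The tarball name, KEYS path, fingerprints and the sample status lines are constructed placeholders, not values from the issue.

```bash
#!/usr/bin/env bash
# Added example (not MantisBT project code): verify a release tarball
# against its detached .asc signature, trusting only the keys in a KEYS
# file, and judge the result from gpg's machine-readable status output.
# File names, the KEYS path and all fingerprints are placeholders.

# check_gpg_status STATUS_TEXT EXPECTED_FPR
#   STATUS_TEXT:  lines as emitted by `gpg --status-fd 1 --verify ...`
#   EXPECTED_FPR: 40-hex-digit fingerprint of the key that must have signed
# Returns 0 only if a VALIDSIG line names the expected fingerprint (as the
# signing key or as the trailing primary-key fingerprint) and no line
# reports a bad, expired, revoked or unknown-key signature. GOODSIG alone
# is not enough: gpg emits it (and "Good signature") for any imported key.
check_gpg_status() {
    local want
    want=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$1" | {
        ok=0; bad=0
        while read -r prefix tag f3 rest; do
            [ "$prefix" = "[GNUPG:]" ] || continue
            case "$tag" in
                BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)
                    bad=1 ;;
                VALIDSIG)
                    # VALIDSIG <fpr> <date> <ts> <exp> <ver> <res> <pk> <hash> <class> [<primary fpr>]
                    last=${rest##* }
                    if [ "$f3" = "$want" ] || [ "$last" = "$want" ]; then
                        ok=1
                    fi ;;
            esac
        done
        [ "$bad" -eq 0 ] && [ "$ok" -eq 1 ]
    }
}

# verify_release TARBALL KEYS_FILE EXPECTED_FPR
# Imports KEYS_FILE into a temporary keyring, verifies TARBALL.asc against
# TARBALL there, and pins the signing key. Returns 0 on a good signature
# by the expected key, 1 on a bad/wrong-key signature, 2 on missing input
# or gpg failure.
verify_release() {
    local tarball=$1 keys_file=$2 want_fpr=$3 home status
    [ -f "$tarball" ] && [ -f "$tarball.asc" ] && [ -f "$keys_file" ] || return 2
    home=$(mktemp -d) || return 2
    chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --import "$keys_file" 2>/dev/null || {
        rm -rf "$home"; return 2; }
    # Status lines go to stdout (fd 1); the human-readable report to stderr.
    status=$(gpg --homedir "$home" --batch --status-fd 1 --verify \
                 "$tarball.asc" "$tarball" 2>/dev/null)
    rm -rf "$home"
    check_gpg_status "$status" "$want_fpr"
}

# Constructed status output (not real MantisBT data) for the cases a
# verifier must tell apart. Note TRUST_UNDEFINED in the good case: gpg
# still prints "Good signature" there, which is why the fingerprint is pinned.
FPR_EXPECTED="0123456789ABCDEF0123456789ABCDEF01234567"
FPR_OTHER="FEDCBA9876543210FEDCBA9876543210FEDCBA98"
STATUS_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $FPR_EXPECTED 2020-04-24 1587759360 0 4 0 1 10 00 $FPR_EXPECTED
[GNUPG:] TRUST_UNDEFINED 0 pgp"
STATUS_WRONG_KEY="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <else@example.invalid>
[GNUPG:] VALIDSIG $FPR_OTHER 2020-04-24 1587759360 0 4 0 1 10 00 $FPR_OTHER
[GNUPG:] TRUST_UNDEFINED 0 pgp"
STATUS_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>"
STATUS_NOKEY="[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1587759360 9 $FPR_EXPECTED
[GNUPG:] NO_PUBKEY 0123456789ABCDEF"

if check_gpg_status "$STATUS_GOOD" "$FPR_EXPECTED"; then echo "good sample: accepted"; fi
if ! check_gpg_status "$STATUS_WRONG_KEY" "$FPR_EXPECTED"; then echo "wrong-key sample: rejected"; fi
if ! check_gpg_status "$STATUS_BAD" "$FPR_EXPECTED"; then echo "bad-signature sample: rejected"; fi
if ! check_gpg_status "$STATUS_NOKEY" "$FPR_EXPECTED"; then echo "unknown-key sample: rejected"; fi

# Real use (placeholders): the fingerprint comes from the KEYS file or the
# project's download page, not from the tarball or the keyserver.
# verify_release mantisbt-2.24.1.tar.gz KEYS.md "$FPR_EXPECTED" && echo verified
```

The isolated `--homedir` matters as much as the fingerprint check: if the KEYS file is fetched over the same channel as the tarball, an attacker who can swap the tarball can swap the KEYS file too, so the fingerprint should be compared against a value obtained out of band (the project's HTTPS download page or documentation), as the report requests.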

TagsNo tags attached.

Relationships

has duplicate 0025720 (closed, atrol): Public key ID 0A45E2D6 used to verify packages isn't available on public key server
related to 0026544 (closed, atrol): SourceForge Files Cannot be Unzipped
related to 0026950 (confirmed): Can't verify gpg signature 2.24.1 release tarball

Activities

dregad (developer) 2019-04-27 08:06 ~0062007

@vboctor you're the only one who can address this.

negora (reporter) 2020-04-13 02:09 ~0063836

Are there any news about this issue? Thanks.

vboctor (manager) 2020-04-24 20:16 ~0063909

Here is the public key that I use to sign releases. @dregad has validated that he can verify releases using this public key.


-----BEGIN PGP PUBLIC KEY BLOCK-----
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=9aN+
-----END PGP PUBLIC KEY BLOCK-----

negora (reporter) 2020-04-25 03:20 ~0063910

Thank you @vboctor. Will you upload it to some key server? If so, it would be cool if you indicated which one in the downloads area. That way, it would be easier for everyone to verify the downloads.

dregad (developer) 2020-04-25 18:55 ~0063911

Will you upload it to some key server?

To my knowledge, all the keys used to sign our releases are already available on the SKS pool's keyservers and possibly elsewhere too, see for example keys.gnupg.net for the one @vboctor referenced in 0022269:0063909.

That being said, I'm currently working on a KEYS file, listing all the PGP keys ever used for Mantis releases, following the same approach used by the Apache foundation. The file will be bundled within the MantisBT repository (so you will be able to download it from Github), and it will be referenced on our download page as well.

dregad (developer) 2020-04-25 19:28 ~0063913

See the following PR

negora (reporter) 2020-04-26 07:26 ~0063916

Perfect. Thank you @dregad !

Related Changesets

MantisBT: master ab440b19
2020-04-25 08:55 dregad
Add KEYS.md: PGP public keys used to sign releases

The file contains basic instructions and lists the PGP public keys of
MantisBT Developers, which were used to sign official release packages
and the corresponding tags in the Git repository.

Issue 0022269
Affected Issues
0022269
add - KEYS.md

MantisBT: master 2b13777c
2020-04-25 09:30 dregad
KEYS.md: add former developers' PGP keys

Added the public keys used by former developers jreese and dhx to sign
release tags, as well as an old key of vboctor.

Issue 0022269

For future reference, here are the steps and commands used to automate
the process of identifying the missing keys and adding them, as I really
didn't want to manually check all 182 tags in the repository.

1. Find all annotated tags
```
git for-each-ref --format="%(objecttype) %(refname:short)" refs/tags |
grep ^tag |cut -d" " -f2| sort -V >/tmp/annotated-tags
```
2. Get all signed tags (removing annotated tags without signature), with
GPG verification data on a single line
```
cat /tmp/annotated-tags |
xargs -n1 -I TAG bash -c 'echo "TAG $(git verify-tag TAG |& paste -s)"' |
grep -v "error: no signature found" >/tmp/signed-tags-data
```
3. Identify the missing keys from the tags for which the signature could
not be checked (i.e. excluding those for which we already have a
public key). The command prints the number of identified keys.
```
cat /tmp/signed-tags-data |
sed -rn "/gpg: Can't check signature/s/^.*using \w+ key (\w+).*$/\1/p" |
sort -u |tee /tmp/missing-keys |wc -l
```
4. Retrieve the missing keys from keyserver. The command should import
the same number of keys as identified at step 3.
```
cat /tmp/missing-keys |cut -d" " -f1 |xargs gpg --receive-keys
```
5. Review, sign and trust the newly added keys.
```
cat /tmp/missing-keys |cut -d" " -f1 |xargs -n1 gpg --sign-key
```
6. Verify that we have successfully added all the necessary keys: the
following command should return an empty list.
```
cat /tmp/signed-tags-data |cut -d" " -f1 |
xargs -n1 -I TAG bash -c 'echo "TAG $(git verify-tag TAG |& paste -s)"' |
grep -v "Good signature"
```
Affected Issues
0022269
mod - KEYS.md

Website: master bd0b2635
2020-04-25 15:17 dregad
Reference KEYS file on Downloads page

Fixes 0022269
Affected Issues
0022269
mod - download.php