Document pgp artifact signing keys
Closes #3084
krmahadevan committed Mar 7, 2024
1 parent 832cff4 commit 438674c
Showing 3 changed files with 127 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGES.txt
@@ -1,4 +1,5 @@
Current (7.10.0)
Fixed: GITHUB:3084: Document project's PGP artifact signing keys (Krishnan Mahadevan)
Fixed: GITHUB:3040: replace the usages of synchronized with ReentrantLock (Krishnan Mahadevan)
Fixed: GITHUB-3041: TestNG 7.x DataProvider works in opposite to TestNG 6.x when retrying tests. (Krishnan Mahadevan)
Fixed: GITHUB-3066: How to dynamically adjust the number of TestNG threads after IExecutorFactory is deprecated? (Krishnan Mahadevan)
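Review bot: The new entry at the top of this hunk writes the issue reference as `GITHUB:3084` (colon), while the entries two lines below use the hyphen form `GITHUB-3041` / `GITHUB-3066`; pick one form for the file so the references stay greppable. The `Fixed:` prefix also reads oddly for a pure documentation addition such as "Document project's PGP artifact signing keys"; a wording that says the keys were added or documented would describe the change more accurately.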
37 changes: 37 additions & 0 deletions KEYS
@@ -0,0 +1,37 @@
pub rsa2048 2016-12-01 [SC]
C4F54D8622C95CC3F098721A0F13D5631D6AF36D
uid [ unknown] Krishnan Mahadevan (krmahadevan-key) <krishnan.mahadevan1978@gmail.com>
sig 3 0F13D5631D6AF36D 2016-12-01 [self-signature]
sub rsa2048 2016-12-01 [E]
sig 0F13D5631D6AF36D 2016-12-01 [self-signature]

-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
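Review bot: The file records the full fingerprint `C4F54D8622C95CC3F098721A0F13D5631D6AF36D`, but the README added in the same commit only ever refers to the 64-bit key ID `0F13D5631D6AF36D` (the last 16 hex digits of that fingerprint); a short header comment here saying that consumers should run `gpg --import KEYS` and compare the full fingerprint, plus a note on how the file was produced (the listing matches `gpg --list-sigs` output followed by an armored export), would make the file self-describing in the way `KEYS` files conventionally are. The `uid [ unknown]` validity marker is expected in an export listing and does not need changing.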
89 changes: 89 additions & 0 deletions README.md
Expand Up @@ -53,3 +53,92 @@ Refer our [Contributing](.github/CONTRIBUTING.md) section for detailed set of st

If your pull request involves fixing SonarQube issues then we would suggest that you please discuss this with the
[TestNG-dev](https://groups.google.com/forum/#!forum/testng-dev) before you spend time working on it.

### GPG Keys

#### Getting the keys

Download the keys as shown below:

```bash
gpg --keyserver keyserver.ubuntu.com --recv-keys 0F13D5631D6AF36D
gpg: key 0F13D5631D6AF36D: "Krishnan Mahadevan (krmahadevan-key) <krishnan.mahadevan1978@gmail.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
```

#### Trusting the keys

Trust the keys as shown below:

```bash
gpg --edit-key 0F13D5631D6AF36D
gpg (GnuPG) 2.4.4; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec rsa2048/0F13D5631D6AF36D
created: 2016-12-01 expires: never usage: SC
trust: full validity: unknown
ssb rsa2048/7295B61CC8DD9AE8
created: 2016-12-01 expires: never usage: E
[ unknown] (1). Krishnan Mahadevan (krmahadevan-key) <krishnan.mahadevan1978@gmail.com>

gpg> trust
sec rsa2048/0F13D5631D6AF36D
created: 2016-12-01 expires: never usage: SC
trust: full validity: unknown
ssb rsa2048/7295B61CC8DD9AE8
created: 2016-12-01 expires: never usage: E
[ unknown] (1). Krishnan Mahadevan (krmahadevan-key) <krishnan.mahadevan1978@gmail.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
sec rsa2048/0F13D5631D6AF36D
created: 2016-12-01 expires: never usage: SC
trust: ultimate validity: unknown
ssb rsa2048/7295B61CC8DD9AE8
created: 2016-12-01 expires: never usage: E
[ unknown] (1). Krishnan Mahadevan (krmahadevan-key) <krishnan.mahadevan1978@gmail.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> exit
Invalid command (try "help")
gpg> quit
```
#### Verifying the signature
1. Download the `.asc` file from `https://repo1.maven.org/maven2/org/testng/testng/<versionGoesHere>`
2. Run the command `gpg --verify testng-<versionGoesHere>.jar.asc testng-<versionGoesHere>.jar`
3. You should see an output as below:
```bash
gpg: Signature made Tue Dec 26 15:06:16 2023 IST
gpg: using RSA key 0F13D5631D6AF36D
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Good signature from "Krishnan Mahadevan (krmahadevan-key) <krishnan.mahadevan1978@gmail.com>" [ultimate]
```
For more details regarding keys please refer:
* [Verifying Signature](https://infra.apache.org/release-signing.html#verifying-signature)
* [How to Trust Imported GPG Keys](https://classroom.anir0y.in/post/blog-how-to-trust-imported-gpg-keys/)
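Review bot: The "Trusting the keys" section instructs readers to answer `5` (ultimate trust) for a maintainer's key, but ownertrust controls how much this key's certifications of other keys are believed, and ultimate is intended for keys the user controls; verifying an artifact signature does not require setting ownertrust at all. Suggest replacing that section with a fingerprint check against `KEYS` (`gpg --fingerprint 0F13D5631D6AF36D` should print `C4F54D8622C95CC3F098721A0F13D5631D6AF36D`) followed by a local certification (`gpg --lsign-key 0F13D5631D6AF36D`), or simply stating that a `Good signature` line accompanied by gpg's warning that the key is not certified by a trusted signature still confirms the artifact is intact. Several transcript details will not match what a reader sees and should be cut: `Secret key is available.` and the initial `trust: full` appear only because the session was captured on the key owner's own machine, the `gpg> exit` / `Invalid command (try "help")` pair is a mistyped command, and the `[ultimate]` in the step 3 output is likewise specific to the author's keyring. In "Getting the keys" the sample output reads `not changed` / `unchanged: 1`, which is what a repeat import prints; a first import prints that the key was imported. In "Verifying the signature", step 1 should say to download both the `.jar` and its `.asc`, since step 2 passes both to `gpg --verify`.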
