Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 1 changed file with 59 additions and 82 deletions.
4ad43f2
Can you add the sig file? https://dl.yarnpkg.com/debian/pubkey.gpg.sig gets a 404
To add the new key to apt:
@kingpinzs - What is supposed to be in that file? I don't think it has ever existed.
@ohmtech-rdi Sorry for the inconvenience. There's a PR somewhere to make this a better process, but I didn't get around to reviewing it and Yarn v1 is mostly in maintenance mode now.
@Daniel15 yarnpkg/yarn#4453 (comment) Key integrity check
https://central.sonatype.org/publish/requirements/gpg/#signing-a-file
@kingpinzs That file has never existed in the repo, so that'd be a new feature request.
What's the point of signing a GPG key with the GPG key itself? 🤔 The key is the same, it's just got a longer expiry date now.
Wouldn't it be to make sure it never got modified, either on the server or on the way to the device pulling it down?
I might be completely wrong.
But I figure:
GPG file signature checking is used to verify the authenticity and integrity of a file. A digital signature is created by encrypting a hash of the file using the private key of the signer. When the file is received, the signature can be decrypted using the signer's public key and the hash of the received file can be compared to the decrypted hash. If the hashes match, it verifies that the file has not been tampered with and was indeed signed by the specified signer. This ensures that the file came from a trusted source and has not been modified during transmission.
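Added example, not code from the Yarn project or from anyone in this thread: a toy hash-then-sign signature in pure Python (textbook RSA over freshly generated primes, no padding, insecure and for illustration only) that shows what the detached signature described above proves and where Daniel15's objection bites. A signature over the key file made with the key inside that same file can be checked, but an attacker who substitutes the key can substitute the signature as well, so that circular check passes for the replaced key. The check only means something when the verifying key, or its fingerprint, is pinned from a source obtained out-of-band, such as a keyring that was already installed. The function names, the `n:e` key-file format and the SHA-256 fingerprint are assumptions made for this example.

```python
import hashlib
import random


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test (toy key generation only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)). n must exceed 2**256 so a SHA-256 digest fits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def sign(data, private):
    """Detached signature: hash the bytes, then apply the private exponent."""
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify(data, signature, public):
    """Apply the public exponent and compare with a fresh hash of the data."""
    n, e = public
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


# Assumed key-file format for the demo: decimal "n:e" (not a real GPG packet).
def serialize_public(public):
    return f"{public[0]}:{public[1]}".encode()


def parse_public(key_bytes):
    n, e = key_bytes.decode().split(":")
    return int(n), int(e)


def fingerprint(key_bytes):
    """Stand-in for the fingerprint you would pin from an out-of-band source."""
    return hashlib.sha256(key_bytes).hexdigest()


def self_check(key_bytes, sig):
    """Circular check: verify pubkey.gpg.sig with the key found in pubkey.gpg."""
    return verify(key_bytes, sig, parse_public(key_bytes))


def pinned_check(key_bytes, sig, pinned_fingerprint):
    """Anchored check: only trust the key whose fingerprint you already hold."""
    return fingerprint(key_bytes) == pinned_fingerprint and self_check(key_bytes, sig)


def demo():
    random.seed(20240101)  # reproducible toy keys
    genuine_pub, genuine_priv = generate_keypair()
    key_file = serialize_public(genuine_pub)
    key_sig = sign(key_file, genuine_priv)           # key signed with itself
    pinned = fingerprint(key_file)                   # learned earlier, out-of-band

    # Attacker swaps both the key and its detached signature in transit.
    attacker_pub, attacker_priv = generate_keypair()
    evil_file = serialize_public(attacker_pub)
    evil_sig = sign(evil_file, attacker_priv)

    return {
        "valid_signature": verify(key_file, key_sig, genuine_pub),
        "tampered_detected": not verify(key_file + b"\n", key_sig, genuine_pub),
        "self_check_passes_for_attacker_key": self_check(evil_file, evil_sig),
        "pinned_check_rejects_attacker_key": not pinned_check(evil_file, evil_sig, pinned),
        "pinned_check_accepts_genuine_key": pinned_check(key_file, key_sig, pinned),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two interesting results are the last pair: the self-check accepts the attacker's substituted key, while the fingerprint-anchored check does not. In practice the anchor is the fingerprint published through a separate channel, or the keyring already on the machine, which is also why a key rotation is best signed by the key it replaces rather than by itself.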
This still fails for me I think:
Do I just have to add the key to apt as @ohmtech-rdi commented?