# gpgkeys.txt is broken



## mms (Aug 12, 2021)

```
$ gpg --allow-non-selfsigned-uid --no-default-keyring --keyring /tmp/tmp.s7YEIIZX --import /tmp/tmp.oVtOGme1
...
gpg: invalid armor header: mQINBF+5ojQBEADSqQjD4h1lOwAGgmz4dK0Zf4JkoJCpQ7jw2B5jigNySdKf1rQN\n
gpg: CRC error; DDCBB0 - 42D3D7
gpg: [don't know]: invalid packet (ctb=48)
gpg: read_block: read error: invalid packet
gpg: import from `/tmp/tmp.oVtOGme1' failed: invalid keyring
gpg: Total number processed: 263
gpg:               imported: 263  (RSA: 166)
gpg: no ultimately trusted keys found
```

The problem is a missing empty line before `mQINBF+5ojQBEADSqQjD4h1lOwAGgmz4dK0Zf4JkoJCpQ7jw2B5jigNySdKf1rQN` (currently at line 49955).

Please fix this asap, we are relying on that file for automated release ISO signature validation.


As a side note, the hosting of that file is also sort of broken. The download breaks frequently like in the following example (from today):

```
$ fetch -o /tmp/tmp.oVtOGme1 -- 'https://docs.freebsd.org/pgpkeys/pgpkeys.txt'
/tmp/tmp.oVtOGme1                              87% of 5481 kB 1259 kBps    04s
fetch: /tmp/tmp.oVtOGme1 appears to be truncated: 4905771/5612792 bytes
```

As another side note: Why are you not using some sane key to sign the releases (like the security officer key) that would allow you to validate an ISO without trusting a couple hundred keys (or jumping through yet another set of hoops for extracting that very particular key)? And while we are at it: why isn't there a sane and well documented process for this (I'm not even talking tools...)? After all, we have the year 2021. I would expect something that doesn't feel homegrown and severely outdated. And I certainly don't want to download and validate some release ISO to get hold of a trustworthy MANIFEST just to validate a base.txz.

It also doesn't help that the checksum files and the keyring are renamed and moved at will on the website without any notice. This way you also break the processes other people build in lack of an official one. At least give us an HTTP redirect!
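A small lint for the failure shown in the gpg output above, added here as an example and not code from the FreeBSD project or this post: it walks every armored block in a concatenated keyring, flags a header section that is not closed by an empty line (the exact defect reported, which makes gpg read the first base64 line as an armor header), a missing END line, and a CRC-24 mismatch (gpg's "CRC error"). The `armor()` helper and its sample bytes are constructed for the demo; run `lint_armor()` on the real pgpkeys.txt before feeding it to `gpg --import`.

```python
import base64
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB   # OpenPGP CRC-24 (RFC 4880 section 6.1)
HEADER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*: ")  # armor header line, "Key: value"

def crc24(data: bytes) -> int:
    """CRC-24 used for the '=XXXX' checksum line at the end of an armored body."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(raw: bytes, blank_line: bool = True) -> str:
    # Constructed sample block (not a real key); blank_line=False reproduces the reported defect.
    body = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    sep = "\n" if blank_line else ""   # the empty line that must follow the header lines
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed\n{sep}{body}\n={crc}\n-----END PGP PUBLIC KEY BLOCK-----\n"

def lint_armor(text: str) -> list[str]:
    """Report, per BEGIN block: no empty line after the headers, no END line, or a CRC-24 mismatch."""
    lines, problems, i, n = text.splitlines(), [], 0, 0
    while i < len(lines):
        if not lines[i].startswith("-----BEGIN PGP "):
            i += 1
            continue
        n, i = n + 1, i + 1
        while i < len(lines) and HEADER_RE.match(lines[i]):   # skip "Key: value" headers
            i += 1
        if i < len(lines) and lines[i] == "":
            i += 1
        else:  # gpg then parses this base64 line as a header: "invalid armor header: mQINBF..."
            problems.append(f"block {n}, line {i + 1}: missing empty line before body")
        body = []
        while i < len(lines) and not lines[i].startswith("-----END PGP "):
            body.append(lines[i])
            i += 1
        if i == len(lines):
            problems.append(f"block {n}: no END line")
            break
        checksum = next((l[1:] for l in body if l.startswith("=")), None)
        raw = base64.b64decode("".join(l for l in body if not l.startswith("=")))
        expect = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
        if checksum != expect:
            problems.append(f"block {n}: CRC mismatch ({checksum} != {expect})")
    return problems
```

For the real file, `lint_armor(open("pgpkeys.txt").read())` reports the block and line number to fix instead of gpg's bare "invalid armor header".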


----------



## mark_j (Aug 12, 2021)

This is a forum for mainly end-users and some developers.
You need to file an appropriate pr with the port maintainer of gpg, not here.
Complaints about signing need to go to the security officer; see the mailing list(s).


----------



## SirDice (Aug 12, 2021)

This is a user support forum, not the place to report bugs. You can report bugs here: https://bugs.freebsd.org/bugzilla/


----------



## mms (Aug 12, 2021)

mark_j said:


> This is a forum for mainly end-users and some developers.
> You need to file an appropriate pr with the port maintainer of gpg, not here.
> Complaints about signing need to go to the security officer; see the mailing list(s).


It's not about gpg, it's about a file on the project website.

Thanks SirDice, you are right. I've filed a bug: PR 257783

However, I would like to keep the discussion open for the rant. The current validation process for deliverables seems severely lacking in many regards.


----------



## SirDice (Aug 12, 2021)

mms said:


> However, I would like to keep the discussion open for the rant. The current validation process for deliverables seems severely lacking in many regards.


This is also not the place to do that. There are very few developers or maintainers on the forums, so there are very few people around that could do anything about it. This board is run by users for users. You can find the developers and maintainers on the various mailing lists.


----------



## mms (Aug 12, 2021)

Been there, done that: PR 222044

At which point is it safe to assume that no one cares?


----------



## mark_j (Aug 12, 2021)

mms said:


> It's not about gpg, it's about a file on the project website.
> 
> Thanks SirDice, you are right. I've filed a bug: PR 257783
> 
> However, I would like to keep the discussion open for the rant. The current validation process for deliverables seems severely lacking in many regards.


And you've got a reply to your pr showing it's best to keep your rant (your words) addressed to the people who can make the changes.


----------



## mms (Aug 12, 2021)

This is true, but I've also got another PR that shows that the issue for my rant (the other side note) is not reaching an interested audience on that channel either.


----------



## SirDice (Aug 12, 2021)

Providing an objective description of issues and problems usually works a lot better. Leave your emotions out of it. I understand things can be frustrating but ranting never helps getting things done.


----------

