(New Key) Generating new PGP key for signing artifacts starting 3.0.0 with @opensearch.org email #5308

Open
peterzhuamazon opened this issue Feb 5, 2025 · 15 comments

Comments

@peterzhuamazon
Member

peterzhuamazon commented Feb 5, 2025

In past years we have been using the opensearch@amazon.com email to generate / renew the PGP key that signs the artifacts.

There is also another key for rubygems here:

There is also a set of keys now just for the terraform provider:

Starting from 3.0.0, we would like to generate a new PGP key with @opensearch.org email.

Some thoughts:

  • The new key will switch from a 1-year expiration of the sub-public key to every 5 years
  • Not sure if we want to keep the key active for an unlimited amount of time to avoid further renewals.
  • Possibly release@opensearch.org as the email to replace opensearch@amazon.com? Suggestions welcome.
  • Renew the old key C5B7498965EFD1C2924BA9D539D319879310D3FC OpenSearch project <opensearch@amazon.com> as long as 2.x is still in maintenance mode, and let it expire after the maintenance window.
  • The old key will be compatible with 1.x/2.x artifact verification, but not 3.0.0. Similarly, the new key will be compatible with 3.x and above.
  • Rubygems is a different case, so we can work on that later once the main artifact key is generated and released alongside 3.0.0.

Thanks.

@peterzhuamazon
Member Author

Hi @getsaurabh02 @Pallavi-AWS @prudhvigodithi @gaiksaya @rishabh6788 @zelinh, please share your thoughts about it.

Thanks.

@peterzhuamazon
Member Author

peterzhuamazon commented Feb 5, 2025

Adding @tykeal @jmertic @reta on potential email choice for the new key:

  • release@opensearch.org
  • signing@opensearch.org
  • artifacts@opensearch.org
  • devops@opensearch.org
  • infra@opensearch.org
  • security@opensearch.org

Welcome suggestions.

Thanks!

@reta
Contributor

reta commented Feb 5, 2025

Adding @tykeal @jmertic @reta on potential email choice for the new key:

I kinda like the release@opensearch.org option, but I honestly don't really know if there are well-established conventions there

@prudhvigodithi
Member

A separate topic, but related to signing: the existing terraform provider has its own managed key set. We should consider using the same new key set for all the OpenSearch artifacts, including this provider. Since the terraform provider, along with the HashiCorp registry, is now also part of the OpenTofu registry, once migrated we should update both registries with the new key set.

@peterzhuamazon
Member Author

A separate topic, but related to signing: the existing terraform provider has its own managed key set. We should consider using the same new key set for all the OpenSearch artifacts, including this provider. Since the terraform provider, along with the HashiCorp registry, is now also part of the OpenTofu registry, once migrated we should update both registries with the new key set.

Hi @prudhvigodithi, which part of the code has that public key?
And do we need to upload the key to OpenTofu as well? (I think there was a related issue last time?)

Thanks.

@peterzhuamazon
Member Author

peterzhuamazon commented Feb 5, 2025

Adding @tykeal @jmertic @reta on potential email choice for the new key:

I kinda like the release@opensearch.org option, but I honestly don't really know if there are well-established conventions there

I think I also saw devops@something.com or similar; maybe infra@opensearch.org can also be a choice here, or even security@.

I do see things like rvm just use a personal email for signing as well.

@prudhvigodithi
Member

Hi @prudhvigodithi, which part of the code has that public key? And do we need to upload the key to OpenTofu as well? (I think there was a related issue last time?)

Thanks.

Here is the code link, Peter, using GH secrets to sign and release the provider, and yes, the public key is uploaded to the OpenTofu and HashiCorp registries, so the provider is validated during initialization.
Thanks

@peterzhuamazon
Member Author

We will use release@opensearch.org since there is no strong opinion on this.

Thanks.

krisfreedain removed the untriaged label Feb 24, 2025
@krisfreedain
Member

Catch All Triage - 1 2

@peterzhuamazon
Member Author

peterzhuamazon commented Mar 4, 2025

@reta @andrross @getsaurabh02 @prudhvigodithi @gaiksaya @Divyaasm :

In order not to break the yum/apt repos, I think we still need to renew the old key here for 2.19.x, while creating the new key for 3.x with release@opensearch.org.

cc: @krisfreedain, we need to update https://opensearch.org/verify-signatures.html with the two keys.

Thanks.

@krisfreedain
Member

@peterzhuamazon - happy to help - let me know when you have the updates

@zelinh
Member

zelinh commented Mar 4, 2025

For clients released to PyPI, I think they have already removed the PGP signature requirement, so we don't need to worry about that part.

@peterzhuamazon
Member Author

peterzhuamazon commented Mar 6, 2025

New key generated with this keyspec setup:

Key-Type: RSA
Key-Size: 4096
Key-Usage: sign
Name-Comment: OpenSearch Project
Name-Email: release@opensearch.org
Expire-Date: 0
Passphrase: 
%commit

New key fingerprint: A8B2D9E04CD51FEF6AA2DB53BA81D99981191457
Expire: 2027-03-06.
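
Added example (an editor's addition, not code from this thread or from the OpenSearch build pipeline): the script below rehearses the rotation plan discussed above in throwaway GnuPG homes. It generates an "old" 1-year key for opensearch@amazon.com and a "new" non-expiring key for release@opensearch.org, detach-signs a constructed 2.19.0 and a constructed 3.0.0 stand-in artifact, then verifies them the way a user following the verify-signatures page would: with only the new key imported, with both keys imported, and against a tampered file. It assumes GnuPG 2.1+ (gpg and gpgconf) on PATH; the key size defaults to the 4096 used above and can be lowered with KEY_SIZE=2048 for a quicker run. Two deliberate differences from the posted keyspec: GnuPG's documented batch keyword for the size is Key-Length (Key-Size is not among the documented parameters), and %no-protection stands in for the empty Passphrase line so an unattended run does not hit pinentry; Name-Real is also supplied so the user ID carries a name. key_expiry reads the expiry actually recorded on the generated key from the pub record of --with-colons output, which is the check to run after generation rather than relying on what the keyspec was meant to do.

```shell
#!/bin/sh
# Added example, not OpenSearch project code. Rehearses the old-key / new-key
# rotation from this thread in throwaway GnuPG homes. Assumes GnuPG 2.1+ on PATH.
# Deviations from the posted keyspec (labelled here and in the lead-in): Key-Length
# instead of Key-Size, Name-Real added, %no-protection instead of an empty Passphrase.
set -eu

KEY_SIZE="${KEY_SIZE:-4096}"

# gpgh HOME ARGS...: run gpg non-interactively against a specific GNUPGHOME.
gpgh() { h="$1"; shift; GNUPGHOME="$h" gpg --batch --no-tty "$@"; }

new_home() { mkdir -p "$1"; chmod 700 "$1"; }

# gen_key HOME EMAIL EXPIRE: unattended sign-only RSA key; prints its fingerprint.
gen_key() {
  gpgh "$1" --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: $KEY_SIZE
Key-Usage: sign
Name-Real: OpenSearch project
Name-Comment: OpenSearch Project
Name-Email: $2
Expire-Date: $3
%commit
EOF
  gpgh "$1" --with-colons --list-keys "<$2>" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# key_expiry HOME FPR: "never" for Expire-Date: 0, otherwise the expiry recorded on
# the key as seconds since the epoch (field 7 of the pub record).
key_expiry() {
  e="$(gpgh "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "pub" { print $7; exit }')"
  if [ -n "$e" ]; then echo "$e"; else echo never; fi
}

# sign_artifact HOME FPR FILE: armored detached signature written next to the file,
# mirroring the <artifact>.sig the release pipeline publishes alongside <artifact>.
sign_artifact() {
  gpgh "$1" --yes --local-user "$2" --armor --detach-sign --output "$3.sig" "$3"
}

# import_pub SRC_HOME FPR DST_HOME: what a user does after downloading the public key.
import_pub() {
  gpgh "$1" --armor --export "$2" | gpgh "$3" --quiet --import
}

# verify_sig HOME FILE: prints the signing key's fingerprint on a valid signature,
# NO_PUBKEY when the key is missing from this keyring, BADSIG otherwise. gpg's exit
# status is swallowed on purpose so set -e does not abort the negative cases.
verify_sig() {
  out="$(gpgh "$1" --status-fd 1 --verify "$2.sig" "$2" 2>/dev/null || true)"
  case "$out" in
    *"[GNUPG:] VALIDSIG "*) printf '%s\n' "$out" | awk '$2 == "VALIDSIG" { print $3; exit }' ;;
    *"[GNUPG:] NO_PUBKEY "*) echo NO_PUBKEY ;;
    *) echo BADSIG ;;
  esac
}

run_rotation_demo() {
  WORK="$(mktemp -d)"
  SIGNER="$WORK/signer"; USER_HOME="$WORK/user"
  new_home "$SIGNER"; new_home "$USER_HOME"

  # Old key as in the thread: 1-year expiry, renewed while 2.x is maintained.
  OLD_FPR="$(gen_key "$SIGNER" opensearch@amazon.com 1y)"
  # New key for 3.x: Expire-Date 0, i.e. no expiry recorded on the primary key.
  NEW_FPR="$(gen_key "$SIGNER" release@opensearch.org 0)"
  OLD_EXPIRY="$(key_expiry "$SIGNER" "$OLD_FPR")"
  NEW_EXPIRY="$(key_expiry "$SIGNER" "$NEW_FPR")"

  # Constructed stand-ins for the real tarballs.
  A2="$WORK/opensearch-2.19.0.tar.gz"; A3="$WORK/opensearch-3.0.0.tar.gz"
  printf 'constructed 2.19.0 artifact\n' > "$A2"
  printf 'constructed 3.0.0 artifact\n' > "$A3"
  sign_artifact "$SIGNER" "$OLD_FPR" "$A2"
  sign_artifact "$SIGNER" "$NEW_FPR" "$A3"

  # A user who only imported the new key: 3.0.0 verifies, 2.19.0 does not.
  import_pub "$SIGNER" "$NEW_FPR" "$USER_HOME"
  V_NEW_ON_3="$(verify_sig "$USER_HOME" "$A3")"
  V_NEW_ON_2="$(verify_sig "$USER_HOME" "$A2")"
  # After also importing the old key, as a two-key verify page must instruct, 2.19.0 verifies.
  import_pub "$SIGNER" "$OLD_FPR" "$USER_HOME"
  V_BOTH_ON_2="$(verify_sig "$USER_HOME" "$A2")"
  # A modified artifact fails even with the right key present.
  printf 'x' >> "$A3"
  V_TAMPERED="$(verify_sig "$USER_HOME" "$A3")"

  printf 'old %s expires %s\nnew %s expires %s\n' "$OLD_FPR" "$OLD_EXPIRY" "$NEW_FPR" "$NEW_EXPIRY"
  printf 'new key only: 3.0.0=%s 2.19.0=%s\nboth keys: 2.19.0=%s\ntampered 3.0.0=%s\n' \
    "$V_NEW_ON_3" "$V_NEW_ON_2" "$V_BOTH_ON_2" "$V_TAMPERED"

  for h in "$SIGNER" "$USER_HOME"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$WORK"
}

if command -v gpg >/dev/null 2>&1; then
  run_rotation_demo
else
  echo "gpg not found; install GnuPG 2.1+ to run this example" >&2
fi
```

Run it as `KEY_SIZE=2048 sh rotation-demo.sh` for a fast pass; the interesting lines are the second verify with only the new key present (NO_PUBKEY on the 2.19.0 file), which is exactly the situation a user hits if the verify-signatures page lists only the 3.x key, and the tampered run, which shows that having the key imported does not make a modified download pass.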

github-project-automation bot moved this from 🏗 In progress to ✅ Done in Engineering Effectiveness Board Mar 6, 2025
peterzhuamazon reopened this Mar 8, 2025
github-project-automation bot moved this from ✅ Done to 🏗 In progress in Engineering Effectiveness Board Mar 8, 2025
@peterzhuamazon
Member Author

Will close once the new 3.0.0 version is out.

github-actions bot added the untriaged label Mar 8, 2025
peterzhuamazon moved this from Not started to In Progress in OpenSearch Engineering Effectiveness Mar 8, 2025
peterzhuamazon removed the untriaged label Mar 8, 2025