
(New Key) Generating new PGP key for signing artifacts starting 3.0.0 with @opensearch.org email #5308

Open
peterzhuamazon opened this issue Feb 5, 2025 · 7 comments
Labels
release signing untriaged Issues that have not yet been triaged v3.0.0

Comments

@peterzhuamazon
Member

peterzhuamazon commented Feb 5, 2025

In past years we have been using the [email protected] email to generate / renew the PGP key that signs the artifacts.

There is also another key for rubygems here:

There is also a set of keys now just for terraform provider:

Starting from 3.0.0, we would like to generate a new PGP key with @opensearch.org email.

Some thoughts:

  • New key will switch from 1 year expiration of the sub-public key to every 5 years
  • Not sure if we want to keep the key active for an unlimited amount of time to avoid further renewal.
  • Possible email [email protected] to replace [email protected]? Welcome suggestions.
  • Renew the old key C5B7498965EFD1C2924BA9D539D319879310D3FC OpenSearch project <[email protected]> as long as 2.x is still in maintenance mode, and let it expire after the maintenance window.
  • The old key will be compatible with 1.x/2.x artifact verification, but not 3.0.0. Similarly, the new key will be compatible with 3.x and above.
  • Rubygems is a different case, so we can work on that later once the main artifact key is generated and released alongside 3.0.0.

Thanks.

@peterzhuamazon
Member Author

Hi @getsaurabh02 @Pallavi-AWS @prudhvigodithi @gaiksaya @rishabh6788 @zelinh, please share your thoughts about it.

Thanks.

@peterzhuamazon
Member Author

peterzhuamazon commented Feb 5, 2025

Adding @tykeal @jmertic @reta on potential email choice for the new key:

Welcome suggestions.

Thanks!

@reta
Contributor

reta commented Feb 5, 2025

Adding @tykeal @jmertic @reta on potential email choice for the new key:

I kinda like the [email protected] option, but I honestly don't really know if there are well established conventions there.

@prudhvigodithi
Member

A separate topic but related to signing: the existing Terraform provider has its own managed key set. We should consider using the same new key set for all the OpenSearch artifacts, including this provider. Since the Terraform provider, along with the HashiCorp registry, is now also part of the OpenTofu registry once migrated, we should update both registries with the new key set.

@peterzhuamazon
Member Author

A separate topic but related to signing: the existing Terraform provider has its own managed key set. We should consider using the same new key set for all the OpenSearch artifacts, including this provider. Since the Terraform provider, along with the HashiCorp registry, is now also part of the OpenTofu registry once migrated, we should update both registries with the new key set.

Hi @prudhvigodithi, which part of the code has that public key?
And do we need to upload the key to OpenTofu as well? (I think there was a related issue last time?)

Thanks.

@peterzhuamazon
Member Author

peterzhuamazon commented Feb 5, 2025

Adding @tykeal @jmertic @reta on potential email choice for the new key:

I kinda like the [email protected] option, but I honestly don't really know if there are well established conventions there.

I think I also saw [email protected] or similar, maybe [email protected] can also be a choice here, or even security@.

I do see things like rvm just use personal email for signing as well.

@prudhvigodithi
Member

Hi @prudhvigodithi, which part of the code has that public key? And do we need to upload the key to OpenTofu as well? (I think there was a related issue last time?)

Thanks.

Here is the code link, Peter, using GH secrets to sign and release the provider, and yes, the public key is uploaded to the OpenTofu and HashiCorp registries, so the provider is validated during initialization.
Thanks.
