4c43b7d41d11072f382f938379d21cd2e0bcbb47 contrib: use hkps://keys.openpgp.org to retrieve builder keys (fanquake)
Pull request description:
`hkps://hkps.pool.sks-keyservers.net` is essentially no-longer functional,
and a number of distributions and GPG tools have since switched to using
the `keys.openpgp.org` key server as their default.
See this Debian patch for additional context:
https://salsa.debian.org/debian/gnupg2/-/blob/debian/main/debian/patches/Use-hkps-keys.openpgp.org-as-the-default-keyserver.patch
Switch to using keys.openpgp.org in the CI as well.
ACKs for top commit:
MarcoFalke:
cr ACK 4c43b7d41d11072f382f938379d21cd2e0bcbb47
Zero-1729:
ACK 4c43b7d41d11072f382f938379d21cd2e0bcbb47
Tree-SHA512: e6c72b67778b76f81c659eee0e4195fea9e579587c64921affd35b9d46a077d4e8754b7fb85ca90a9a4bbc5cd5a47b0c6e4c9dbf9a335418a12f774d665e5a19
bd6a24307564a56d54d98331d5e1680d27ddc09e script: Add Keyserver to verify-commits README (Emil Engler)
Pull request description:
When I use the option with the default keyserver on `gpg (GnuPG) 2.2.12` from the Debian repositories only the keys from meshcollider and fanquake are actually found. Using the ubuntu keyserver works without any problems and all keys are getting found.
As this keyserver is also suggested on [https://bitcoincore.org/en/download/](), it would be good to have a common keyserver.
ACKs for top commit:
laanwj:
ACK bd6a24307564a56d54d98331d5e1680d27ddc09e, better to be explicit here
Tree-SHA512: d4127c42490390bed4e0074ebb1f8a6cc983f96bbea0ec1da011a93bed325a7f465ed9936e4bc2ef7c4b2e4501a2868d00b67ceb7bf85f2a902db9c6173a6c61
a786c3b30639a63ded5b3b81c393d56336d34dce Slight tweak to the verify-commits script directions (Douglas Roark)
Pull request description:
Clarify that GnuPG may be used on both Linux and macOS to obtain the keys required to verify the commits.
Tree-SHA512: cec556370f03e00bbd6f585d26b360ca236cf55cb5c0996f6d950d8a98f77c92cc02f1719c8f9b9dc9eac6900eb341a13b50a012752832f39095b7e84046f2cd
45842c3d2 Improve documentation for running verify-commits.py script (Jameson Lopp)
Pull request description:
I ran into 3 different issues while trying to run the verify-commits script for the first time and I think documenting them would help save time for future developers.
1. I was trying to just run it with "python" and didn't realize I had multiple python versions installed and this script is only syntactically valid for python 3.x.
2. I needed to import the trusted keys
3. The script was hanging because it was triggering my yubikey for signature verification
Tree-SHA512: dfc7a62972ca3de528fae3c9d420c7d2d6658767a555ebbf5f4a27c04748c35ccf8bf63bfc9f264358346de0db49bfbaf2d1540793a609d81c2d9b622ee8182c
e5b2cd8e7564b9fc2ed4f63fe49efb0af60b4460 Use python instead of slow shell script on verify-commits (Chun Kuan Lee)
Pull request description:
The cron job that runs every day would fail because of git checkout a single commit, not a branch.
#12708 introduce a method to check whether merges are clean.
However, there are four merges are not clean.
So, I add a list of merges that are dirty and ignore them.
Also, I modify the current shell script to python, it makes the script speed up a lot.
The python code `tree_sha512sum` was copied from `github-merge.py`
I've re-designed this. Now we verify all the things by default.
- Add `--disable-tree-check` option, not to check SHA-512 tree
- Add `--clean-merge NUMBER` option, only verify commits after <NUMBER> days ago
Travis running time:
|option|time|
|-|-|
|verify-commits.py|[25m47.02s(1547.02s)](https://travis-ci.org/ken2812221/bitcoin/jobs/373321423)|
|verify-commits.py --disable-tree-check|[19m10.08s(1150.08s)](https://travis-ci.org/ken2812221/bitcoin/jobs/373321423)|
|verify-commits.py --clean-merge 30|[9m18.18s(558.18s)](https://travis-ci.org/ken2812221/bitcoin/jobs/373321423)|
|verify-commits.py --disable-tree-check --clean-merge 30|[1m16.51s(76.51s)](https://travis-ci.org/ken2812221/bitcoin/jobs/373321423)|
Since the cron job always fail, I've created a respository to verify this daily.
[![Build Status](https://travis-ci.org/ken2812221/bitcoin-verify-commits.svg?branch=master)](https://travis-ci.org/ken2812221/bitcoin-verify-commits)
Tree-SHA512: 476bcf707d92ed3d431ca5642e013036df1506120d3dd2aa718f74240063ce856abd78f4c948336c2a6230dfe5c60c6f2d52d19bdb52d647a1c5f838eaa02e3b
9471576 [verify-commits] Add some additional useful documentation. (Matt Corallo)
de7e931 Add Marco-expired-key-signed-commits to allow-revsig-commits (Matt Corallo)
99f6d48 Revert "test: Update trust git root". (Matt Corallo)
Pull request description:
7deba93bdc was took the wrong approach to updating verify-commits for a key expiration. Namely, adding each commit to allow-revsig-commits should have been done instead, allowing them to still be validated, but with the expired key.
Tree-SHA512: 9fdc67eda8f6daa95082f6c1a2af81beb730a9ff3f8cf930bb2311fe29b5f05e1f89259aba5f112153ca2e9c62577cf60d31b4c8e9ac1bf3f5506e78f8401378
Signed-off-by: pasta <pasta@dashboost.org>
# Conflicts:
# contrib/verify-commits/allow-revsig-commits
1e9aab0 Remove sipa's old revoked key from verify-commits (Peter Todd)
966151e Add README for verify-commits (Peter Todd)
11164ec Remove keys that are no longer used for merging (Peter Todd)
22421fa Remove pointless warning (Peter Todd)
9523e8a Make verify-commits path-independent (Matt Corallo)
f7d4a25 Make verify-commits POSIX-compliant (Matt Corallo)