Etcd: Public GPG keys

Created on 2 Jan 2017 · 9 comments · Source: etcd-io/etcd

Would it be possible to make public the GPG keys used to sign each release so that we can automatically verify them in our tooling? I did find this after some searching, but it failed with a "signature made by unknown entity" error.

All 9 comments

We use a sub-key of the CoreOS Application Signing Key <[email protected]> to sign our releases. It might be different from the Container Linux signing keys.

@robszumski @dghubble @philips
Any thoughts?

@gyuho I think the first step is to document which key we used to sign our release in the release note?

I think the first step is to document which key we used to sign our release in the release note?

The signature already specifies which key was used to sign, so there is no need. The key is hosted on coreos.com, but we should add it to other key servers if it isn't already there.

@crawford

I did find this after some searching, but it failed with a "signature made by unknown entity" error.

This is the users' issue. There are two parts:

  1. We should avoid searching, so we should probably add a small note linking to https://coreos.com/security/image-signing-key/ to make it explicit as the first step.

  2. We should avoid the unknown entity error. As you mentioned, we should add the keys to other key servers.

I will upload our pub keys to other servers when next release happens.

Assuming the Application Signing Key works, then I'd be happy with simply documenting its existence in the project's README or as part of the notes for each release.

@dradtke We will doc it in the release note.

To clarify, I tested it again, and the image signing key fails with an error (which is expected since it's the wrong key), but the app signing key works. 👍 for linking to the app signing key in the release notes.

We now include app signing key link in our release notes.

https://github.com/coreos/etcd/releases/tag/v3.0.16

Thanks!
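The verification step this thread settles on, as an added example that is neither the etcd project's code nor any participant's: a POSIX shell script that verifies a release file against its detached armored signature using an isolated GnuPG keyring, reads the signing key ID out of the signature before the key is imported (the point made above that "the signature already specifies which key was used"), and reproduces the failure a verifier hits when the key is absent. "signature made by unknown entity" is the wording of Go's openpgp library; GnuPG reports the same condition as NO_PUBKEY. Assumptions: GnuPG 2.x (gpg and gpgconf) is installed; the signing key, its user ID, the "release" file and the signature are all generated here as constructed sample data, not the real CoreOS key or a real etcd artifact.

```shell
#!/bin/sh
# Added example, not etcd project code: verify a release tarball against its
# detached GPG signature with an isolated keyring, and read the signing key ID
# out of the signature itself before that key is imported.
# Assumes GnuPG 2.x (gpg, gpgconf) is on PATH. The signing key, the "release"
# file and its signature are constructed here as sample data; for a real
# release, import the key linked from the release notes and point the
# functions at the downloaded tarball and its .asc file.
set -eu

# verify_release RELEASE SIG KEYRING_DIR [EXPECTED_KEYID]
# Returns 0 for a good signature by a key in KEYRING_DIR (and, if given, by
#           EXPECTED_KEYID specifically),
#         2 when the signing key is not in the keyring (GnuPG's NO_PUBKEY; the
#           same situation the thread's "unknown entity" error reports),
#         1 for anything else, including BADSIG on a modified file.
verify_release() {
    expect=${4:-}
    status=$(gpg --batch --homedir "$3" --status-fd 1 --verify "$2" "$1" 2>/dev/null || true)
    case "$status" in
        *"[GNUPG:] GOODSIG ${expect:+$expect }"*) return 0 ;;
        *"[GNUPG:] NO_PUBKEY "*)                  return 2 ;;
        *)                                        return 1 ;;
    esac
}

# signing_keyid SIG KEYRING_DIR: print the long key ID recorded in the
# signature packet. No key material is needed, which is what the thread means
# by "the signature already specifies which key was used".
signing_keyid() {
    gpg --batch --homedir "$2" --list-packets "$1" 2>/dev/null \
        | sed -n 's/.*keyid \([0-9A-Fa-f]\{16\}\).*/\1/p' | head -n 1
}

# key_in_keyring KEYID KEYRING_DIR: succeed if KEYID is a primary key or a
# subkey in KEYRING_DIR (etcd signs with a subkey, so both must be checked).
key_in_keyring() {
    gpg --batch --homedir "$2" --list-keys --with-colons 2>/dev/null \
        | awk -F: -v id="$1" '($1=="pub" || $1=="sub") && $5==id {found=1} END {exit !found}'
}

# run_demo: create a throwaway signing key, sign a constructed release, then
# verify from an empty keyring, after importing the key, and after tampering.
# Prints "<keyid> <known> <unknown> <good> <tampered>".
run_demo() {
    work=$(mktemp -d)
    signer="$work/signer"; verifier="$work/verifier"
    mkdir -m 700 "$signer" "$verifier"
    trap 'gpgconf --homedir "$signer" --kill gpg-agent >/dev/null 2>&1 || true;
          gpgconf --homedir "$verifier" --kill gpg-agent >/dev/null 2>&1 || true;
          rm -rf "$work"' EXIT

    # Constructed stand-in for the project's application signing key.
    gpg --batch --homedir "$signer" --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Application Signing Key <release@example.com>' \
        default default never 2>/dev/null
    gpg --batch --homedir "$signer" --armor --export > "$work/app-signing-key.asc" 2>/dev/null

    # Constructed "release" and the detached armored signature a release page ships.
    printf 'stand-in for an etcd release tarball\n' > "$work/release.tar.gz"
    gpg --batch --homedir "$signer" --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$work/release.tar.gz.asc" "$work/release.tar.gz" 2>/dev/null

    release="$work/release.tar.gz"; sig="$work/release.tar.gz.asc"

    # 1. Which key signed? Readable from the signature alone.
    keyid=$(signing_keyid "$sig" "$verifier")
    known=0; key_in_keyring "$keyid" "$signer" && known=1

    # 2. Empty keyring: the key is unknown, so verification cannot succeed.
    unknown=0; verify_release "$release" "$sig" "$verifier" || unknown=$?

    # 3. Import the published key and pin the ID you expect, then verify again.
    gpg --batch --homedir "$verifier" --import "$work/app-signing-key.asc" 2>/dev/null
    good=0; verify_release "$release" "$sig" "$verifier" "$keyid" || good=$?

    # 4. Any change to the artifact turns GOODSIG into BADSIG.
    printf 'tampered\n' >> "$release"
    tampered=0; verify_release "$release" "$sig" "$verifier" "$keyid" || tampered=$?

    echo "$keyid $known $unknown $good $tampered"
}

if command -v gpg >/dev/null 2>&1; then
    run_demo      # expected: "<16 hex digits> 1 2 0 1"
else
    echo "gpg not found; nothing to verify" >&2
fi
```

For a real release, replace the constructed files with the downloaded tarball and its .asc, import the key from the link in the release notes into a dedicated keyring, and pass the key ID you expect as the fourth argument: GOODSIG on its own only proves that some key in the keyring produced the signature, so pinning the published key ID (or, better, checking the full fingerprint against the one on coreos.com) is what turns "a valid signature" into "a signature by the project".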
