mozilla-services/product-delivery-team-pubkeys

Name: product-delivery-team-pubkeys

Owner: Mozilla Services

Description: SSH public keys for the full time Frenchies Cloud Services group at Mozilla

Created: 2015-11-03 09:40:46.0

Updated: 2017-07-20 09:02:11.0

Pushed: 2017-11-07 19:33:03.0

Homepage: null

Size: 39

Language: null


README

WARNING

Never, ever just clone this repo and trust the pubkeys! Use the GPG signature to validate it first!

GPG Key information

How to verify a key

$ gpg --keyserver keys.mozilla.org --recv-keys 2EFAB48B
$ gpg --verify rhubscher.sig rhubscher.pub

The problem we try to solve

The storage team builds test/dev tools using one-off AWS instances. Some of these tools become indispensable, yet don't warrant being monitored and managed by ops.

In the past, tools have broken down while their creators were on vacation or unavailable, leading to bummer-times for everybody involved: either sshing into a box while on PTO, or the tool just being borked for days.

The solution

This repo contains public keys for the storage team crew.

If toolmakers upload their fellow devs' pubkeys to a long-lived awsbox, anybody can reboot or troubleshoot a downed machine when its creator is out on vacation.

Yay vacation.

How to use

Only use the pubkeys verified with the storage team public key.

$ gpg --verify rhubscher.sig rhubscher.pub

When to use

If you create a tool on an awsbox that someone might need to maintain while you're away, then you can upload the storage-team-pubkeys to that awsbox and relax.

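$ for file in *.sig; do gpg --verify "${file}" "${file%.sig}.pub" || break; done
$ cat *.pub > ~/.ssh/authorized_keys

Run the second command only if every signature verified; it overwrites any existing ~/.ssh/authorized_keys.
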
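
A stricter form of the verify-then-install steps above, as an added example that is not part of the original README: every signature must come from one pinned key, and the destination file is left untouched on any failure. `TEAM_FPR`, `status_is_trusted`, `verify_sig` and `build_authorized_keys` are names assumed for this example, and the fingerprint value is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not the repository's own tooling.
# TEAM_FPR is a placeholder: the page gives only the short key ID 2EFAB48B,
# so the full fingerprint has to be obtained and checked out of band.
TEAM_FPR="${TEAM_FPR:-REPLACE_WITH_FULL_TEAM_KEY_FINGERPRINT}"

# Reads `gpg --status-fd` output on stdin. Succeeds only when gpg reported
# GOODSIG (not BADSIG/EXPKEYSIG/REVKEYSIG) and a VALIDSIG line names the
# expected fingerprint as signing key (field 3) or primary key (last field).
status_is_trusted() {
    awk -v f="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == f || $NF == f) { valid = 1 }
        END { exit !(good && valid) }'
}

# Verifies one detached signature against the pinned team key, rather than
# accepting a good signature from any key that happens to be in the keyring.
verify_sig() {  # usage: verify_sig key.sig key.pub
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_is_trusted "$TEAM_FPR"
}

# Builds DEST from the *.pub files in DIR. A .pub with a missing or invalid
# .sig aborts the whole run, and DEST is only replaced after all keys pass.
build_authorized_keys() {  # usage: build_authorized_keys DIR DEST
    local dir="$1" dest="$2" tmp pub sig
    tmp="$(mktemp "${dest}.XXXXXX")" || return 1
    for pub in "$dir"/*.pub; do
        [ -e "$pub" ] || { echo "no .pub files in $dir" >&2; rm -f "$tmp"; return 1; }
        sig="${pub%.pub}.sig"
        if [ ! -f "$sig" ] || ! verify_sig "$sig" "$pub"; then
            echo "REJECTED: $pub (missing or invalid signature)" >&2
            rm -f "$tmp"
            return 1
        fi
        cat "$pub" >> "$tmp"
    done
    chmod 600 "$tmp" && mv "$tmp" "$dest"
}

# Example call from a checkout of the repository:
#   TEAM_FPR=<full fingerprint> build_authorized_keys . ~/.ssh/authorized_keys
```

Unlike the plain loop, a `.pub` file that has no matching `.sig` is rejected here instead of being silently concatenated.
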
How to update with new keys

File a pull request to this repository and send an email with the sha384sum of your key to storage-team@mozilla.com

Someone will validate the sha384sum and sign your public key with the storage-team GPG key before merging your pull-request.

We trust GitHub and git because you can't modify the keys without re-signing them with the right GPG key.

How to sign the key

You first need the storage team secret key and password.

Then you can run:

$ gpg --default-key 0x2EFAB48B -o rhubscher.sig --detach-sign rhubscher.pub
