Fetch signing keys from GitHub or Bintray #781
Are there any releases for which
@wyardley we've migrated to the new key about 3 years ago (mailing list announcement). 3.5.8 and early 3.6.x releases were all signed with the new key. We re-signed even legacy apt repositories on rabbitmq.com IIRC. The old key is available from Bintray. I honestly think we can consider it to be irrelevant.
@michaelklishin I have to double check - module’s default behavior actually ships 3.3.x (from the vendors’ repos) on certain platforms, tho I guess in that case it will probably be signed with the vendor’s key? I feel like there’s a reason that we have the old key imported in one or two places, but could be wrong.
Ideally the public key should be included with this module and not fetched as well.
@juniorsysadmin I agree that that's probably the most secure way. Do you have time / inclination to throw up a PR to switch it to this pattern?
@wyardley I have sadly not much time for this at the moment.
This module downloads the signing key from rabbitmq.com. Team RabbitMQ deprecated downloads from rabbitmq.com a couple of years ago (see Signatures). Why? We don't want to be distributing artifacts, there are services that do it better.
The key is available from Bintray and GitHub. Please switch to one of those locations.
The current key isn't going to be removed from rabbitmq.com but when it's time to renew, it may or may not make the cut.