fix: embed Codecov PGP public key instead of fetching from Keybase #73

Merged
The Keybase endpoint https://keybase.io/codecovsecurity/pgp_keys.asc now returns "SELF-SIGNED PUBLIC KEY NOT FOUND" instead of the key, which was piped into gpg --import and broke CLI signature verification for everyone. Embed the armored Codecov Uploader public key directly in validate.sh and the built codecov.sh so verification no longer depends on Keybase, and teach package.py to preserve the PGP block verbatim during the build.

Co-authored-by: Cursor <cursoragent@cursor.com>
jason-ford-codecov approved these changes on Jun 7, 2026
Summary

https://keybase.io/codecovsecurity/pgp_keys.asc now returns the literal string `SELF-SIGNED PUBLIC KEY NOT FOUND` instead of the public key. That string was being piped into `gpg --import`, so `gpg --verify` of the CLI's `SHA256SUM` failed for every user running `codecov.sh`.

- Embed the armored Codecov Uploader public key (fingerprint `2703 4E7F DB85 0E0B BC2C 62FF 806B B28A ED77 9869`) directly in `scripts/validate.sh` and the released `dist/codecov.sh`, removing the runtime dependency on Keybase.
- Teach `package.py` to preserve the embedded PGP block verbatim during the build (it otherwise strips the required blank line and rewrites `CODECOV` → `CC`, which would corrupt the key on the next rebuild).

Notes

- `dist/codecov.sh` was edited minimally rather than regenerated, to avoid pulling in unrelated unreleased `scripts/` changes during the incident.
- `=ch7z`).

Test plan

- `gpg --no-default-keyring --import` → `key 806BB28AED779869 ... imported`, exit 0, no armor warnings.
- `python package.py` reproduces an identical, clean-importing PGP block from source.
- No `keybase` references remain in `scripts/validate.sh` or `dist/codecov.sh`.
- Bump `CODECOV_WRAPPER_VERSION` and run `make deploy` to release (follow-up).

Made with Cursor