We take all security reports seriously. When we receive such reports, we will investigate and subsequently address any potential vulnerabilities as quickly as possible. If you discover a potential security issue in this project, please notify AWS/Amazon Security via our vulnerability reporting page or directly via email to AWS Security. Please do not create a public GitHub issue in this project.
Select the "Copy" icon to copy the following key:
You can verify the authenticity of the release artifacts using the gpg command line tool.
1. Download the desired release artifacts from the GitHub releases page. Make sure to download the corresponding PGP signature file (ending with .sig) as well. For example, if you would like to verify your download of the wheel for version x.x.x, you should have the following files downloaded:

       openjd_<package>-x.x.x-py3-none-any.whl
       openjd_<package>-x.x.x-py3-none-any.whl.sig

2. Install the gpg command line tool. The installation process varies by operating system. Please refer to the GnuPG website for instructions: https://gnupg.org/download/

3. Save the OpenPGP key from the OpenPGP Keys for Open Job Description section above to a file called openjobdescription-pgp.asc.

4. Import the OpenPGP key for Open Job Description by running the following command:

       gpg --import --armor openjobdescription-pgp.asc

   Response:

       gpg: key ################: public key "Open Job Description <[email protected]>" imported

5. Determine whether to trust the OpenPGP key. Some factors to consider when deciding whether or not to trust the above key are:

   - The internet connection you’ve used to obtain the GPG key from this website is secure
   - The device that you are accessing this website on is secure

   If you have decided to trust the OpenPGP key, then edit the key to trust with gpg like the following example:

       $ gpg --edit-key **<replace with 16 character key from step 4>**
       gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
       This is free software: you are free to change and redistribute it.
       There is NO WARRANTY, to the extent permitted by law.

       pub  4096R/BCC40987  created: 2024-02-09  expires: 2026-02-08  usage: SCEA
                            trust: unknown       validity: unknown
       [ unknown] (1). Open Job Description <[email protected]>

       gpg> trust
       pub  4096R/BCC40987  created: 2024-02-09  expires: 2026-02-08  usage: SCEA
                            trust: unknown       validity: unknown
       [ unknown] (1). Open Job Description <[email protected]>

       Please decide how far you trust this user to correctly verify other users' keys
       (by looking at passports, checking fingerprints from different sources, etc.)

         1 = I don't know or won't say
         2 = I do NOT trust
         3 = I trust marginally
         4 = I trust fully
         5 = I trust ultimately
         m = back to the main menu

       Your decision? 5
       Do you really want to set this key to ultimate trust? (y/N) y

       pub  4096R/BCC40987  created: 2024-02-09  expires: 2026-02-08  usage: SCEA
                            trust: ultimate      validity: unknown
       [ unknown] (1). Open Job Description <[email protected]>
       Please note that the shown key validity is not necessarily correct
       unless you restart the program.

       gpg> quit

6. Verify the signature of the Open Job Description release via gpg --verify. The command for verifying the example files from step 1 would be:

       gpg --verify ./openjd_<package>-x.x.x-py3-none-any.whl.sig ./openjd_<package>-x.x.x-py3-none-any.whl
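
The import and verify steps above as one script, added here as an example and not part of the Open Job Description project: it imports the key into a throwaway keyring and accepts the artifact only when gpg's machine-readable status output names a pinned fingerprint, a swapped-in alternative to setting ownertrust in your own keyring. `EXPECTED_FPR`, `check_status` and `verify_release` are names chosen for this example, and the fingerprint value is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not the Open Job Description project's own tooling.
# Assumption: EXPECTED_FPR is the full 40-hex-digit fingerprint of the key you
# decided to trust in step 5. The value below is a placeholder, not a real key.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# check_status FPR
# Reads `gpg --status-fd` lines on stdin. Succeeds only when a VALIDSIG line
# names FPR as the signing key (field 3) or its primary key (last field) and
# gpg reported no bad, unverifiable, expired or revoked signature or key.
check_status() {
  awk -v want="$1" '
    BEGIN { want = toupper(want) }
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { good = 1 }
    END { exit !(good && !bad) }
  '
}

# verify_release ARTIFACT SIGNATURE KEYFILE FPR
# Steps 4 and 6 in a throwaway keyring, so nothing is added to your own keyring
# and no ownertrust is set; the decision rests on the pinned fingerprint.
verify_release() {
  local artifact="$1" sig="$2" key="$3" fpr="$4" home rc
  home="$(mktemp -d)" || return 2
  chmod 700 "$home"
  gpg --homedir "$home" --batch --quiet --import "$key" 2>/dev/null
  gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$artifact" \
    2>/dev/null | check_status "$fpr"
  rc=$?
  rm -rf "$home"
  return "$rc"
}

# Run only when called with: ARTIFACT SIGNATURE KEYFILE
if [ "$#" -eq 3 ]; then
  if verify_release "$1" "$2" "$3" "$EXPECTED_FPR"; then
    echo "OK: signature made by $EXPECTED_FPR"
  else
    echo "FAIL: do not install $1" >&2
    exit 1
  fi
fi
```

Compare the fingerprint you pin against a copy obtained over a separate channel from the key file itself; a short key ID such as the 8-character one shown in the session above is not enough to identify a key.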