6:38 a.m.
Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com>
---
Notes:
Should we also make the key available for download?
docs/downloads.html.in | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/docs/downloads.html.in b/docs/downloads.html.in
index 43366b3694..aa0bb23d45 100644
--- a/docs/downloads.html.in
+++ b/docs/downloads.html.in
@@ -493,6 +493,20 @@
<li><a href="https://libvirt.org/sources/">libvirt.org HTTPS
server</a></li>
</ul>
+ <h2><a id="keys">Signing keys</a></h2>
+
+ <p>
+ Source RPM packages and tarballs for libvirt and libvirt-python published
+ on this project site are signed with a GPG signature. You should always
+ verify the package signature before using the source to compile binary
+ packages. The following key is currently used to generate the GPG
+ signatures:
+ </p>
+ <pre>
+pub 4096R/10084C9C 2020-07-20 Jiří Denemark &lt;jdenemar(a)redhat.com&gt;
+Fingerprint=453B 6531 0595 5628 5547 1199 CA68 BE80 1008 4C9C
+</pre>
+
<h2><a id="schedule">Primary release
schedule</a></h2>
<p>
--
2.28.0
10:28 a.m.
On Wed, Oct 14, 2020 at 01:38:41PM +0200, Jiri Denemark wrote:
Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com>
---
Notes:
Should we also make the key available for download?
Now that you've provided the fingerprint, isn't it enough for the users to
fetch it from a keyserver should they wish so?
Reviewed-by: Erik Skultety <eskultet(a)redhat.com>
11:11 a.m.
On Wed, Oct 14, 2020 at 17:28:54 +0200, Erik Skultety wrote:
On Wed, Oct 14, 2020 at 01:38:41PM +0200, Jiri Denemark wrote:
> Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com>
> ---
>
> Notes:
> Should we also make the key available for download?
Now that you've provided the fingerprint, isn't it enough for the users to
fetch it from a keyserver should they wish so?
Sure, it is enough. I just wanted to make sure I wasn't the only one who
thought so :-)
Reviewed-by: Erik Skultety <eskultet(a)redhat.com>
Pushed, thanks.
Jirka
1:34 p.m.
On 10/14/20 11:11 AM, Jiri Denemark wrote:
On Wed, Oct 14, 2020 at 17:28:54 +0200, Erik Skultety wrote:
> On Wed, Oct 14, 2020 at 01:38:41PM +0200, Jiri Denemark wrote:
>> Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com>
>> ---
>>
>> Notes:
>> Should we also make the key available for download?
>
> Now that you've provided the fingerprint, isn't it enough for the users to
> fetch it from a keyserver should they wish so?
Sure, it is enough. I just wanted to make sure I wasn't the only one who
thought so :-)
The problem is that more and more keyservers are being rendered
worthless by spam keys exploiting their append-only nature, which makes
them no longer an ideal way to get a key. I'd recommend making it
available for download here in addition to the keyservers.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
1497
days inactive
1502
days old
3 comments
3 participants
participants (3)
-
Eric Blake -
Erik Skultety -
Jiri Denemark