[libvirt PATCH] docs: Mention GPG key used for signing releases

Signed-off-by: Jiri Denemark <jdenemar@redhat.com> --- Notes: Should we also make the key available for download? docs/downloads.html.in | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/downloads.html.in b/docs/downloads.html.in index 43366b3694..aa0bb23d45 100644 --- a/docs/downloads.html.in +++ b/docs/downloads.html.in @@ -493,6 +493,20 @@ <li><a href="https://libvirt.org/sources/">libvirt.org HTTPS server</a></li> </ul> + <h2><a id="keys">Signing keys</a></h2> + + <p> + Source RPM packages and tarballs for libvirt and libvirt-python published + on this project site are signed with a GPG signature. You should always + verify the package signature before using the source to compile binary + packages. The following key is currently used to generate the GPG + signatures: + </p> + <pre> +pub 4096R/10084C9C 2020-07-20 Jiří Denemark <jdenemar@redhat.com> +Fingerprint=453B 6531 0595 5628 5547 1199 CA68 BE80 1008 4C9C +</pre> + <h2><a id="schedule">Primary release schedule</a></h2> <p> -- 2.28.0
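Review bot: In the added `<pre>` block, the `pub` line identifies the key by the 8-digit short ID `10084C9C`, and the paragraph above it tells readers to "always verify the package signature" without saying where to obtain the key or that the full fingerprint is the value to compare. Consider adding a sentence stating that a key should be accepted only if its fingerprint matches the `Fingerprint=` line, plus either a link to the key file or a named source for it, which is the open question in the Notes. Also confirm that `<jdenemar@redhat.com>` inside `<pre>` is entity-escaped in docs/downloads.html.in, since it shows as raw angle brackets here.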

On Wed, Oct 14, 2020 at 01:38:41PM +0200, Jiri Denemark wrote:
> Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
> ---
> Notes: Should we also make the key available for download?

Now that you've provided the fingerprint, isn't it enough for the users to fetch it from a keyserver should they wish so?

Reviewed-by: Erik Skultety <eskultet@redhat.com>

On Wed, Oct 14, 2020 at 17:28:54 +0200, Erik Skultety wrote:
> On Wed, Oct 14, 2020 at 01:38:41PM +0200, Jiri Denemark wrote:
> > Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
> > ---
> > Notes: Should we also make the key available for download?
>
> Now that you've provided the fingerprint, isn't it enough for the users to fetch it from a keyserver should they wish so?

Sure, it is enough. I just wanted to make sure I wasn't the only one who thought so :-)

> Reviewed-by: Erik Skultety <eskultet@redhat.com>

Pushed, thanks.

Jirka

On 10/14/20 11:11 AM, Jiri Denemark wrote:
> On Wed, Oct 14, 2020 at 17:28:54 +0200, Erik Skultety wrote:
> > On Wed, Oct 14, 2020 at 01:38:41PM +0200, Jiri Denemark wrote:
> > > Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
> > > ---
> > > Notes: Should we also make the key available for download?
> >
> > Now that you've provided the fingerprint, isn't it enough for the users to fetch it from a keyserver should they wish so?
>
> Sure, it is enough. I just wanted to make sure I wasn't the only one who thought so :-)

The problem is that more and more keyservers are being rendered worthless by spam keys exploiting their append-only nature, which makes them no longer an ideal way to get a key. I'd recommend making it available for download here in addition to the keyservers.

--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
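The check this thread turns on, as an added example (not part of the patch, the replies, or libvirt's tooling): whether the key came from a keyserver or a download, accept a release only if gpg reports a valid signature whose primary-key fingerprint equals the one quoted in the patch. The function names, the placeholder file arguments, and the policy of rejecting expired or revoked-key statuses are assumptions of this example.

```shell
#!/bin/sh
# Added example; not libvirt code. Function names are hypothetical.
# Full primary-key fingerprint as printed in the patch's <pre> block.
PINNED_FPR="453B 6531 0595 5628 5547 1199 CA68 BE80 1008 4C9C"

# Strip whitespace and upper-case, so the spaced form above can be compared
# with the 40-hex-digit form gpg prints on its status channel.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd` output on stdin. Succeed only if some VALIDSIG line
# names the pinned key as primary key (field 12; field 3 may be a signing
# subkey) and no failure status is present. Matching on the short key ID or
# on the user ID is deliberately not done: neither identifies a key uniquely.
status_matches_pin() {
    want=$(normalize_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # Policy assumed here: any bad, expired or revoked status fails the check.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # A VALIDSIG line without the primary-key field fails closed.
        $2 == "VALIDSIG" && NF >= 12 && toupper($12) == want { ok = 1 }
        END { exit !(ok && !bad) }'
}

# Usage: verify_release SIGNATURE_FILE SIGNED_FILE (both paths are placeholders).
# Status lines go to stdout (fd 1); gpg's human-readable text stays on stderr.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_matches_pin "$PINNED_FPR"
}
```

Because the decision rests on the fingerprint alone, a look-alike key with the same name or short ID picked up from a polluted keyserver fails the check.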
participants (3)
- Eric Blake
- Erik Skultety
- Jiri Denemark