[PATCH 0/2] downloads: Establish handover of signing releases to Jirka

Peter Krempa (2):
  docs: downloads: Move 'signatures' section to the end of the document
  docs: downloads: Establish handover of package signing

 docs/downloads.html.in | 64 +++++++++++++++++++++++++++++++++---------
 1 file changed, 50 insertions(+), 14 deletions(-)

--
2.29.2

Keep the more important stuff outlining how to get to the sources first since the 'signatures' section will be extended. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/downloads.html.in | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/docs/downloads.html.in b/docs/downloads.html.in index aa0bb23d45..f3152d7557 100644 --- a/docs/downloads.html.in +++ b/docs/downloads.html.in @@ -493,20 +493,6 @@ <li><a href="https://libvirt.org/sources/">libvirt.org HTTPS server</a></li> </ul> - <h2><a id="keys">Signing keys</a></h2> - - <p> - Source RPM packages and tarballs for libvirt and libvirt-python published - on this project site are signed with a GPG signature. You should always - verify the package signature before using the source to compile binary - packages. The following key is currently used to generate the GPG - signatures: - </p> - <pre> -pub 4096R/10084C9C 2020-07-20 Jiří Denemark <jdenemar@redhat.com> -Fingerprint=453B 6531 0595 5628 5547 1199 CA68 BE80 1008 4C9C -</pre> - <h2><a id="schedule">Primary release schedule</a></h2> <p> @@ -615,5 +601,19 @@ git clone git://libvirt.org/[module name].git</pre> <a href="https://github.com/libvirt/">https://github.com/libvirt/</a> <a href="https://gitlab.com/libvirt/libvirt">https://gitlab.com/libvirt/</a></pre> + <h2><a id="keys">Signing keys</a></h2> + + <p> + Source RPM packages and tarballs for libvirt and libvirt-python published + on this project site are signed with a GPG signature. You should always + verify the package signature before using the source to compile binary + packages. The following key is currently used to generate the GPG + signatures: + </p> + <pre> +pub 4096R/10084C9C 2020-07-20 Jiří Denemark <jdenemar@redhat.com> +Fingerprint=453B 6531 0595 5628 5547 1199 CA68 BE80 1008 4C9C +</pre> + </body> </html> -- 2.29.2
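Review bot: In the second hunk (@@ -615,5 +601,19 @@) the paragraph "You should always verify the package signature before using the source" now lands at the very end of the page, after the git mirror list, while the download links it applies to stay near the top (the list ending in "libvirt.org HTTPS server" in the first hunk). Consider adding a one-line pointer to #keys next to that download list so the verification advice is still seen where the tarballs are fetched. Keeping the id="keys" anchor unchanged is the right call, since existing links to the section keep working.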

Starting from libvirt-6.6 the releases are done by Jirka. Add a formal statement from DV handing over the signature. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/downloads.html.in | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/docs/downloads.html.in b/docs/downloads.html.in index f3152d7557..ca14b3ecba 100644 --- a/docs/downloads.html.in +++ b/docs/downloads.html.in @@ -615,5 +615,41 @@ pub 4096R/10084C9C 2020-07-20 Jiří Denemark <jdenemar@redhat.com> Fingerprint=453B 6531 0595 5628 5547 1199 CA68 BE80 1008 4C9C </pre> + <p> + Releases prior to libvirt-6.6 were signed with the following GPG key: + </p> + + <pre> +pub dsa1024 2000-05-31 [SC] +C744 15BA 7C9C 7F78 F02E 1DC3 4606 B8A5 DE95 BC1F +uid [ unknown] Daniel Veillard (Red Hat work email) <veillard@redhat.com> +uid [ unknown] Daniel Veillard <Daniel.Veillard@w3.org> + </pre> + + <pre> +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +Starting from libvirt-6.6.0 the upstream releases will be done by Jiří Denemark +signed with his PGP key: + +pub 4096R/10084C9C 2020-07-20 Jiří Denemark <jdenemar@redhat.com> +Fingerprint=453B 6531 0595 5628 5547 1199 CA68 BE80 1008 4C9C + +This message is signed by the old signing key which was used for previous +releases. +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCAAdFiEE20ZoG7ka3OoXD6LUFViLJllr6l0FAl/8H9cACgkQFViLJllr +6l3iVwgAm9n703/QoIfPbxT5qGQzWK6LNriEcG2R9MLgFcW+UuGA9cqIBLhH1RaJ +q7Gc3gK0dgE2HAF6DxuG5+nkDY6LdmonLOVFWQkMCh41JHFrV6tw8y9hc/RNOb/m +gFAl4HpwYisjTRvsTRcpR3ElK6lI0Yu4GY4gJxj5qH4L5exR+kkylwuAxqP+wuyY +b/L/tP76F4+Q9SSPj0M01NRVC7V8m3yvnok5y374vtxvRFome0WMELn81vphxBLx +X7LQ1LyjvRs0HhN5MutJES5FYDzArTYZfZJozJgE465XrHxMMCbXbZ/AgAs/aD+5 +x+m2mFplbS57tMEoMBP/ezbbL5wpvA== +=KnaO +-----END PGP SIGNATURE----- + </pre> + </body> </html> -- 2.29.2
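Review bot: The old-key block added here lists only the primary key (pub dsa1024 2000-05-31, fingerprint C744 15BA 7C9C 7F78 F02E 1DC3 4606 B8A5 DE95 BC1F), but the gpg output quoted in the review reply on this thread reports the handover message as made "using RSA key DB46681BB91ADCEA170FA2D415588B26596BEA5D", a fingerprint that appears nowhere in the document. A reader who verifies the message as the page advises cannot tie what gpg prints to what the page lists; if that RSA key is a signing subkey of the listed key, add its sub line and fingerprint to the same pre block. The "uid [ unknown]" validity markers come from the local keyring of whoever produced the listing and can be dropped. It would also help to publish the clearsigned statement as a separate file, since text copied out of a rendered page can pick up changes that make the signature fail.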

On a Monday in 2021, Peter Krempa wrote:
Peter Krempa (2):
  docs: downloads: Move 'signatures' section to the end of the document
  docs: downloads: Establish handover of package signing

 docs/downloads.html.in | 64 +++++++++++++++++++++++++++++++++---------
 1 file changed, 50 insertions(+), 14 deletions(-)
gpg: Signature made Mon 11 Jan 2021 10:52:23 AM CET
gpg:                using RSA key DB46681BB91ADCEA170FA2D415588B26596BEA5D
gpg: Good signature from "Daniel Veillard (Red Hat work email) <veillard@redhat.com>" [unknown]
gpg:                 aka "Daniel Veillard <Daniel.Veillard@w3.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

LGTM

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano

On Mon, Jan 11, 2021 at 11:17:35 +0100, Peter Krempa wrote:
Peter Krempa (2):
  docs: downloads: Move 'signatures' section to the end of the document
  docs: downloads: Establish handover of package signing

 docs/downloads.html.in | 64 +++++++++++++++++++++++++++++++++---------
 1 file changed, 50 insertions(+), 14 deletions(-)

You can browse the resulting document here: https://pipo.sk.gitlab.io/-/libvirt/-/jobs/954785952/artifacts/website/downl...