[libvirt PATCH] downloads.html: Add a link to GPG key used signing releases
While the key is available on public GPG key servers, having it locally at https://libvirt.org/sources/gpg_key.asc is even better. Signed-off-by: Jiri Denemark <jdenemar@redhat.com> --- docs/downloads.html.in | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/downloads.html.in b/docs/downloads.html.in index ca14b3ecba..90a0cf7717 100644 --- a/docs/downloads.html.in +++ b/docs/downloads.html.in @@ -608,7 +608,9 @@ git clone git://libvirt.org/[module name].git</pre> on this project site are signed with a GPG signature. You should always verify the package signature before using the source to compile binary packages. The following key is currently used to generate the GPG - signatures: + signatures and it can be + <a href="https://libvirt.org/sources/gpg_key.asc">downloaded</a> from this + site or from public GPG key servers: </p> <pre> pub 4096R/10084C9C 2020-07-20 Jiří Denemark <jdenemar@redhat.com> -- 2.31.1
On Thu, 2021-04-01 at 17:36 +0200, Jiri Denemark wrote:
While the key is available on public GPG key servers, having it locally at https://libvirt.org/sources/gpg_key.asc is even better.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com> --- docs/downloads.html.in | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
I love the idea, but I would like to suggest a slightly alternative implementation of it: diff --git a/docs/downloads.html.in b/docs/downloads.html.in index ca14b3ecba..0187062cef 100644 --- a/docs/downloads.html.in +++ b/docs/downloads.html.in @@ -615,6 +615,12 @@ pub 4096R/10084C9C 2020-07-20 Jiří Denemark <jdenemar@redhat.com> Fingerprint=453B 6531 0595 5628 5547 1199 CA68 BE80 1008 4C9C </pre> + <p> + It can be downloaded from + <a href="https://libvirt.org/sources/gpg_key.asc">this site</a> or from + public GPG key servers. + </p> + <p> Releases prior to libvirt-6.6 were signed with the following GPG key: </p> What do you think? -- Andrea Bolognani / Red Hat / Virtualization
On a Thursday in 2021, Jiri Denemark wrote:
While the key is available on public GPG key servers, having it locally at https://libvirt.org/sources/gpg_key.asc is even better.
I don't remember where but I think someone was trying to find the key used to sign libvirt-glib. Also, Pavel uses his key to sign libvirt-dbus releases. We could reflect that in the naming scheme to put their keys there too. Or put all the keys in gpg_keys.asc, like GnuPG does: https://gnupg.org/signature_key.html I also noticed that we have empty folders there (csharp, go, ruby, rust) and that the 'old' release folder was not "updated" in a while.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com> --- docs/downloads.html.in | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/downloads.html.in b/docs/downloads.html.in index ca14b3ecba..90a0cf7717 100644 --- a/docs/downloads.html.in +++ b/docs/downloads.html.in @@ -608,7 +608,9 @@ git clone git://libvirt.org/[module name].git</pre> on this project site are signed with a GPG signature. You should always verify the package signature before using the source to compile binary packages. The following key is currently used to generate the GPG - signatures: + signatures and it can be + <a href="https://libvirt.org/sources/gpg_key.asc">downloaded</a> from this + site or from public GPG key servers:
Reviewed-by: Ján Tomko <jtomko@redhat.com> Jano
</p> <pre> pub 4096R/10084C9C 2020-07-20 Jiří Denemark <jdenemar@redhat.com> -- 2.31.1
On Thu, Apr 01, 2021 at 20:18:33 +0200, Ján Tomko wrote:
On a Thursday in 2021, Jiri Denemark wrote:
While the key is available on public GPG key servers, having it locally at https://libvirt.org/sources/gpg_key.asc is even better.
Oops, I completely forgot I have this patch in queue :-)
I don't remember where but I think someone was trying to find the key used to sign libvirt-glib. Also, Pavel uses his key to sign libvirt-dbus releases.
I guess such keys could be stored in the subdirectories associated with these projects. Jirka
participants (3)
-
Andrea Bolognani -
Jiri Denemark -
Ján Tomko