Hi,

> These appear in only one place, on the coreboot.org Downloads page, and
> are signed with the key:
>
> D861AB74FB933260193399696B249D77269C04E1
>
> The only problem is there is apparently no mention of the signing key
> anywhere else on the coreboot website. I usually look for some explicit,
> official reference (preferably in multiple contexts) to a person or
> org's key ID before downloading it from a keyserver. Taking the key ID
> from an object signature doesn't satisfy that requirement.

For whatever it's worth: that's my key (for my non-corporate email
addresses) and I'm the legit (and, to my knowledge, only) holder of its
private key.

I guess I could add it to the site but then again that's the same
server as the one you're downloading the archive and signature from, so
if somebody manages to tamper with the archive they could also put
their own key there.
I'll make sure to get a few signatures onto the key so it's hooked up
with the web of trust, but that won't happen very soon.


Patrick


--
Google Germany GmbH, ABC-Str. 19, 20354 Hamburg
Registration court and number: Hamburg, HRB 86891, Registered office: Hamburg
Managing directors: Paul Manicle, Halimah DeLaine Prado
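
Added example (not part of the original message and not coreboot's own tooling): because a key published next to the archive gives no independent assurance, a downloader can pin the fingerprint once it has been confirmed through another channel, then require that gpg's machine-readable status names exactly that key. The sample status lines and the second fingerprint are constructed, and the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Fingerprint quoted in this thread; confirm it out-of-band before pinning it.
EXPECTED_FPR="D861AB74FB933260193399696B249D77269C04E1"

# Reads `gpg --status-fd 1 --verify SIG FILE` output on stdin. Succeeds only if
# a VALIDSIG line ends in the pinned primary-key fingerprint and gpg reported
# no bad, unverifiable, expired-key or revoked-key signature. Fails closed.
signed_by_pinned_key() {
    want=$1 matched=no rejected=no
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) rejected=yes ;;
            VALIDSIG)
                # In GnuPG's status format the last VALIDSIG field is the
                # primary key's fingerprint, also when a subkey signed.
                if [ "${rest##* }" = "$want" ]; then matched=yes; fi ;;
        esac
    done
    [ "$matched" = yes ] && [ "$rejected" = no ]
}

# Constructed status output: a good signature from the pinned key.
sample_pinned() {
    printf '%s\n' \
      "[GNUPG:] GOODSIG 6B249D77269C04E1 Constructed Signer" \
      "[GNUPG:] VALIDSIG $EXPECTED_FPR 2020-01-01 1577836800 0 4 0 1 8 00 $EXPECTED_FPR"
}

# Constructed status output: cryptographically valid, but made by another key
# (for instance one fetched by the key ID found in a replaced signature).
sample_other_key() {
    other=0123456789ABCDEF0123456789ABCDEF01234567   # constructed fingerprint
    printf '%s\n' \
      "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Other Signer" \
      "[GNUPG:] VALIDSIG $other 2020-01-01 1577836800 0 4 0 1 8 00 $other"
}

# Usage with placeholder file names:
#   gpg --batch --status-fd 1 --verify ARCHIVE.sig ARCHIVE 2>/dev/null \
#     | signed_by_pinned_key "$EXPECTED_FPR" && echo "signed by pinned key"
```

A plain `gpg --verify` reports a good signature for both samples; only the fingerprint comparison tells them apart.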