https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5924
Summary: key infrastructure for sa-update is not properly specified
Product: Spamassassin
Version: 3.2.4
Platform: Other
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sa-update
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
In SA 3.2.2, the SA Release Team key was used to sign SA rules updates. In SA
3.2.4, this seems to no longer be true, and/or the key and signature checking
by more recent versions of GnuPG could have become stricter. In any case,
running sa-update with the newer version fails due to an invalid signature.
The man page for sa-update mentions that the rule updates are signed by the SA
Release Team's key, but the corresponding wiki page specifies a different key.
It would be imho very much desirable to have some way to learn, and distribute,
authorized keys, so users (like me) can learn that this or that key is indeed
sanctioned to sign the rule update (or at least, rule updates done by the SA
Release Team). Currently, no such thing appears to be available.
I'd like to see something similar to the "Debian Keyring", but for works of
the SpamAssassin project, so I can adapt to e.g. changing group members by
upgrading my keyring package in a secure way. Simply going to the wiki and
using cut & paste on the keys mentioned there does not carry the same amount of
confidence.
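The gap the report describes is that a signature can verify cleanly and still say nothing about whether the signer is sanctioned to publish rule updates. The following is an added example (not sa-update's own code, and not the SpamAssassin project's) of the second check a consumer of signed updates needs: it parses the machine-readable status lines GnuPG emits with --status-fd and accepts an update only when the signature verified and the full fingerprint from VALIDSIG is on an explicit allowlist of authorized update signers. Every fingerprint, key id, user id and status transcript below is constructed for illustration; the real SpamAssassin keys are not shown, and the allowlist name AUTHORIZED_FINGERPRINTS is an assumption of this example.

```python
"""Decide whether a rules update is signed by a sanctioned key.

Added example for this bug report; it is not sa-update's own code. It parses the
status lines GnuPG emits with --status-fd and accepts an update only if (a) the
signature verified and (b) the signer's fingerprint is in an explicit allowlist,
which is the "which key is authorized?" check the report asks for. All
fingerprints, key ids and status transcripts below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Set

# Constructed placeholder fingerprint; the real SpamAssassin keys are not shown here.
AUTHORIZED_FINGERPRINTS: Set[str] = {
    "0123456789ABCDEF0123456789ABCDEF01234567",  # hypothetical "release team" key
}

_STATUS_LINE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def evaluate_status(status_output: str,
                    authorized: Set[str] = AUTHORIZED_FINGERPRINTS) -> Verdict:
    """Walk gpg's status lines and return an accept/reject verdict.

    GOODSIG only carries a short key id, which is not enough to identify a key;
    VALIDSIG carries the full fingerprint of the signing key and, as its tenth
    field, the primary key fingerprint. Either may be the one on the allowlist.
    """
    failure: Optional[str] = None
    candidates: Set[str] = set()
    for raw in status_output.splitlines():
        m = _STATUS_LINE.match(raw.strip())
        if not m:
            continue  # ignore anything that is not a status line
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword == "BADSIG":
            failure = "signature does not match the data (BADSIG)"
        elif keyword in ("EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
            failure = f"signature made with an expired or revoked key ({keyword})"
        elif keyword == "ERRSIG" and failure is None:
            failure = "signature could not be checked (ERRSIG)"
        elif keyword == "NO_PUBKEY":
            # More specific than the ERRSIG that precedes it, so it overrides.
            failure = f"signing key {args[0]} is not in the keyring (NO_PUBKEY)"
        elif keyword == "VALIDSIG" and args:
            candidates.add(args[0].upper())        # signing (sub)key fingerprint
            if len(args) >= 10:
                candidates.add(args[9].upper())    # primary key fingerprint
    if failure is not None:
        return Verdict(False, failure)
    if not candidates:
        return Verdict(False, "no VALIDSIG line: nothing was verified")
    sanctioned = candidates & {f.upper() for f in authorized}
    if not sanctioned:
        return Verdict(False, "signature is valid but the key is not a sanctioned "
                              f"update signer: {sorted(candidates)}")
    return Verdict(True, "valid signature from a sanctioned key", min(sanctioned))


# Constructed transcripts for the four cases a verifier must tell apart.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Hypothetical Release Team <team@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2008-05-01 1209600000 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_UNSANCTIONED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Some Other Developer <dev@example.com>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2008-05-01 1209600000 0 4 0 17 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
"""
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Hypothetical Release Team <team@example.com>
"""
SAMPLE_NOKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FEDCBA9876543210 17 2 00 1209600000 9
[GNUPG:] NO_PUBKEY FEDCBA9876543210
"""

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("unsanctioned", SAMPLE_UNSANCTIONED),
                         ("bad", SAMPLE_BAD), ("nokey", SAMPLE_NOKEY)]:
        print(name, evaluate_status(sample))
```

In practice the transcript would come from running `gpg --status-fd 1 --verify update.asc update.tar.gz` against a dedicated keyring and capturing standard output. The point of the second case is the one the report raises: a signature from a key that is in the keyring and verifies correctly is still rejected unless that key is on the maintained list of sanctioned update signers, so a key pasted from a wiki page gains nothing until it is added to that list through a trusted channel.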