On 10/31/2016 09:34 AM, Michał Górny wrote:
> The major difference between a developer key and an automated key is
> that the latter is a far easier target. I think we can trust Gentoo
> developers to at least have their keys encrypted. I suppose most of
> them don't 'git log -p' the commits they sign but well, it's still
> harder to target a developer PC than a public server that most likely
> keeps its signature key unencrypted (or with cleartext password).

If you go this route it becomes more complex, as you need the private
key stored on a smartcard to avoid leakage when the secret key is handled
in memory (unencrypted properties - so I don't agree with your argument
that developers store the secret key encrypted). This is a lot better due to
process separation in gnupg 2.1, as a parsing error in gpg doesn't have
access to keys in gpg-agent, as an example, but it is mostly the wrong route
to go in the discussion.

tl;dr: A signature by a release key is valuable

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
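The smartcard point above can be checked on a signing host. The script below is an added example, not code from the thread or from Gentoo: it reads `gpg --with-colons --list-secret-keys` records and reports, for each secret key, whether the private material is on a token, in a file under the agent's key store, or missing (stub). It assumes the GnuPG 2.1+ colon format, where field 15 of a `sec`/`ssb` record is `+`, `#`, or the token serial number; the sample records and key ids are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Classify where each secret (sub)key
# lives, from `gpg --with-colons` output. In sec/ssb records field 15 is
# "+" (key file held by gpg-agent), "#" (stub, no secret material) or the
# serial number of the smartcard/token that holds the key.

# Constructed sample of `gpg --batch --with-colons --list-secret-keys`.
# Key ids, dates and the card serial are made up for the demo.
SAMPLE='sec:u:4096:1:0123456789ABCDEF:1500000000:::u:::cESCA:::+:::23::0:
fpr:::::::::AAAA0123456789ABCDEF0123456789ABCDEF0000:
ssb:u:4096:1:FEDCBA9876543210:1500000000::::::s:::D2760001240102010006012345670000:::23:
ssb:u:4096:1:1111222233334444:1500000000::::::e:::+:::23:
ssb:u:4096:1:5555666677778888:1500000000::::::a:::#:::23:'

# audit_keys: colon records on stdin -> one line per secret (sub)key:
# "<keyid> <capabilities> <where>" with where in card|file|stub.
audit_keys() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        where = "card"
        if ($15 == "+") where = "file"
        else if ($15 == "#") where = "stub"
        print $5, $12, where
    }'
}

# unprotected_keys: key ids whose private material sits in a file on the
# host, i.e. the case the thread worries about for an automated signer.
unprotected_keys() {
    audit_keys | awk '$3 == "file" { print $1 }'
}

main() {
    printf '%s\n' "$SAMPLE" | audit_keys
    n=$(printf '%s\n' "$SAMPLE" | unprotected_keys | wc -l | tr -d ' ')
    echo "secret keys held on disk rather than on a card: $n"
}

main
```

On a real host, replace the sample with `gpg --batch --with-colons --list-secret-keys | audit_keys`; a release key that the script reports as `file` is the unencrypted-on-server case Michał describes.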
