> Looks like openssl tar balls are signed with a different PGP key for each source tar ball. For example, openssl-0.9.7b.tar.gz was signed using a key with key id E06D2CB1 and openssl-0.9.7c.tar.gz was signed with key id 49A563D9.
> My question is why not sign the released tar ball using the shared OpenSSL Team Security Key instead of a developer's key?

Because role keys suck.

> Or should the user import all developers' PGP keys to make the integrity check work?

Yes.

> I use openssl in my daily job and really love its power. However, if all the newly released tar balls can be signed with the same shared team PGP key, it will be easier for the user to do the integrity check.

http://keyman.aldigital.co.uk/ (and no, OpenSSL doesn't use it, but it should).
Cheers,
Ben.
-- http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
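As an added example (not from this thread or from OpenSSL), the following shell script shows what "import all developers' keys" has to mean in practice: gpg's "Good signature" only says that some imported key signed the tarball, so the script additionally pins the signer's primary-key fingerprint to an allowlist. The fingerprints and status lines are constructed placeholders; only the gpg `--status-fd` line format is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL. It accepts a
# release tarball only if gpg reports a valid signature AND the signer's
# primary-key fingerprint is on a pinned allowlist of developer keys.
# "Good signature" alone means some imported key signed it, which is why
# importing every developer key without pinning is not enough.

# Constructed allowlist (placeholders, NOT real OpenSSL developer keys):
# one full 40-hex-digit primary-key fingerprint per line.
ALLOWED_FPRS='0000000000000000000000000000000000000001
0000000000000000000000000000000000000002'

# signer_fingerprint STATUS_TEXT -> prints the primary-key fingerprint.
# The VALIDSIG status line ends with the primary key fingerprint (the
# signing subkey's own fingerprint is its first argument), so pinning
# the primary key still works when a developer rotates subkeys.
signer_fingerprint() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# verify_status STATUS_TEXT -> 0 only when GOODSIG is present and the
# primary-key fingerprint is allowlisted; prints the reason otherwise.
verify_status() {
    status="$1"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' \
        || { echo "rejected: gpg reported no good signature"; return 1; }
    fpr=$(signer_fingerprint "$status")
    [ -n "$fpr" ] || { echo "rejected: no VALIDSIG line"; return 1; }
    printf '%s\n' "$ALLOWED_FPRS" | grep -qx "$fpr" \
        || { echo "rejected: signer $fpr is not a pinned release key"; return 1; }
    echo "accepted: signed by pinned key $fpr"
}

# verify_tarball TARBALL SIGFILE -> runs gpg with a machine-readable status
# stream on fd 1 and applies the same policy (needs gpg and the keys imported).
verify_tarball() {
    verify_status "$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null)"
}

# Constructed sample status streams in the format gpg emits, so the policy
# can be exercised offline without gpg or real keys.
SAMPLE_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000002 Example Developer <dev@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111112 2003-09-30 1064908800 0 4 0 1 2 00 0000000000000000000000000000000000000002'
SAMPLE_UNPINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000003 Stranger <x@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111113 2003-09-30 1064908800 0 4 0 1 2 00 0000000000000000000000000000000000000003'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0000000000000002 Example Developer <dev@example.invalid>'
```

Run `verify_tarball openssl-x.y.z.tar.gz openssl-x.y.z.tar.gz.asc` after importing the developer keys; the allowlist is what turns "some key I imported signed this" into "a key I decided to trust for releases signed this".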
