On Wed, May 04, 2022 at 08:31:24AM +0200, Thomas Huth wrote:
> On 04/05/2022 02.21, Michael Roth wrote:
> > We used to have public keys listed on the SecurityProcess page back
> > when it was still part of the wiki, but they are no longer available
> > there and some users have asked where to obtain them so they can verify
> > the tarball signatures.
> >
> > That was probably not a great place for them anyway, so address this by
> > adding the public signing key directly to the download page.
> >
> > Since a compromised tarball has a high likelihood of coinciding with a
> > compromised host (in general at least), also include some information
> > so they can verify the correct signing key via stable tree git tags if
> > desired.
> >
> > Reported-by: Stefan Hajnoczi <stefa...@redhat.com>
> > Signed-off-by: Michael Roth <michael.r...@amd.com>
> > ---
> >  _download/source.html | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/_download/source.html b/_download/source.html
> > index 8671f4e..c0a55ac 100644
> > --- a/_download/source.html
> > +++ b/_download/source.html
> > @@ -23,6 +23,7 @@ make
> >  </pre>
> >  {% endfor %}
> > + <p>Source tarballs on this site are generated and signed by the package
> > maintainer using the public key <a
> > href="https://keys.openpgp.org/vks/v1/by-fingerprint/CEACC9E15534EBABB82D3FA03353C9CEF108B584">F108B584</a>.
>
> I'd maybe rather use 3353C9CEF108B584 instead of just F108B584 between the
> <a> and </a>, since short key IDs are a no-go nowadays.
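Review bot: the inserted `<p>` line shows only the 32-bit short ID `F108B584` as the visible link text while the href already carries the full fingerprint `CEACC9E15534EBABB82D3FA03353C9CEF108B584`; display the full fingerprint (or at minimum the 64-bit ID `3353C9CEF108B584`) as the link text so a reader can compare it directly against `gpg --fingerprint` output, since a 32-bit ID is too short to rule out a colliding key. Separately, the hunk as quoted here stops at `</a>.` with no closing `</p>` and none of the stable-tree git tag guidance the commit message promises; if the quote was trimmed that is fine, otherwise the added text is incomplete.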
Yes, AFAIK 32-bit key IDs are considered insecure and 64-bit should be used.

Stefan
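As an added example, not part of this thread or of the QEMU patch itself, here is a POSIX sh script doing what the commit message asks users to do: it verifies a tarball signature and pins the full fingerprint from the patch's link against gpg's machine-readable VALIDSIG status line, rather than trusting a short key ID. The tarball and signature file names, the keyserver invocation and the sample status lines are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the patch): pin the full 160-bit fingerprint of
# the QEMU tarball signing key and check it against gpg's machine-readable
# VALIDSIG status line, instead of eyeballing a short key ID in the output.
set -eu

# Fingerprint linked from the patch; short/long IDs are just its tail.
QEMU_FPR="CEACC9E15534EBABB82D3FA03353C9CEF108B584"

# 64-bit long ID = last 16 hex digits; 32-bit short ID = last 8 (collidable).
long_id()  { printf '%s\n' "${1#"${1%????????????????}"}"; }
short_id() { printf '%s\n' "${1#"${1%????????}"}"; }

# Read gpg --status-fd output on stdin; print "ok" only if a VALIDSIG line
# carries the pinned fingerprint as the signing key ($3) or primary key ($NF).
# GOODSIG lines only carry the 64-bit ID, so they are deliberately ignored.
check_validsig() {
    awk -v fpr="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { found = 1 }
        END { print (found ? "ok" : "MISMATCH") }'
}

# Full flow (needs gpg and network; file names are placeholders): fetch the key
# by fingerprint, verify the detached signature, then pin-check VALIDSIG.
verify_tarball() {
    gpg --keyserver hkps://keys.openpgp.org --recv-keys "$QEMU_FPR" >/dev/null 2>&1
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_validsig "$QEMU_FPR"
}

# Constructed status lines (not real gpg output) showing why the short ID is
# not enough: a different key whose fingerprint also ends in F108B584 is rejected.
fake="00000000000000000000000000000000F108B584"
printf '[GNUPG:] VALIDSIG %s 2022-04-19 1650360000 0 4 0 1 10 00 %s\n' \
    "$fake" "$fake" | check_validsig "$QEMU_FPR"          # MISMATCH
printf '[GNUPG:] VALIDSIG %s 2022-04-19 1650360000 0 4 0 1 10 00 %s\n' \
    "$QEMU_FPR" "$QEMU_FPR" | check_validsig "$QEMU_FPR"  # ok

# Real verification only when a tarball and its .sig are passed on the command line.
if [ $# -eq 2 ]; then verify_tarball "$1" "$2"; fi
```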