On https://jami.net/download-jami-linux/ you can directly see the key
used to sign packages (A295D773307D25A33AE72F2F64CD5FA175348F84)
For fedora:
AmarOk@localhost ~ rpm -qpi
~/Downloads/ring-20190215.1.07c9194-1.fc29.x86_64.rpm | grep Signature
Signature : RSA/SHA512, Fri 15 Feb 2019 08:09:10 PM EST, Key ID
64cd5fa175348f84
On 2/24/19 7:52 AM, amuza wrote:
amuza:
Hi,
I have not found your OpenPGP keys or signed packages at jami.org
Maybe they are there and I have not found them. Please let me know if
you gpg-sign your packages.
Thank you!
As I got no answer, I guess you don't sign your packages.
But, if that's the case, why?
It would be good for every Jami user to have a public key we can always
trust when verifying a Jami package. Wouldn't it?
That is a very common thing, specially for this kind of software. Not
having it can make existing and potential new Jami users feel suspicious
or less secure.
Of course we users would need to trust the signer, maybe by trusting
some other signature in their key, but that's a complete different story.
