Thanks for asking this question. My GPG verification example had a fatal
flaw in that I used the key hash which was reported to be used to do the
signing to retrieve the key. It would be extremely challenging to create a
different key with the same hash, but unless the signing hash is included
in the release announcement, then the sig file could have been fabricated
by anyone.

It seems necessary to at least include the signing hash in the release
announcement, and ideally an independent way to retrieve the key such as
from Even's web site, or from the repository at Gitlab.

Bob

On Tue, Oct 7, 2025, 3:11 PM Steve Jorgensen via Tiff <[email protected]>
wrote:

> The downloads at https://download.osgeo.org/libtiff/ have PGP signatures,
> but I can't find any official source for the signer's public key. I can
> import the key from a key server, but I have no assurance that the key
> belongs to who it is claimed to belong to.
> _______________________________________________
> Tiff mailing list
> [email protected]
> https://lists.osgeo.org/mailman/listinfo/tiff
>
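The check Bob describes above, as an added example that is not part of the thread and not libtiff's own tooling: the signer's full fingerprint is pinned from an out-of-band source (the release announcement or the maintainer's web site or Gitlab repository), and a signature is accepted only if gpg reports that exact fingerprint in its VALIDSIG status line. Importing whatever key a `.sig` file names, and then trusting "Good signature", is exactly the flaw the message points out. The `demo` function builds two throwaway keys under a temporary GNUPGHOME (addresses at `example.invalid` and the payload are constructed) to show that a signature from the wrong key is rejected even though gpg itself calls it good; the fingerprint argument, the file names and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the libtiff project or the thread's authors.
# Verify a release against a fingerprint obtained out of band, rather than
# against whichever key the signature file happens to name.
set -eu

# verify_release FILE SIGFILE EXPECTED_FPR
# Succeeds only if FILE carries a valid detached signature made by the key
# whose full fingerprint (signing key or its primary key) equals EXPECTED_FPR,
# as published in the release announcement or on the maintainer's web site.
verify_release() {
    file=$1; sig=$2; expected=$3
    # --status-fd 1 gives machine-readable output; a VALIDSIG line carries the
    # signing key's fingerprint in field 3 and the primary key's in the last.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    primary=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$signer" ] || return 1
    # Announcements print fingerprints in groups with spaces and mixed case.
    want=$(printf '%s' "$expected" | tr -d ' ' | tr 'a-f' 'A-F')
    got_signer=$(printf '%s' "$signer" | tr 'a-f' 'A-F')
    got_primary=$(printf '%s' "$primary" | tr 'a-f' 'A-F')
    [ "$want" = "$got_signer" ] || [ "$want" = "$got_primary" ]
}

# Helper: full fingerprint of the primary key for a user id (constructed keyring).
fingerprint_of() {
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Self-check with throwaway keys: the genuine release key and an unrelated one
# that is also present in the keyring (as it would be after a careless import).
demo() {
    tmp=$(mktemp -d)
    GNUPGHOME="$tmp/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    payload="$tmp/tiff-x.y.z.tar.gz"
    printf 'constructed release payload\n' > "$payload"
    for uid in release@example.invalid other@example.invalid; do
        gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
            --quick-gen-key "$uid" default default never 2>/dev/null
    done
    release_fpr=$(fingerprint_of release@example.invalid)
    other_fpr=$(fingerprint_of other@example.invalid)
    for who in release other; do
        eval "fpr=\$${who}_fpr"
        gpg --batch --quiet --yes --passphrase '' --pinentry-mode loopback \
            --local-user "$fpr" --detach-sign --armor \
            --output "$tmp/$who.sig" "$payload" 2>/dev/null
    done
    rc=0
    # Genuine key, pinned fingerprint: accepted.
    verify_release "$payload" "$tmp/release.sig" "$release_fpr" || rc=1
    # Other key: gpg reports a good signature, but the fingerprint differs.
    if verify_release "$payload" "$tmp/other.sig" "$release_fpr"; then rc=1; fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    return $rc
}

# Usage: verify_release tiff-x.y.z.tar.gz tiff-x.y.z.tar.gz.sig "<fingerprint from announcement>"
# Run with --self-test to exercise demo (requires gpg).
if [ "${1:-}" = "--self-test" ]; then demo && echo "pinned-fingerprint check OK"; fi
```

Note that the second case is the important one: after importing a key by the short id a forged signature names, `gpg --verify` alone prints "Good signature", so the comparison against the independently published fingerprint is what actually ties the file to the project.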
