I know I can reliably verify the integrity of LibreOffice installation files via the SHA-256 hashes, but LibreOffice does also provide PGP detached signatures for these files, and the GnuPG keys are available from any key server. So why not use them?
However after extensive searching and browsing around, I can’t find an HTTPS page on libreoffice.org where the *fingerprint* of the code signing key is explicitly displayed. This would allow me to verify that the key server has sent me the genuine key by comparing its fingerprint with the one on the website (*presumed unhacked*), and then locally sign the LibreOffice key on my keychain in the most PGP-ically correct way. Is there such a page on the website? It could also centralize other cryptographically significant information (key material, certificate fingerprints, etc.) useful for users of the website or software. If there is no such page, what is the best place to start a request for the same? I’m not a developer, but I could contribute a relevant bug/enhancement request to whatever tracking system is used for the website. -- To unsubscribe e-mail to: [email protected] Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/website/ All messages sent to this list will be publicly archived and cannot be deleted
