docs/downloads.html.in | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
While the key is available on public GPG key servers, having it locally
at https://libvirt.org/sources/gpg_key.asc is even better.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
docs/downloads.html.in | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/downloads.html.in b/docs/downloads.html.in
index ca14b3ecba..90a0cf7717 100644
--- a/docs/downloads.html.in
+++ b/docs/downloads.html.in
@@ -608,7 +608,9 @@ git clone git://libvirt.org/[module name].git</pre>
on this project site are signed with a GPG signature. You should always
verify the package signature before using the source to compile binary
packages. The following key is currently used to generate the GPG
- signatures:
+ signatures and it can be
+ <a href="https://libvirt.org/sources/gpg_key.asc">downloaded</a> from this
+ site or from public GPG key servers:
</p>
<pre>
pub 4096R/10084C9C 2020-07-20 Jiří Denemark <jdenemar@redhat.com>
--
2.31.1
On Thu, 2021-04-01 at 17:36 +0200, Jiri Denemark wrote: > While the key is available on public GPG key servers, having it locally > at https://libvirt.org/sources/gpg_key.asc is even better. > > Signed-off-by: Jiri Denemark <jdenemar@redhat.com> > --- > docs/downloads.html.in | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) I love the idea, but I would like to suggest a slightly alternative implementation of it: diff --git a/docs/downloads.html.in b/docs/downloads.html.in index ca14b3ecba..0187062cef 100644 --- a/docs/downloads.html.in +++ b/docs/downloads.html.in @@ -615,6 +615,12 @@ pub 4096R/10084C9C 2020-07-20 Jiří Denemark <jdenemar@redhat.com> Fingerprint=453B 6531 0595 5628 5547 1199 CA68 BE80 1008 4C9C </pre> + <p> + It can be downloaded from + <a href="https://libvirt.org/sources/gpg_key.asc">this site</a> or from + public GPG key servers. + </p> + <p> Releases prior to libvirt-6.6 were signed with the following GPG key: </p> What do you think? -- Andrea Bolognani / Red Hat / Virtualization
On a Thursday in 2021, Jiri Denemark wrote: >While the key is available on public GPG key servers, having it locally >at https://libvirt.org/sources/gpg_key.asc is even better. > I don't remember where but I think someone was trying to find the key used to sign libvirt-glib. Also, Pavel uses his key to sign libvirt-dbus releases. We could reflect that in the naming scheme to put their keys there too. Or put all the keys in gpg_keys.asc, like GnuPG does: https://gnupg.org/signature_key.html I also noticed that we have empty folders there (csharp, go, ruby, rust) and that the 'old' release folder was not "updated" in a while. >Signed-off-by: Jiri Denemark <jdenemar@redhat.com> >--- > docs/downloads.html.in | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > >diff --git a/docs/downloads.html.in b/docs/downloads.html.in >index ca14b3ecba..90a0cf7717 100644 >--- a/docs/downloads.html.in >+++ b/docs/downloads.html.in >@@ -608,7 +608,9 @@ git clone git://libvirt.org/[module name].git</pre> > on this project site are signed with a GPG signature. You should always > verify the package signature before using the source to compile binary > packages. The following key is currently used to generate the GPG >- signatures: >+ signatures and it can be >+ <a href="https://libvirt.org/sources/gpg_key.asc">downloaded</a> from this >+ site or from public GPG key servers: Reviewed-by: Ján Tomko <jtomko@redhat.com> Jano > </p> > <pre> > pub 4096R/10084C9C 2020-07-20 Jiří Denemark <jdenemar@redhat.com> >-- >2.31.1 >
On Thu, Apr 01, 2021 at 20:18:33 +0200, Ján Tomko wrote: > On a Thursday in 2021, Jiri Denemark wrote: > >While the key is available on public GPG key servers, having it locally > >at https://libvirt.org/sources/gpg_key.asc is even better. > > Oops, I completely forgot I have this patch in queue :-) > I don't remember where but I think someone was trying to find the > key used to sign libvirt-glib. Also, Pavel uses his key to sign > libvirt-dbus releases. I guess such keys could be stored in the subdirectories associated with these projects. Jirka
© 2016 - 2024 Red Hat, Inc.