[libvirt PATCH] downloads.html: Add a link to GPG key used signing releases

Jiri Denemark posted 1 patch 1 week, 5 days ago
Test syntax-check failed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/516c6ba1fb941a0f695f173d82e12c4b9f386401.1617291359.git.jdenemar@redhat.com
docs/downloads.html.in | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

[libvirt PATCH] downloads.html: Add a link to GPG key used signing releases

Posted by Jiri Denemark 1 week, 5 days ago
While the key is available on public GPG key servers, having it locally
at https://libvirt.org/sources/gpg_key.asc is even better.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
 docs/downloads.html.in | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/downloads.html.in b/docs/downloads.html.in
index ca14b3ecba..90a0cf7717 100644
--- a/docs/downloads.html.in
+++ b/docs/downloads.html.in
@@ -608,7 +608,9 @@ git clone git://libvirt.org/[module name].git</pre>
       on this project site are signed with a GPG signature. You should always
       verify the package signature before using the source to compile binary
       packages. The following key is currently used to generate the GPG
-      signatures:
+      signatures and it can be
+      <a href="https://libvirt.org/sources/gpg_key.asc">downloaded</a> from this
+      site or from public GPG key servers:
     </p>
     <pre>
 pub  4096R/10084C9C 2020-07-20 Jiří Denemark &lt;jdenemar@redhat.com&gt;
-- 
2.31.1

Re: [libvirt PATCH] downloads.html: Add a link to GPG key used signing releases

Posted by Ján Tomko 1 week, 5 days ago
On a Thursday in 2021, Jiri Denemark wrote:
>While the key is available on public GPG key servers, having it locally
>at https://libvirt.org/sources/gpg_key.asc is even better.
>

I don't remember where but I think someone was trying to find the
key used to sign libvirt-glib. Also, Pavel uses his key to sign
libvirt-dbus releases.

We could reflect that in the naming scheme to put their keys there too.
Or put all the keys in gpg_keys.asc, like GnuPG does:
https://gnupg.org/signature_key.html

I also noticed that we have empty folders there (csharp, go, ruby, rust) and that
the 'old' release folder was not "updated" in a while.

>Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
>---
> docs/downloads.html.in | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
>diff --git a/docs/downloads.html.in b/docs/downloads.html.in
>index ca14b3ecba..90a0cf7717 100644
>--- a/docs/downloads.html.in
>+++ b/docs/downloads.html.in
>@@ -608,7 +608,9 @@ git clone git://libvirt.org/[module name].git</pre>
>       on this project site are signed with a GPG signature. You should always
>       verify the package signature before using the source to compile binary
>       packages. The following key is currently used to generate the GPG
>-      signatures:
>+      signatures and it can be
>+      <a href="https://libvirt.org/sources/gpg_key.asc">downloaded</a> from this
>+      site or from public GPG key servers:

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano

>     </p>
>     <pre>
> pub  4096R/10084C9C 2020-07-20 Jiří Denemark &lt;jdenemar@redhat.com&gt;
>-- 
>2.31.1
>

Re: [libvirt PATCH] downloads.html: Add a link to GPG key used signing releases

Posted by Jiri Denemark 4 days, 22 hours ago
On Thu, Apr 01, 2021 at 20:18:33 +0200, Ján Tomko wrote:
> On a Thursday in 2021, Jiri Denemark wrote:
> >While the key is available on public GPG key servers, having it locally
> >at https://libvirt.org/sources/gpg_key.asc is even better.
> >

Oops, I completely forgot I have this patch in queue :-)

> I don't remember where but I think someone was trying to find the
> key used to sign libvirt-glib. Also, Pavel uses his key to sign
> libvirt-dbus releases.

I guess such keys could be stored in the subdirectories associated with
these projects.

Jirka

Re: [libvirt PATCH] downloads.html: Add a link to GPG key used signing releases

Posted by Andrea Bolognani 1 week, 5 days ago
On Thu, 2021-04-01 at 17:36 +0200, Jiri Denemark wrote:
> While the key is available on public GPG key servers, having it locally
> at https://libvirt.org/sources/gpg_key.asc is even better.
> 
> Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
> ---
>  docs/downloads.html.in | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

I love the idea, but I would like to suggest a slightly alternative
implementation of it:

diff --git a/docs/downloads.html.in b/docs/downloads.html.in
index ca14b3ecba..0187062cef 100644
--- a/docs/downloads.html.in
+++ b/docs/downloads.html.in
@@ -615,6 +615,12 @@ pub  4096R/10084C9C 2020-07-20 Jiří Denemark &lt;jdenemar@redhat.com&gt;
 Fingerprint=453B 6531 0595 5628 5547  1199 CA68 BE80 1008 4C9C
 </pre>

+    <p>
+      It can be downloaded from
+      <a href="https://libvirt.org/sources/gpg_key.asc">this site</a> or from
+      public GPG key servers.
+    </p>
+
     <p>
       Releases prior to libvirt-6.6 were signed with the following GPG key:
     </p>

What do you think?

-- 
Andrea Bolognani / Red Hat / Virtualization