[libvirt PATCH] docs: Mention GPG key used for signing releases

Jiri Denemark posted 1 patch 1 week ago
Test syntax-check failed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/ec948161c005626cd87c6827db318d9a56cfe613.1602674985.git.jdenemar@redhat.com
docs/downloads.html.in | 14 ++++++++++++++
1 file changed, 14 insertions(+)

[libvirt PATCH] docs: Mention GPG key used for signing releases

Posted by Jiri Denemark 1 week ago
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---

Notes:
    Should we also make the key available for download?

 docs/downloads.html.in | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/docs/downloads.html.in b/docs/downloads.html.in
index 43366b3694..aa0bb23d45 100644
--- a/docs/downloads.html.in
+++ b/docs/downloads.html.in
@@ -493,6 +493,20 @@
       <li><a href="https://libvirt.org/sources/">libvirt.org HTTPS server</a></li>
     </ul>
 
+    <h2><a id="keys">Signing keys</a></h2>
+
+    <p>
+      Source RPM packages and tarballs for libvirt and libvirt-python published
+      on this project site are signed with a GPG signature. You should always
+      verify the package signature before using the source to compile binary
+      packages. The following key is currently used to generate the GPG
+      signatures:
+    </p>
+    <pre>
+pub  4096R/10084C9C 2020-07-20 Jiří Denemark &lt;jdenemar@redhat.com&gt;
+Fingerprint=453B 6531 0595 5628 5547  1199 CA68 BE80 1008 4C9C
+</pre>
+
     <h2><a id="schedule">Primary release schedule</a></h2>
 
     <p>
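Review bot: the new paragraph tells readers to "always verify the package signature" but gives them nothing to act on: it does not say where the signature files live, how to obtain the key, or what to run. Given the open question in the Notes about publishing the key for download, consider adding a link to the key file next to the `<pre>` block plus one verification line (e.g. `gpg --verify <signature file> <tarball>`), and a sentence telling readers to compare the full 40-digit fingerprint shown above rather than the short id `10084C9C` from the `pub` line, since 32-bit key ids can be collided cheaply and only the full fingerprint identifies the key.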
-- 
2.28.0

Re: [libvirt PATCH] docs: Mention GPG key used for signing releases

Posted by Erik Skultety 1 week ago
On Wed, Oct 14, 2020 at 01:38:41PM +0200, Jiri Denemark wrote:
> Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
> ---
> 
> Notes:
>     Should we also make the key available for download?

Now that you've provided the fingerprint, isn't it enough for the users to
fetch it from a keyserver should they wish so?

Reviewed-by: Erik Skultety <eskultet@redhat.com>

Re: [libvirt PATCH] docs: Mention GPG key used for signing releases

Posted by Jiri Denemark 1 week ago
On Wed, Oct 14, 2020 at 17:28:54 +0200, Erik Skultety wrote:
> On Wed, Oct 14, 2020 at 01:38:41PM +0200, Jiri Denemark wrote:
> > Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
> > ---
> > 
> > Notes:
> >     Should we also make the key available for download?
> 
> Now that you've provided the fingerprint, isn't it enough for the users to
> fetch it from a keyserver should they wish so?

Sure, it is enough. I just wanted to make sure I wasn't the only one who
thought so :-)

> Reviewed-by: Erik Skultety <eskultet@redhat.com>

Pushed, thanks.

Jirka

Re: [libvirt PATCH] docs: Mention GPG key used for signing releases

Posted by Eric Blake 1 week ago
On 10/14/20 11:11 AM, Jiri Denemark wrote:
> On Wed, Oct 14, 2020 at 17:28:54 +0200, Erik Skultety wrote:
>> On Wed, Oct 14, 2020 at 01:38:41PM +0200, Jiri Denemark wrote:
>>> Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
>>> ---
>>>
>>> Notes:
>>>      Should we also make the key available for download?
>>
>> Now that you've provided the fingerprint, isn't it enough for the users to
>> fetch it from a keyserver should they wish so?
> 
> Sure, it is enough. I just wanted to make sure I wasn't the only one who
> thought so :-)

The problem is that more and more keyservers are being rendered 
worthless by spam keys exploiting their append-only nature, which makes 
them no longer an ideal way to get a key.  I'd recommend making it 
available for download here in addition to the keyservers.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org
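The doc text added by the patch tells users to verify the signature, and Eric's point above is that fetching the key from a keyserver is no longer reliable. The script below is an added example, not code from the libvirt patch or from anyone in this thread: it takes the key as a local file (downloaded from the project site, as suggested), pins the full fingerprint quoted in the patch as the only trust anchor, and only then lets gpg verify a release. It assumes gpg is installed and that the detached signature is passed as a third argument; the file names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the libvirt patch or the thread: check a
# downloaded libvirt release against the signing key pinned by its full
# fingerprint. Assumptions (hypothetical): gpg is installed, the public key
# was fetched as a file from the project site rather than a keyserver, and
# the detached signature is passed in as a third argument.

# The primary-key fingerprint quoted in the patch: the only trust anchor here.
PINNED_FPR="453B 6531 0595 5628 5547  1199 CA68 BE80 1008 4C9C"

# Normalize a fingerprint for comparison: strip blanks, fold to upper case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]'
}

# True only for a full 40-hex-digit v4 fingerprint. A short id such as 10084C9C
# is just the last 8 digits and can be collided cheaply, so it never counts.
is_full_fpr() {
    n=$(normalize_fpr "$1")
    [ "${#n}" -eq 40 ] || return 1
    case "$n" in *[!0-9A-F]*) return 1 ;; esac
    return 0
}

# True if the candidate is a full fingerprint equal to the pinned one.
fpr_matches() {
    is_full_fpr "$1" || return 1
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$PINNED_FPR")" ]
}

# verify_release KEYFILE TARBALL SIGFILE
# Imports KEYFILE into a throwaway keyring, refuses to continue unless the
# pinned primary key is among the imported keys, then checks that SIGFILE is a
# valid signature over TARBALL made by that primary key (or one of its subkeys).
verify_release() {
    keyfile=$1; tarball=$2; sig=$3
    pin=$(normalize_fpr "$PINNED_FPR")
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    GNUPGHOME=$home; export GNUPGHOME
    rc=1
    if gpg --batch --quiet --import "$keyfile" 2>/dev/null; then
        # Colon-format "fpr" records carry the fingerprint in field 10.
        found=0
        for f in $(gpg --batch --with-colons --list-keys 2>/dev/null |
                   awk -F: '$1 == "fpr" { print $10 }'); do
            fpr_matches "$f" && found=1
        done
        if [ "$found" -eq 1 ]; then
            # VALIDSIG's last field is the primary-key fingerprint, so a
            # signature made by a subkey of the pinned key still passes, while
            # a signature by any other key imported from the file does not.
            gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null |
                awk -v pin="$pin" '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == pin { ok = 1 }
                                   END { exit !ok }'
            rc=$?
        fi
    fi
    rm -rf "$home"
    return "$rc"
}

# Usage: sh verify-libvirt.sh KEYFILE TARBALL SIGFILE
if [ "$#" -eq 3 ]; then
    if verify_release "$1" "$2" "$3"; then
        echo "OK: $2 is signed by the pinned libvirt release key"
    else
        echo "FAIL: signature on $2 did not verify against the pinned key" >&2
        exit 1
    fi
fi
```

The throwaway `GNUPGHOME` keeps the check independent of whatever keys and trust settings the user already has, and matching on the `VALIDSIG` status line rather than on gpg's exit code alone ensures the signature really came from the pinned key and not from some other key that happened to be in the downloaded file.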