Verifying signed releases #1125
Comments
|
I uploaded my key:
FYI How to generate "ascii armor version": I just grabbed the key id from my ~/.gitconfig file. @joshuagl and @martinezjavier can you please do the same. I also recommend securely archiving revocation certs. I have a few generated for different scenarios:
|
|
We also should re-write our RELEASE.md to clarify this change. I still want to keep a public key as an object in the git repo. |
|
@williamcroberts as @diabonas mentioned, I already uploaded my key to a public keyserver (pgp.mit.edu) a long time ago. |
|
@martinezjavier sorry, senior moment. |
|
I've uploaded my key: https://pgp.mit.edu/pks/lookup?op=vindex&search=0x49BCAE5443FFFC34 |
haha, no worries. I just mentioned to let you know that's already there. |
|
Nice, thank you very much @martinezjavier @williamcroberts @joshuagl! The next version of the Arch Linux AUR package for tpm2-tools will have signature verification enabled. |
Releases are currently signed by one of the three following PGP keys as described in RELEASE.md1:
I noticed that only the second of these keys seems to be available on a public keyserver. Would it be possible to add the other two keys to the OpenPGP keyserver pool as well?
This would make it much easier to verify a release automatically, e.g. in the build process of an Arch Linux User Repository (AUR) package, as users can import the keys directly using
gpg --receive-keys <fingerprint>instead of having to clone the Git repository and manually importing them from the tags.For the sister projects tpm2-tss and tpm2-abrmd, this is already the case, as documented in their RELEASE.md.
1 This document is a bit outdated, as it only lists the
william-roberts-pubtag, but the other two keys injavier-martinez-pubandjoshua-lock-pubcan be found easily by looking at the list of all tags.The text was updated successfully, but these errors were encountered: