We used to have public keys listed on the SecurityProcess page back
when it was still part of the wiki, but they are no longer available
there and some users have asked where to obtain them so they can verify
the tarball signatures.
That was probably not a great place for them anyway, so address this by
adding the public signing key directly to the download page.
Since a compromised tarball has a high likelyhood of coinciding with a
compromised host (in general at least), also include some information
so they can verify the correct signing key via stable tree git tags if
desired.
Reported-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
_download/source.html | 1 +
1 file changed, 1 insertion(+)
diff --git a/_download/source.html b/_download/source.html
index 8671f4e..c0a55ac 100644
--- a/_download/source.html
+++ b/_download/source.html
@@ -23,6 +23,7 @@ make
</pre>
{% endfor %}
+ <p>Source tarballs on this site are generated and signed by the package maintainer using the public key <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/CEACC9E15534EBABB82D3FA03353C9CEF108B584">F108B584</a>.