
Re: [qemu-web PATCH] Add public key for tarball-signing to download page


From: Thomas Huth
Subject: Re: [qemu-web PATCH] Add public key for tarball-signing to download page
Date: Wed, 4 May 2022 08:31:24 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.8.0

On 04/05/2022 02.21, Michael Roth wrote:
We used to have public keys listed on the SecurityProcess page back
when it was still part of the wiki, but they are no longer available
there and some users have asked where to obtain them so they can verify
the tarball signatures.

That was probably not a great place for them anyway, so address this by
adding the public signing key directly to the download page.

Since a compromised tarball has a high likelihood of coinciding with a
compromised host (in general at least), also include some information
so they can verify the correct signing key via stable tree git tags if
desired.

Reported-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
  _download/source.html | 1 +
  1 file changed, 1 insertion(+)

diff --git a/_download/source.html b/_download/source.html
index 8671f4e..c0a55ac 100644
--- a/_download/source.html
+++ b/_download/source.html
@@ -23,6 +23,7 @@ make
  </pre>
        {% endfor %}
+ <p>Source tarballs on this site are generated and signed by the package maintainer using the public key <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/CEACC9E15534EBABB82D3FA03353C9CEF108B584";>F108B584</a>.
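Review bot: the anchor tag in the added line has a stray `;` after the closing quote of the href (`...F108B584";>`), which is not valid attribute syntax and will leave a literal semicolon in the rendered markup; it should read `...F108B584">`. As shown, the `<p>` is also never closed and the hunk ends right after the added line, although the header `@@ -23,6 +23,7 @@` promises further context, so please check the line is not truncated in the submission. The commit message says the page will also explain how to cross-check the key against the stable-tree git tags, but that text does not appear in the visible hunk; if it was meant to be part of this patch, it is missing here.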

I'd maybe rather use 3353C9CEF108B584 instead of just F108B584 between the <a> and </a>, since short key IDs are a no-go nowadays.

Apart from that:

Reviewed-by: Thomas Huth <thuth@redhat.com>
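The review point above is that short key IDs must not be used to identify a signing key: the short ID is only the last 32 bits of the fingerprint and can be brute-forced so that a different key ends in the same eight hex digits. The following added example (not part of the qemu-web patch or of this thread) shows what a downloader should actually pin: it derives the long and short IDs from the fingerprint in the patch, parses constructed `gpg --with-colons --fingerprint` output in which a hypothetical lookalike key shares the short ID `F108B584`, selects a key only by full fingerprint, and checks a `gpg --status-fd` `VALIDSIG` line against that pinned fingerprint before a tarball is accepted. The sample keyring listing and status output are constructed for the example; the only real value is the fingerprint from the patch.

```python
"""Verify a tarball signature against a pinned full fingerprint, not a short key ID.

Added example; not code from the qemu-web repository or from the thread.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Full 40-hex-digit fingerprint quoted in the patch under review.
EXPECTED_FPR = "CEACC9E15534EBABB82D3FA03353C9CEF108B584"

# Constructed sample of `gpg --with-colons --fingerprint` output: the expected
# key plus a hypothetical lookalike whose fingerprint ends in the same 8 hex
# digits, so matching on the short ID alone would be ambiguous.
SAMPLE_COLONS = """\
tru::1:1650000000:0:3:1:5
pub:-:4096:1:3353C9CEF108B584:1400000000:::-:::scESC::::::23::0:
fpr:::::::::CEACC9E15534EBABB82D3FA03353C9CEF108B584:
uid:-::::1400000000::DEADBEEF00000000000000000000000000000000::Example Maintainer (constructed) <maintainer@example.invalid>::::::::::0:
pub:-:2048:1:00000000F108B584:1650000000:::-:::scESC::::::23::0:
fpr:::::::::00000000000000000000000000000000F108B584:
uid:-::::1650000000::CAFEBABE00000000000000000000000000000000::Lookalike Key (constructed) <lookalike@example.invalid>::::::::::0:
"""

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3353C9CEF108B584 Example Maintainer (constructed) <maintainer@example.invalid>
[GNUPG:] VALIDSIG CEACC9E15534EBABB82D3FA03353C9CEF108B584 2022-04-20 1650400000 0 4 0 1 10 00 CEACC9E15534EBABB82D3FA03353C9CEF108B584
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


@dataclass
class Key:
    keyid: str  # 16-hex long key ID from the pub record
    fpr: str    # 40-hex v4 fingerprint from the fpr record
    uid: str    # first user ID seen for the key


def normalize_fpr(fpr: str) -> str:
    """Strip the spaces gpg prints in fingerprints and upper-case the hex."""
    fpr = fpr.replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fpr


def key_ids(fpr: str) -> Tuple[str, str]:
    """For a v4 OpenPGP key the long ID is the last 16 hex digits of the
    fingerprint and the short ID the last 8; only the full fingerprint is
    worth pinning because 32 bits are trivially collidable."""
    fpr = normalize_fpr(fpr)
    return fpr[-16:], fpr[-8:]


def parse_colons(output: str) -> List[Key]:
    """Parse `gpg --with-colons --fingerprint` records into Key objects.
    The first fpr record after a pub record is the primary-key fingerprint;
    later fpr records belong to subkeys and are ignored here."""
    keys: List[Key] = []
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keys.append(Key(keyid=fields[4], fpr="", uid=""))
        elif fields[0] == "fpr" and keys and not keys[-1].fpr:
            keys[-1].fpr = fields[9]
        elif fields[0] == "uid" and keys and not keys[-1].uid:
            keys[-1].uid = fields[9]
    return keys


def keys_by_short_id(keys: List[Key], short_id: str) -> List[Key]:
    """Every key whose fingerprint ends in the short ID; shows the ambiguity."""
    return [k for k in keys if k.fpr.endswith(short_id.upper())]


def select_key(keys: List[Key], expected_fpr: str) -> Key:
    """Select exactly one key by full fingerprint, or fail."""
    want = normalize_fpr(expected_fpr)
    matches = [k for k in keys if k.fpr == want]
    if len(matches) != 1:
        raise LookupError(f"expected one key with fingerprint {want}, found {len(matches)}")
    return matches[0]


def validsig_primary_fpr(status: str) -> Optional[str]:
    """Primary-key fingerprint from a VALIDSIG status line, or None if the
    signature was not reported valid.  Field 1 after VALIDSIG is the signing
    (sub)key fingerprint; the optional trailing field is the primary key."""
    for line in status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[-1] if len(parts) >= 12 else parts[2]
    return None


def verify_tarball(tarball: str, sig: str, expected_fpr: str = EXPECTED_FPR) -> bool:
    """Run gpg on a detached signature; accept only a valid signature whose
    primary key fingerprint equals the pinned one (requires gpg installed)."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig, tarball],
                          capture_output=True, text=True)
    fpr = validsig_primary_fpr(proc.stdout)
    return fpr is not None and fpr.upper() == normalize_fpr(expected_fpr)


if __name__ == "__main__":
    keys = parse_colons(SAMPLE_COLONS)
    print("short ID F108B584 matches:", [k.uid for k in keys_by_short_id(keys, "F108B584")])
    print("pinned fingerprint selects:", select_key(keys, EXPECTED_FPR).uid)
```

`verify_tarball` is the only function that shells out to gpg; everything else works on captured text, which is also how a CI job can unit-test its pinning logic without a live keyring.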
