gpg keychain repo?
Jonathan Riddell
jr at jriddell.org
Thu Jul 1 14:00:38 BST 2021
This is a good idea and doesn't need to be anything complex at all. The
problem currently is that people announce apps and often don't include
their gpg key fingerprint, when they do include their gpg fingerprint it's
then difficult to find where the full gpg key is published. So this just
needs to be a normal repo that KDE devs can put their full public gpg key
into. Then it needs releaseme's templates to nudge app release managers to
put their gpg key in this repo and point to the location so us distro
packagers can find it easily and copy it into our packaging for
verification.
No extra security is needed, the known-good entity is the release
announcement email or website or blog post. It just needs an easy way to
publish the gpg key and point to it.
Jonathan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/distributions/attachments/20210701/0456c8ee/attachment.htm>
More information about the Distributions
mailing list