Author: kwade
Update of /cvs/fedora/web/html/About/security
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5687

Modified Files:
	index.php
Log Message:
updating at Mark Cox's request to match the current redhat.com/security page

Index: index.php
===================================================================
RCS file: /cvs/fedora/web/html/About/security/index.php,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- index.php	29 Nov 2005 17:32:24 -0000	1.1
+++ index.php	4 Jan 2007 23:39:46 -0000	1.2
@@ -7,91 +7,52 @@ ?> -<h1>GPG Keys</h1> +<h1>RPM Package Signing</h1> -<p>Fedora uses a number of GNU Privacy Guard (GPG) -keys to communicate securely. This document is designed to tell you -which keys we use for which purposes and how to verify those keys.</p> +<p>Fedora uses a number of GNU Privacy Guard (GPG) keys to sign our software +packages. The necessary public keys are included in relevant products and are +used automatically to verify software updates. You can also check the packages +manually using the keys on this page.</p> -<p>It is a good security practice to validate public keys that you receive and -to only trust validated keys. Therefore before trusting Red Hat public keys -you should attempt to validate the fingerprints from a number of sources, -and not rely solely on this page as being authentic.</p> - -<p>Public key validation, verification, and trust models are complicated -subjects. For further details consult the GPG documentation.</p> - -<p>To verify an RPM package, run the command:</p> +<p>To verify a RPM package for a Fedora product, run the command</p> <code class="screen"> rpm --checksig -v <filename>.rpm </code> -<p>The output of this command will show you if the package is signed -and who signed it.</p> +<p>The output of this command shows if the package is signed +and which key was used to sign it.</p> -<h2>Package Signing</h2> +<p>Please do not send messages encrypted with these public +keys.</p> -<p>Software packages distributed as part of the <? print $THE_PROJECT_NAME; ?> -are signed with the fedora@xxxxxxxxxx public key.</p> +<h2>Release Package Signing</h2> -<p><? print $THE_PROJECT_NAME; ?> fedora@xxxxxxxxxx public key is available -from a number of places:</p> - -<ul> - <li>From <A HREF="4F2A6FD2.txt">our website</A></li> - <li>In a <? 
print $RELEASE_NAME; ?> distribution, in the file <code class="filename">/usr/share/rhn/RPM-GPG-KEY-fedora</code> - <li>On a public keyserver, such as - <A HREF="http://pgp.mit.edu:11371/pks/lookup?search=0x4f2a6fd2&op=index">pgp.mit.edu</A></li> -</ul> - -<p>The fingerprint of the fedora@xxxxxxxxxx key is:</p> -<pre> -CAB4 4B99 6F27 744E 8612 7CDF B442 69D0 4F2A 6FD2 -</pre> - -<h2>Test Package Signing</h2> - -<p>From time to time, <? print $THE_PROJECT_NAME; ?> makes test software -available. This software may be signed using the <? print $PROJECT_NAME; ?> -test software key, id 0x30C9ECF8.</p> - -<p><? print $THE_PROJECT_NAME; ?> test software public key is available -from the following locations:</p> - -<ul> - <li>From <A HREF="30C9ECF8.txt">our website</A></li> - <li>In a <? print $RELEASE_NAME; ?> distribution, in the file <code class="filename">/usr/share/rhn/RPM-GPG-KEY-fedora-test</code> - <li>On a public keyserver, such as - <A HREF="http://pgp.mit.edu:11371/pks/lookup?search=0x30c9ecf8&op=index">pgp.mit.edu</A></li> -</ul> - -<p>The fingerprint of the <? print $PROJECT_NAME; ?> test software key is:</p> -<pre> -3166 C14A AE72 30D9 3B7A B2F6 DA84 CBD4 30C9 ECF8 -</pre> - -<h2>Automated Package Signing</h2> - -<p>From time to time, <? print $THE_PROJECT_NAME; ?> makes development software -available. This software may be signed by an automated build signing key. -Because this key is used automatically, we expect to change the key we sign -with from time to time.</p> - -<p>The current <? print $PROJECT_NAME; ?> automated build signing public -key, has key id 0x1CDDBCA9 and is available from a number of places:</p> - -<ul> - <li>From <A HREF="1CDDBCA9.txt">our website</A></li> - <li>On a public keyserver, such as - <A HREF="http://pgp.mit.edu:11371/pks/lookup?search=0x1cddbca9&op=index">pgp.mit.edu</A></li> -</ul> - -<p>The fingerprint of the <? 
print $PROJECT_NAME; ?> automated -build signing key is:</p> -<pre> -2312 6DEE 2014 B8A7 6CD6 D32C E138 5D4E 1CDD BCA9 -</pre> +<h3>4F2A6FD2: Fedora Project <fedora@xxxxxxxxxx></h3> +<br /> +<p> +This key is used for signing all Fedora Core releases and updates. +</p> +<p> +<strong>Location:</strong> /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora<br /> +<strong>Download:</strong> <a href="4F2A6FD2.txt">Our website</a><br /> +<strong>Download:</strong> <a +href="http://pgp.mit.edu:11371/pks/lookup?search=0x4F2A6FD2&op=index">pgp.mit.edu</a><br/> +<strong>Fingerprint:</strong> CAB4 4B99 6F27 744E 8612 7CDF B442 69D0 4F2A 6FD2 +</p> + +<h3>Test Package Signing</h3> + +<h2>30C9ECF8: Fedora Project (Test Software) <rawhide@xxxxxxxxxx></h2> +<br /> +This key is used for signing Fedora test software such as beta releases. +<p> +<strong>Location:</strong> /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-test<br /> +<strong>Download:</strong> <a href="30C9ECF8.txt">Red Hat</a><br /> +<strong>Download:</strong> <a +href="http://pgp.mit.edu:11371/pks/lookup?search=0x30C9ECF8&op=index">pgp.mit.edu</a><br/> +<strong>Fingerprint:</strong> 3166 C14A AE72 30D9 3B7A B2F6 DA84 CBD4 30C9 ECF8 +</p> <?
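Review bot: The two new key headings put unescaped angle brackets into the HTML: in `+<h3>4F2A6FD2: Fedora Project <fedora@xxxxxxxxxx></h3>` and `+<h2>30C9ECF8: Fedora Project (Test Software) <rawhide@xxxxxxxxxx></h2>` the browser will parse the address as an unknown tag and drop it from the rendered page, so they should be written as `&lt;fedora@xxxxxxxxxx&gt;` and `&lt;rawhide@xxxxxxxxxx&gt;` (the unchanged `rpm --checksig -v <filename>.rpm` line inside `<code class="screen">` has the same problem and could be fixed in the same commit). The heading hierarchy is also inverted for the second key: "Test Package Signing" is an `<h3>` but the key entry under it is an `<h2>`, while the release key entry is an `<h3>` under `<h2>Release Package Signing</h2>`; making both section titles `<h2>`, both key entries `<h3>`, wrapping the test key's description sentence in `<p>` as the first one is, and using one spelling of `<br />` would make the two blocks consistent. Two removals deserve a second look: the paragraph telling readers to validate the fingerprints from several sources rather than trusting this page alone is the page's only guidance on establishing trust in the keys and is dropped without replacement, and the automated build signing key section (id 0x1CDDBCA9) is removed entirely, so anyone holding packages signed with that key can no longer find its fingerprint here. Minor: "To verify a RPM package" should read "an RPM package", the bare `&op=index` in the two hrefs should be `&amp;op=index`, and the test key's download link is labelled "Red Hat" while the release key's identical link is labelled "Our website".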