Making PGP distribution key well-known

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



As new Fedora release looms ahead, I'd like open discussion about
verifying distribution integrity. In short---where to get public key for
verifying RPM signatures.

If I remember correctly, you are asked to accept new signing key by rpm
while installing fedora-release package from new Fedora release. Problem
is, there is no way how how to verify the key beeing accepted.

I have been told by RPM developers, RPM allows multiple signatures.
Whould it be possible to sign fedora-relase package from F17 with key
used in F16 in addition?

This procedure would create chain of trust from older to newer Fedora
release making upgrade more secured.

Of course other good approach is to sign F17 public key by well-known
Fedora developers and publish the key with its singatures, e.g. on PGP
key servers.

-- Petr

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux