On Wed, Dec 20, 2023 at 7:21 AM Petr Lautrbach <lautrbach@xxxxxxxxxx> wrote:
>
> Cathy Hu <cahu@xxxxxxx> writes:
>
> > Hi,
> >
> > thanks for the new userspace release. I was just packaging it for
> > opensuse when I saw that the signing key changed.
> >
> > Could someone confirm if that is correct? I am just a bit unsure since
> > the new key has no signatures from people that I frequently see on this
> > mailing list.
> >
> > New key (almost no signatures):
> > https://keyserver.ubuntu.com/pks/lookup?search=1BE2C0FF08949623102FD2564695881C254508D1&fingerprint=on&op=index
> >
> > Old key (lots of signatures):
> > https://keyserver.ubuntu.com/pks/lookup?search=E853C1848B0185CF42864DF363A8AD4B982C4373&fingerprint=on&op=index
> >
> > Thanks for checking signatures!
>
> This is correct.
>
> It's signed by me - Petr Lautrbach <lautrbach@xxxxxxxxxx> known as
> bachradsusi on github and the public key could be found at
>
> https://github.com/bachradsusi.gpg
>
> This key is signed by
> E853C1848B0185CF42864DF363A8AD4B982C4373 Petr Lautrbach
> <plautrba@xxxxxxxxxx> which is signed by other guys ...

Perhaps it makes sense to include some text in the README.md with
information about what GPG fingerprints are valid for signing releases?
Adding it to the README.md not only means that it is front and center
on the GitHub page, it also means that any fingerprints added to the
file will be part of the signed release tarballs providing a history of
authorized GPG identities (although that doesn't help us until we build
up that history).

As an example, here is what we do in libseccomp:
https://github.com/seccomp/libseccomp#verifying-release-tarballs

-- 
paul-moore.com
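The check a packager actually needs here is not "does the signature verify" but "does it verify against a key the project has declared authorized". The script below is an added example, not part of this thread or of the SELinux or libseccomp projects: it takes the allow-list a README would publish, parses the machine-readable `--status-fd` output of `gpg --verify`, and accepts a tarball only when the `VALIDSIG` line names a fingerprint on that list. The allow-list contents are constructed for the example from the two fingerprints quoted above; the keyring path and the `verify_release` wrapper are assumptions about how a packager would wire it in.

```shell
#!/bin/sh
# Allow-list of release-signing fingerprints. Constructed for this example
# from the two fingerprints quoted in the thread; in practice copy it from
# the project's README, not from a mail.
ALLOWED_FPRS="E853C1848B0185CF42864DF363A8AD4B982C4373
1BE2C0FF08949623102FD2564695881C254508D1"

# Return 0 if $1 is one of the allowed fingerprints.
fpr_allowed() {
    for f in $ALLOWED_FPRS; do
        [ "$f" = "$1" ] && return 0
    done
    return 1
}

# Read `gpg --status-fd 1` output on stdin. Print the fingerprint of the
# primary key behind the VALIDSIG line and return 0 only if it is allowed.
# GOODSIG alone is not enough: it only says the signature checks out
# against *some* key in the keyring, not against a key trusted for releases.
check_status() {
    fpr=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo>
                #          <hashalgo> <class> [<primary-key-fpr>]
                set -f; set -- $line; set +f
                # Prefer the primary-key fingerprint (field 12) when gpg
                # reports it, so a signing subkey maps back to the identity
                # listed in the README; fall back to the signing fpr.
                fpr="${12:-$3}"
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                echo "rejected: $line" >&2
                return 1
                ;;
        esac
    done
    [ -n "$fpr" ] || { echo "rejected: no VALIDSIG in gpg status output" >&2; return 1; }
    printf '%s\n' "$fpr"
    fpr_allowed "$fpr"
}

# Assumed wrapper (not exercised by the test): verify tarball $1 against
# detached signature $2 using only the keyring file $3 that was populated
# from the published fingerprints, ignoring the user's default keyring.
verify_release() {
    gpg --batch --no-default-keyring --keyring "$3" --status-fd 1 \
        --verify "$2" "$1" 2>/dev/null | check_status
}
```

Usage would be `verify_release selinux-3.6.tar.gz selinux-3.6.tar.gz.asc ./release-keys.gpg` after importing the README-listed keys into `release-keys.gpg`; a key swap like the one Cathy noticed then fails loudly until the README (and the packager's copy of the list) is updated, which is exactly the signal a packager wants.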