Techaro signing keys #386
-
If you don't intend to cross-sign the keys, you should probably sign the table with your root key, and any changes to these keys need to be signed by that root key. That would give you some form of transitive trust between the keys.
-
FYI we're consuming the Git tag at https://gitlab.archlinux.org/archlinux/packaging/packages/anubis/-/blob/main/PKGBUILD and that's not signed.
-
Is there a repo for Debian and Fedora? I would love to get updates automatically for native packages.
-
Hey all,
I'm working on package signing for Anubis, Yeet, and other Techaro products. This is a pre-announcement of what keys you should add to your GPG keyrings.
The keysigning table may be found here with signature here.
In general, you will see the packages signing key the most often. The root signing key is stored on a hardware two-factor token in a locked box in my office.
I have signed all of the assets generated in v1.17.0 so that interested parties can test validating the signatures.
Please let me know if there are any issues with these keys.