Making PGP distribution key well-known

Petr Pisar ppisar at redhat.com
Mon Mar 5 10:37:47 UTC 2012


On 2012-03-02, Kevin Fenzi <kevin at scrye.com> wrote:
> On Fri, 2 Mar 2012 12:53:35 +0000 (UTC)
> Petr Pisar <ppisar at redhat.com> wrote:
>
>> On 2012-03-01, Michal Schmidt <mschmidt at redhat.com> wrote:
>> > Dne 1.3.2012 17:52, Petr Pisar napsal(a):
>> >> where to get public key for verifying RPM signatures.
>> >
>> > The keys are at: https://fedoraproject.org/keys
>> >
>> And F16 primary key (A82BA4B7) is signed by... 1 guy. Awesome.
>>
>> And ISO images propagated on Fedora web pages have signatures where?
>> I see, one must trim the URL manually and hope the web server lists
>> directory and there will be a signature.
>
> https://fedoraproject.org/en/verify has a full list of them, but yes,
> they should be in the same directory.
>
> If you can think of a better way to present this data, do say.
>
Put them right next to shiny Download links. If the details about size
are important enough, a link to signature could be there too. Like:

Download Now!
605MB, ISO format image for Intel-compatible PCs (32-bit), signature

Where the `signature' label would point to
<http://download.englab.brq.redhat.com/pub/fedora/linux/releases/16/Live/i686/Fedora-16-i686-Live-CHECKSUM>.

The `Verify Download' link is six sections underneath. Even below
export regulations which nobody reads. Too far.

-- Petr


