[Webkit-unassigned] [Bug 212027] New: [WPE][GTK] Use project-wide GPG key to sign releases, and upload it in binary format on webkitgtk.org/wpewebkit.org
bugzilla-daemon at webkit.org
Mon May 18 08:18:21 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=212027
Bug ID: 212027
Summary: [WPE][GTK] Use project-wide GPG key to sign releases, and upload it in binary format on webkitgtk.org/wpewebkit.org
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: WebKitGTK
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mcatanzaro at gnome.org
CC: bugs-noreply at webkitgtk.org
Currently releases are signed with Carlos's (or Adrian's) personal GPG key. Carlos's key also uses weak signing algorithms, which isn't great. Ideally we would refresh this with a WebKitGTK project key (and WPE WebKit project key, which might be the same).
Fedora packaging guidelines (https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification) require that the GPG key is uploaded in binary format (not PEM) to some website, so I've been using people.gnome.org to host Carlos's key. Ideally, the project key would be hosted on webkitgtk.org/wpewebkit.org. This is what I have currently in our RPM spec:
# Created from http://hkps.pool.sks-keyservers.net/pks/lookup?op=get&search=0xF3D322D0EC4582C3
Source2: https://people.gnome.org/~mcatanzaro/gpg-key-D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3.gpg
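The binary-versus-armored distinction the report depends on, as an added example (not part of the bug report, and not WebKit or Fedora tooling): a check that a downloaded key file is a binary OpenPGP keyring, converting ASCII-armored input (what the report calls PEM) to binary and verifying the armor's CRC-24 on the way. The function names are hypothetical, and the parser assumes the armor has the blank line after its headers that RFC 4880 requires.

```python
# Added illustration; names are hypothetical, not from WebKit or Fedora tooling.
import base64

ARMOR_BEGIN = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = b"-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """CRC-24 checksum used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def first_packet_tag(data: bytes) -> int:
    """Return the OpenPGP packet tag encoded in the first octet."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet stream")
    first = data[0]
    return first & 0x3F if first & 0x40 else (first >> 2) & 0x0F


def to_binary_keyring(data: bytes) -> bytes:
    """Return binary key material, dearmoring ASCII-armored input if needed."""
    if data.lstrip().startswith(ARMOR_BEGIN):
        lines = [ln.strip() for ln in data.strip().splitlines()]
        if lines[-1] != ARMOR_END:
            raise ValueError("truncated armor")
        body = lines[lines.index(b"") + 1:-1]  # skip armor headers
        checksum = None
        if body and body[-1].startswith(b"="):
            checksum = body.pop()[1:]
        data = base64.b64decode(b"".join(body), validate=True)
        if checksum and int.from_bytes(base64.b64decode(checksum), "big") != crc24(data):
            raise ValueError("armor CRC-24 mismatch")
    if first_packet_tag(data) != 6:  # tag 6 = Public-Key packet
        raise ValueError("does not start with a public-key packet")
    return data


if __name__ == "__main__":
    # Constructed stub: old-format packet header with tag 6, not a real key.
    stub = b"\x99\x00\x05\x04\x00\x00\x00\x00"
    print(to_binary_keyring(stub).hex())
```

This only confirms the container format; whether the key is the right one still has to be established by comparing its fingerprint against one obtained from a trusted source.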