[Webkit-unassigned] [Bug 212027] New: [WPE][GTK] Use project-wide GPG key to sign releases, and upload it in binary format on webkitgtk.org/wpewebkit.org

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon May 18 08:18:21 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=212027

            Bug ID: 212027
           Summary: [WPE][GTK] Use project-wide GPG key to sign releases,
                    and upload it in binary format on
                    webkitgtk.org/wpewebkit.org
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at gnome.org
                CC: bugs-noreply at webkitgtk.org

Currently releases are signed with Carlos's (or Adrian's) personal GPG key. Carlos's key also uses weak signing algorithms, which isn't great. Ideally we would refresh this with a WebKitGTK project key (and WPE WebKit project key, which might be the same).

Fedora packaging guidelines https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification require that the GPG key is uploaded in binary format (not PEM) to some website, so I've been using people.gnome.org to host Carlos's key. Ideally, the project key would be hosted on webkitgtk.org/wpewebkit.org. This is what I have currently in our RPM spec:

# Created from http://hkps.pool.sks-keyservers.net/pks/lookup?op=get&search=0xF3D322D0EC4582C3
Source2:        https://people.gnome.org/~mcatanzaro/gpg-key-D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3.gpg

-- 
You are receiving this mail because:
You are the assignee for the bug.
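
The gap between the ASCII-armored export a keyserver returns (what the report calls PEM) and the binary file the Fedora guideline asks for, shown as an added example that is not part of the bug report or of WebKit's release tooling. The function names and the sample bytes are constructed for illustration; the armor layout and CRC-24 parameters follow RFC 4880 section 6.

```python
import base64

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    """Build an armored block; used here only to construct sample input."""
    b64 = base64.b64encode(data).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "", *rows,
                      "=" + check, "-----END PGP PUBLIC KEY BLOCK-----"]) + "\n"

def dearmor(text: str) -> bytes:
    """Return the binary packets inside an armored block, checking the CRC-24."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN PGP ")
            or not lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:  # armor headers (Version:, Comment:) end at the first blank line
        body = body[body.index("") + 1:]
    body = [ln for ln in body if ln]
    check = body.pop()[1:] if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    if check is not None and int.from_bytes(base64.b64decode(check), "big") != crc24(data):
        raise ValueError("CRC-24 mismatch: armored data is corrupted")
    return data

def to_binary(raw: bytes) -> bytes:
    """Normalize key material to the binary form a packager would host."""
    if not raw:
        raise ValueError("empty key file")
    if raw[0] & 0x80:  # every binary OpenPGP packet header has the top bit set
        return raw
    return dearmor(raw.decode("ascii"))

SAMPLE = b"\x99\x00\x04demo"  # constructed bytes, not a real key

if __name__ == "__main__":
    print(to_binary(armor(SAMPLE).encode()) == SAMPLE)
```

The CRC-24 only catches accidental corruption of the armored text; it says nothing about who produced the key, so the fingerprint still has to be checked against a trusted source before the file is used to verify a release.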