
The keys actually used to sign the downloads are missing from gpg_keys.html #4001

Open
dlangBugzillaToGithub opened this issue Jan 7, 2024 · 0 comments

Comments


Forest reported this on 2024-01-07T22:01:46Z

Transferred from https://issues.dlang.org/show_bug.cgi?id=24322

Description

https://dlang.org/gpg_keys.html lists a bunch of gpg key fingerprints, but none of them match the signatures offered on download.html.

Closer inspection reveals that the signatures were made by subkeys, and since gpg_keys.html omits the subkey fingerprints, it cannot be used to check that the signatures are good. In other words, gpg_keys.html is currently useless, and can even lead someone to think the downloads might have been tampered with.

Suggestion:

Regenerate gpg_keys.html using the output of `gpg --list-keys --with-subkey-fingerprint`
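To illustrate the mismatch the report describes, here is an added example (not code from dlang.org or the reporter) that maps subkey fingerprints to their primary key from `--with-colons` list output and classifies a signature's signing key against a published fingerprint list. The keyring output, the `VALIDSIG` status line and every fingerprint are constructed sample values.

```python
"""Classify which published fingerprint, if any, covers a download signature.

Added example, not dlang.org code. Sample data below is constructed and mimics
`gpg --list-keys --with-subkey-fingerprint --with-colons` and a `--status-fd`
VALIDSIG line; the fingerprints are made up.
"""

# Constructed `--with-colons` listing: one primary key with one signing subkey.
# An `fpr` record always follows the `pub` or `sub` record it belongs to, and
# field 10 (index 9) of an `fpr` record carries the fingerprint.
LIST_KEYS_OUTPUT = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1600000000::::::::::
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1600000000::DEADBEEF::Example Release Key <release@example.invalid>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1600000000::::::s::::::
fpr:::::::::2222222222222222222222222222222222222222:
"""

# Constructed VALIDSIG line as gpg emits it after a good verification: field 2
# is the fingerprint of the key that made the signature (here the subkey), and
# the last field is the fingerprint of that key's primary key.
VALIDSIG_LINE = ("[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 "
                 "2024-01-01 1704067200 0 4 0 1 10 00 "
                 "1111111111111111111111111111111111111111")


def subkey_to_primary(colon_output: str) -> dict:
    """Map every fingerprint (primary and sub) to its primary key fingerprint."""
    mapping, primary, pending = {}, None, None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            pending = fields[0]
        elif fields[0] == "fpr" and pending:
            fpr = fields[9]
            if pending == "pub":
                primary = fpr
            mapping[fpr] = primary
            pending = None
    return mapping


def check_against_published(status_line: str, published: set, keyring: str) -> str:
    """'direct': signer itself listed; 'via-primary': only its primary key is
    listed and the keyring confirms the subkey belongs to it; else 'unlisted'."""
    fields = status_line.split()
    assert fields[1] == "VALIDSIG", "not a VALIDSIG status line"
    signer, primary = fields[2], fields[-1]
    if signer in published:
        return "direct"
    if subkey_to_primary(keyring).get(signer) == primary and primary in published:
        return "via-primary"
    return "unlisted"
```

A page generated with `--with-subkey-fingerprint` would contain the signing subkey's fingerprint, so a reader comparing against it gets a direct match instead of having to resolve the subkey through a keyring.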