
Document the key used to sign releases

Open zyga opened this issue 3 years ago • 6 comments

The debian pypi redirector [1] detects a gpg key used for signing releases. It would be easier to verify those if the project published a gpg keyring with keys that can sign upstream releases.

[1] https://pypi.debian.net/reuse/

zyga avatar Mar 01 '21 15:03 zyga

Definitely helpful, thanks for the idea.

@carmenbianca Have you so far used your private GPG key for this, or is there a separate one?

mxmehl avatar Mar 11 '21 14:03 mxmehl

Answering my own question: yes, we use private keys, namely @carmenbianca's (2A09F62739F6DEC8CFFCA216CD0A90F1C5CA0C92) and mine (A942CD00386B3CB26BA9BB652704E4AB371E2E92)

Any suggestions how to best document this? README?

mxmehl avatar Jun 01 '22 13:06 mxmehl
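The fingerprints listed in the comment above only help if a downstream verifier actually compares them: a plain `gpg --verify` reports "Good signature" for any key that happens to be in the local keyring, documented or not. The following is an added example, not part of the reuse project's own tooling, that parses gpg's machine-readable `--status-fd` output and accepts a release only when the signing key (or the primary key it belongs to) is one of the documented fingerprints. The status lines embedded in it are constructed samples in gpg's documented format, not real output from a reuse release; `verify_release` is a hypothetical wrapper that runs gpg for you.

```python
"""Check that a detached GPG signature on a release artefact was made by one of
the project's *documented* signing keys, not merely by some key in the keyring.
Added example; it is not part of the reuse project's tooling."""
import subprocess
from typing import Iterable, Optional

# Primary-key fingerprints quoted in the issue thread above.
DOCUMENTED_SIGNING_KEYS = {
    "2A09F62739F6DEC8CFFCA216CD0A90F1C5CA0C92",
    "A942CD00386B3CB26BA9BB652704E4AB371E2E92",
}

# Any of these status keywords means the signature must be rejected outright.
BAD_STATUS = ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG", "NO_PUBKEY")


def signed_by_documented_key(status_output: str, allowed: Iterable[str]) -> Optional[str]:
    """Parse `gpg --status-fd` output and return the documented fingerprint that
    made the signature, or None if the signature is bad, missing, or was made
    by a key the project never documented."""
    allowed = {fp.replace(" ", "").upper() for fp in allowed}
    matched = None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable chatter, not a status line
        fields = line.split()
        keyword = fields[1]
        if keyword in BAD_STATUS:
            return None
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <reserved>
            #          <pubkey-algo> <hash-algo> <sig-class> [<primary-fpr>]
            signing_fpr = fields[2].upper()
            primary_fpr = fields[11].upper() if len(fields) > 11 else signing_fpr
            if signing_fpr in allowed:
                matched = signing_fpr
            elif primary_fpr in allowed:
                matched = primary_fpr  # signed with a subkey of a documented key
            else:
                return None  # cryptographically valid, but from an undocumented key
    return matched


def verify_release(artefact: str, signature: str,
                   allowed: Iterable[str] = DOCUMENTED_SIGNING_KEYS,
                   keyring: Optional[str] = None) -> Optional[str]:
    """Hypothetical wrapper: run gpg with status lines on stdout and apply the
    allow-list check. `keyring` can point at a dedicated keyring file holding
    only the project's published keys."""
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", signature, artefact]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return signed_by_documented_key(proc.stdout, allowed)


# Constructed sample status output (not captured from a real reuse release).
SAMPLE_STATUS_OK = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 2A09F62739F6DEC8CFFCA216CD0A90F1C5CA0C92 0
[GNUPG:] GOODSIG CD0A90F1C5CA0C92 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 2A09F62739F6DEC8CFFCA216CD0A90F1C5CA0C92 2021-03-01 1614610800 0 4 0 1 8 00 2A09F62739F6DEC8CFFCA216CD0A90F1C5CA0C92
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Signature made by a subkey (placeholder fingerprint) of a documented primary key.
SAMPLE_STATUS_SUBKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DEADBEEFDEADBEEF Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF 2022-06-01 1654077600 0 4 0 1 8 00 A942CD00386B3CB26BA9BB652704E4AB371E2E92
"""

# Valid signature, but from a key nobody documented (placeholder fingerprint).
SAMPLE_STATUS_UNDOCUMENTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.org>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF00112233 2022-06-01 1654077600 0 4 0 1 8 00 00112233445566778899AABBCCDDEEFF00112233
"""

SAMPLE_STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG CD0A90F1C5CA0C92 Example Maintainer <maintainer@example.org>
"""

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_STATUS_OK), ("subkey", SAMPLE_STATUS_SUBKEY),
                         ("undocumented", SAMPLE_STATUS_UNDOCUMENTED), ("bad", SAMPLE_STATUS_BAD)]:
        print(name, "->", signed_by_documented_key(sample, DOCUMENTED_SIGNING_KEYS))
```

The check deliberately ignores gpg's web-of-trust verdict (`TRUST_UNDEFINED` is accepted) because the trust decision here is "is this one of the fingerprints the project published", which is exactly what a README entry or a shipped keyring gives a downstream packager.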

Would it be OK for the core team if I included all of their public key IDs in the README?

linozen avatar Jun 09 '22 15:06 linozen

For me that would be fine. @floriansnow @nicorikken, for you?

mxmehl avatar Jul 26 '22 12:07 mxmehl

Fine by me

carmenbianca avatar Jul 26 '22 12:07 carmenbianca

I don't see myself signing the release in the near future so I don't think we have to include my key at this moment.

nicorikken avatar Aug 11 '22 07:08 nicorikken