
RPM GPG Key / Fingerprint validation

Open jeremy-clerc opened this issue 4 years ago • 1 comments

Hello,

Looking at #49, I can see that RPMs are signed which is great. Though I cannot find a reliable (imho) source validating the signing GPG Key.

For varnish-6.0.6-1.el7.x86_64.rpm, Signature : RSA/SHA1, Fri 31 Jan 2020 12:29:02 PM UTC, Key ID 60e7c096c4deffeb https://keyserver.ubuntu.com/pks/lookup?search=0x60e7c096c4deffeb&fingerprint=on&op=index

I can see in different scripts that you pull C4DEFFEB (which is the shortcut for the same key). https://keyserver.ubuntu.com/pks/lookup?search=0xC4DEFFEB&fingerprint=on&op=index

Fingerprint looks to be

pub   4096R/C4DEFFEB 2010-09-08 [expires: 2020-09-05]
      Key fingerprint = E98C 6BBB A1CB C5C3 EB2D  F21C 60E7 C096 C4DE FFEB
uid                  varnish-cache.org repository key <[email protected]>

Could you add the key and fingerprint to https://varnish-cache.org/security/gpg.html ? Or at least the fingerprint and where to get it in this repo README ?

Thanks!

jeremy-clerc, May 12 '20 09:05

This makes complete sense. We'll get this sorted.

espebra, May 13 '20 07:05
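
An added example, not part of the original thread or the project's code: a POSIX shell check that compares a key's full fingerprint, parsed from `gpg --with-colons` output, against a pinned value before the key is imported. The function names, the file name `key.asc` and both sample listings are constructed for illustration; the pinned fingerprint is the one quoted in the issue, and in practice the pin should come from a channel trusted independently of the download.

```shell
#!/bin/sh
# Added example: verify a repository key against a pinned full fingerprint
# before trusting it. Both sample listings below are constructed.

# Fingerprint as quoted in the issue above (assumption: obtained from a
# trusted channel, which is what the issue asks the project to provide).
PINNED_FPR='E98C 6BBB A1CB C5C3 EB2D  F21C 60E7 C096 C4DE FFEB'

# Remove whitespace and upper-case, so display and colon formats compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# stdin: `gpg --with-colons` output. Prints each primary-key fingerprint,
# i.e. field 10 of the fpr record that directly follows a pub record.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0; next }
             $1 == "sub" { want = 0 }'
}

# $1 = colon listing, $2 = pinned fingerprint. Returns 0 only when the
# listing holds exactly one primary key whose full fingerprint equals the pin.
check_key_listing() {
    pin=$(normalize_fpr "$2")
    [ "${#pin}" -eq 40 ] || { echo "pin is not a full fingerprint" >&2; return 2; }
    found=$(printf '%s\n' "$1" | primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || { echo "expected 1 primary key, got $count" >&2; return 1; }
    [ "$(normalize_fpr "$found")" = "$pin" ]
}

# Constructed listing for the key described in the issue.
GOOD_LISTING='pub:-:4096:1:60E7C096C4DEFFEB:1283904000:1599264000::-:::scESC:
fpr:::::::::E98C6BBBA1CBC5C3EB2DF21C60E7C096C4DEFFEB:
uid:-::::1283904000::::varnish-cache.org repository key:'

# Constructed listing: same short ID C4DEFFEB, different full fingerprint.
OTHER_LISTING='pub:-:4096:1:89ABCDEFC4DEFFEB:1283904000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFC4DEFFEB:'

# Real use (key.asc is a hypothetical file name):
#   check_key_listing "$(gpg --show-keys --with-colons key.asc)" "$PINNED_FPR" \
#       && rpm --import key.asc
```

The second listing shows why the pin has to be the full 40-digit fingerprint: it shares the 8-digit ID `C4DEFFEB` yet fails the check.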