On Tue, 23 Feb 2016, Till Maas wrote:

> You can already get the keys at various places:
>
> - Fedora website
> - physical DVDs
> - fedora-repos git repository
> - fedora-repos RPM on kojipkgs
> - fedora-repos RPM Fedora mirrors
> - Fedora ISO images on Fedora mirrors
> - Eventually DNSSEC protected from DNS

I was very clear in saying fingerprint not keys. The original key file from the website contains only self-signed keys. The only way to know if these are valid is to check the fingerprint.


> Also all recent Fedora keys were signed by me. So how many different
> places do we need to make it secure? I am also very interested in making
> this secure, but adding more random places to look does not help unless
> people are actually looking there.

Printing the fingerprint in prominent places makes faking the key
nearly impossible, even if the ordinary user doesn't look there.

> And since you did not notice that I
> signed the GPG keys, I guess you did not look much as well.

You didn't sign it in the download file from the verify page.
Signing a key only helps if it is an assurance that the signer has checked
the fingerprint. I could have signed the keys as well, but I didn't
because I don't know anything about the fingerprint from first-hand.

If you have a valid means of checking the fingerprint with the creator
of the key and publicly confirm the fingerprint on the mailing list,
this would be a step forward.


> Btw before suggesting what to provide, maybe think of the instructions
> for users that would explain how to verify the keys

They are already asking the user on the verify page to run a gpg command;
displaying the fingerprint is as easy as that.

If you think you can improve things by signing keys, then take Gregory's
advice and create a long-term signing key and add its signature to new
Fedora release keys. AND print the fingerprint of this one key in
many prominent places.
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
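As an added example that is not part of the thread, the Python below computes the OpenPGP v4 fingerprint that `gpg --fingerprint` prints for a key file and compares it against a fingerprint published out of band; the RSA parameters, creation time and user ID are constructed sample values, not a real Fedora key. It also shows why appended packets (user IDs, self-signatures) leave the fingerprint unchanged: only the primary key packet is hashed.

```python
import hashlib
import hmac
import struct

# Constructed sample RSA parameters, NOT a real key (far too small to be secure).
SAMPLE_N = 0xC2F8E1D3A4B59687D1E2F3A4B5C6D7E9
SAMPLE_E = 65537
SAMPLE_CREATED = 1456185600  # constructed creation timestamp (2016-02-23 UTC)

def mpi(x: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = x.bit_length()
    return struct.pack(">H", bits) + x.to_bytes((bits + 7) // 8, "big")

def build_pubkey_packet(n: int, e: int, created: int) -> bytes:
    """Build a v4 RSA public-key packet (tag 6) with an old-format 2-octet length header."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body)) + body

def build_userid_packet(uid: bytes) -> bytes:
    """Build a User ID packet (tag 13); stands in for the self-signature material
    that follows the primary key in an exported key block."""
    return bytes([0x80 | (13 << 2)]) + bytes([len(uid)]) + uid

def v4_fingerprint(keyblock: bytes) -> str:
    """Return the fingerprint gpg displays: SHA-1 over 0x99 || 2-byte body length ||
    body of the first (primary public key) packet, as 40 upper-case hex digits."""
    tag_byte = keyblock[0]
    if not tag_byte & 0x80 or tag_byte & 0x40:
        raise ValueError("expected an old-format packet header")
    if (tag_byte >> 2) & 0x0F != 6:
        raise ValueError("first packet is not a public-key packet")
    ltype = tag_byte & 0x03
    if ltype == 0:
        length, off = keyblock[1], 2
    elif ltype == 1:
        length, off = struct.unpack(">H", keyblock[1:3])[0], 3
    elif ltype == 2:
        length, off = struct.unpack(">I", keyblock[1:5])[0], 5
    else:
        raise ValueError("indeterminate-length packet not supported")
    body = keyblock[off:off + length]
    if len(body) != length or length == 0 or body[0] != 4:
        raise ValueError("truncated packet or not a v4 key")
    return hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).hexdigest().upper()

def fingerprint_matches(keyblock: bytes, published: str) -> bool:
    """Compare against a fingerprint obtained out of band (e.g. printed on the download
    page); whitespace grouping and case are normalised before a constant-time compare."""
    expected = published.replace(" ", "").upper()
    return hmac.compare_digest(v4_fingerprint(keyblock), expected)

SAMPLE_KEY = build_pubkey_packet(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)
```

Any change to the key material (modulus, exponent or creation time) yields a different fingerprint, while packets appended after the key do not affect it.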
